yahoo-eng-team team mailing list archive

[Bug 1680289] [NEW] Keystone logs fernet token when token is invalid

Public bug reported:

If an incorrect token is passed for keystone validation (verify token), Keystone logs the token:
https://github.com/openstack/keystone/blob/master/keystone/token/providers/fernet/token_formatters.py#L94

As this is either an invalid or expired token and of no use to anyone,
logging this does not pose any vulnerability (unless an expired fernet
token can be used for anything). In any case, it might be better to not
log the entire token.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1680289
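An added example, not part of the bug report or of Keystone's own code, showing the defensive alternative the report hints at: log a short fingerprint of a Fernet token instead of the token itself, and scan existing log lines for tokens that were already written out. The token builder constructs a Fernet-shaped string from random bytes (no keys, no real encryption) so the script runs offline; the log line it uses is constructed, not quoted from Keystone.

```python
import base64
import hashlib
import os
import re
import time

# A Fernet token is urlsafe-base64 of: version byte 0x80 | 8-byte big-endian
# timestamp | 16-byte IV | AES-CBC ciphertext | 32-byte HMAC-SHA256 tag.
# The 0x80 version byte followed by the zero high bytes of a current timestamp
# encodes to the prefix "gAAAAA", which makes tokens easy to spot in log text.
# Keystone strips the "=" padding, so the pattern allows zero to two pad chars.
FERNET_TOKEN_RE = re.compile(r"gAAAAA[A-Za-z0-9_-]{20,}={0,2}")


def make_fake_fernet_token(payload_len=48):
    """Constructed, Fernet-shaped token: random bytes, not real encryption.

    Exists only so the demo runs without keys or the cryptography library."""
    raw = b"\x80" + int(time.time()).to_bytes(8, "big") + os.urandom(16 + payload_len + 32)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_fingerprint(token):
    """Short, non-reversible identifier to log instead of the token itself."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()[:12]


def redact_tokens(line):
    """Replace every Fernet-shaped token in a log line with 'fernet:<fingerprint>'."""
    return FERNET_TOKEN_RE.sub(lambda m: "fernet:" + token_fingerprint(m.group(0)), line)


def find_leaked_tokens(lines):
    """Scan existing log lines; return (line_number, fingerprint) for each token found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in FERNET_TOKEN_RE.finditer(line):
            hits.append((number, token_fingerprint(match.group(0))))
    return hits


if __name__ == "__main__":
    token = make_fake_fernet_token()
    # Constructed log line modelled on the behaviour the bug report describes.
    unsafe = "WARNING keystone.token.providers.fernet: token validation failed for " + token
    print(redact_tokens(unsafe))
    print(find_leaked_tokens([unsafe, "INFO nothing sensitive here"]))
```

The fingerprint still lets an operator correlate repeated failures from the same token across log lines without the log itself becoming a place to harvest credentials.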