
yahoo-eng-team team mailing list archive

[Bug 1744609] Re: operation log: user passwords are logged by default setting


Reviewed:  https://review.openstack.org/539534
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1941d34e5cecf33090e73665034a8196b220e690
Submitter: Zuul
Branch:    master

commit 1941d34e5cecf33090e73665034a8196b220e690
Author: Akihiro Motoki <amotoki@xxxxxxxxx>
Date:   Mon Jan 22 09:20:16 2018 +0900

    operation_log: Mask more password fields by default
    
    Change-Id: I69283a2b692d1fca93aad1d5ed26a29de4e0e4a9
    Closes-Bug: #1744609


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1744609

Title:
  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  --

  If the operation log is enabled (it is disabled by default) and the default value of OPERATION_LOG_OPTIONS['mask_fields'] is used, then when a user tries to change his/her password from the "Change Password" panel (http://<dashboard-site>/settings/password/), both the current and the new password are logged in the operation log, as shown below.
  The same thing happens with the "Change Password" action in the Identity > Users panel.
  ----
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
  ----

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should
  include "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to ['password',
  'current_password', 'new_password', 'confirm_password'] in
  local_settings.py.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1744609/+subscriptions
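The following is an added example written for this archive page; it is not Horizon's own operation-log code and not part of the bug report. It models the masking step the report describes, applied to the POST parameters of the "Change Password" form, and adds a small audit helper that an operator can run over existing operation-log lines to find password fields that were written unmasked before the setting was corrected. Assumptions: the pre-fix default of OPERATION_LOG_OPTIONS['mask_fields'] is taken to be ['password'], the mask marker is taken to be '********' (the real marker Horizon writes may differ), the function names are hypothetical, and the log line is constructed from the one quoted in the report with the same placeholder values.

```python
import json
import re

# Assumed mask marker; Horizon's real replacement string may differ.
MASK = "********"

# Assumed pre-fix default: only the literal key "password" is masked, so the
# three keys used by the "Change Password" forms are written in clear.
MASK_FIELDS_BEFORE_FIX = ["password"]

# Value the bug report recommends operators set in local_settings.py:
#   OPERATION_LOG_OPTIONS = {"mask_fields": [...]}
MASK_FIELDS_RECOMMENDED = ["password", "current_password",
                           "new_password", "confirm_password"]

# Constructed POST parameters, modelled on the log line quoted in the bug
# report (placeholder values, not real credentials or a real CSRF token).
SAMPLE_PARAMS = {
    "fake_email": "",
    "fake_password": "",
    "new_password": "NEW-PASSWORD",
    "confirm_password": "NEW-PASSWORD",
    "current_password": "CURRENT-PASSWORD",
    "csrfmiddlewaretoken": "PLACEHOLDER-CSRF-TOKEN",
}

# Constructed operation-log line in the bracketed format shown in the report;
# the JSON parameter dict is the last [...] field.
SAMPLE_LOG_LINE = (
    "[None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] "
    "[c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] "
    "[/settings/password/] [error: Unauthorized: Unable to change password., "
    "error: Unauthorized. Please try logging in again.] [POST] [403] ["
    + json.dumps(SAMPLE_PARAMS) + "]"
)


def mask_parameters(params, mask_fields, mask=MASK):
    """Return a copy of the form parameters with every key named in
    mask_fields replaced by the mask marker (exact key match, as the
    unmasked "fake_password" in the report's log line suggests)."""
    return {k: (mask if k in mask_fields else v) for k, v in params.items()}


def parse_params(log_line):
    """Extract the JSON parameter dict that sits in the last [...] field of an
    operation-log line. Returns {} if the line carries no parameter field."""
    start = log_line.rfind("[{")
    end = log_line.rfind("}]")
    if start < 0 or end < 0 or end < start:
        return {}
    return json.loads(log_line[start + 1:end + 1])


# Keys that look like credentials: the whole key, or its last "_"-separated
# component, is password/passwd/secret/token. "csrfmiddlewaretoken" does not
# match because "token" is not a separate component there.
SECRET_KEY_RE = re.compile(r"(^|_)(password|passwd|secret|token)$", re.IGNORECASE)


def unmasked_secret_fields(params, mask=MASK):
    """Credential-looking keys whose value is neither empty nor the mask,
    i.e. fields that reached the log in clear."""
    return sorted(k for k, v in params.items()
                  if SECRET_KEY_RE.search(k) and v not in ("", mask))


def audit_log_line(log_line):
    """Audit one operation-log line; returns the unmasked credential keys."""
    return unmasked_secret_fields(parse_params(log_line))


if __name__ == "__main__":
    # With the assumed pre-fix default the new and current passwords leak;
    # with the recommended setting nothing credential-like is left in clear.
    for label, fields in (("before fix", MASK_FIELDS_BEFORE_FIX),
                          ("recommended", MASK_FIELDS_RECOMMENDED)):
        masked = mask_parameters(SAMPLE_PARAMS, fields)
        print(label, "->", unmasked_secret_fields(masked))
    print("audit of constructed log line ->", audit_log_line(SAMPLE_LOG_LINE))
```

Running the audit over an existing operation log (one call to audit_log_line per line) tells an operator which requests were recorded with passwords in clear, which is the set of accounts whose passwords should be rotated and whose log entries should be purged after the mask_fields setting is corrected.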