
yahoo-eng-team team mailing list archive

[Bug 1744609] Re: operation log: user passwords are logged by default setting


Seeing no objection to report class B1, I'm marking our OSSA task as
won't fix. We can revisit if a case is made for class A with backported
fixes.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1744609

Title:
  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  If the operation log is enabled (disabled by default) and the default value of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries to change his/her password from "Change Password" panel (http://<dashboard-site>/settings/password/), both current and new passwords will be logged in the operation log like below.
  The same thing happens in "Change Password" action in the Identity User panel.
  ----
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
  ----

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should
  include "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to ['password',
  'current_password', 'new_password', 'confirm_password'] in
  local_settings.py.
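The following is an added illustration, not Horizon's own middleware: it replays the masking described above against a POST body modelled on the quoted log entry, so an operator can see which fields the pre-fix default leaves in clear, audit a local_settings.py mask list, and scan existing operation-log lines for password fields that were already recorded unmasked. The mask string, exact-key matching and the log-line layout are assumptions based on the entry quoted in the report.

```python
import json

# Constructed POST body modelled on the log entry quoted in the bug report.
CHANGE_PASSWORD_POST = {
    "fake_email": "",
    "fake_password": "",
    "new_password": "NEW-PASSWORD",
    "confirm_password": "NEW-PASSWORD",
    "current_password": "CURRENT-PASSWORD",
    "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo",
}

# Assumption: the pre-fix default masked only the exact key "password".
DEFAULT_MASK_FIELDS = ["password"]
# The local_settings.py value recommended in the bug report.
RECOMMENDED_MASK_FIELDS = ["password", "current_password",
                          "new_password", "confirm_password"]
PASSWORD_FIELDS = ("current_password", "new_password", "confirm_password")
MASK = "********"  # placeholder; the real middleware's mask string may differ


def mask_params(params, mask_fields):
    """Copy of the POST params with every key listed in mask_fields masked.
    Matching is by exact key name (assumption about the middleware)."""
    masked = set(mask_fields)
    return {k: (MASK if k in masked else v) for k, v in params.items()}


def leaked_secrets(params, mask_fields, secrets):
    """Secret values that would still be written to the operation log."""
    logged = set(mask_params(params, mask_fields).values())
    return sorted(s for s in secrets if s in logged)


def audit_mask_fields(mask_fields):
    """Operator check: password-bearing form fields missing from the setting."""
    return [f for f in PASSWORD_FIELDS if f not in mask_fields]


def format_log_line(params):
    """Constructed operation-log line in the bracketed layout quoted above;
    only the trailing JSON POST field matters for the scan below."""
    return "[None] [demo] [POST] [403] [" + json.dumps(params) + "]"


def unmasked_password_fields(log_line):
    """Scan one existing log line: the last bracketed field is the JSON POST
    body. Returns password fields whose values were recorded in clear."""
    start = log_line.rfind("[{")
    if start < 0:
        return []
    body = json.loads(log_line[start + 1:].rstrip().rstrip("]"))
    return [f for f in PASSWORD_FIELDS
            if f in body and body[f] not in ("", MASK)]
```

Running `unmasked_password_fields` over an archived operation log identifies entries that need to be purged after the mask list is corrected, since fixing the setting does not clean up what was already written.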

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1744609/+subscriptions