[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change If5b196a734e7a0f0b3fa892d5c0436812a5bbd85
gerrit2 at review.openstack.org
gerrit2 at review.openstack.org
Thu Jun 12 16:48:36 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/99432
Log:
commit 299c88048468615d0fecf5e21a3fc4f17f428215
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date: Wed Jun 11 10:13:32 2014 -0700
Do not expose Token IDs in debug output
It is only very slightly less of a security issue to expose
Token IDs in the logs than it is to expose password details. This
change obscures the Token ID in the debug output in all cases to
ensure that the ID is not presented in any of the logs that could
be read by a unpriviledged source (e.g. lower priv log watchers,
centralized logging, etc).
SHA1 is no longer allowed as a hashing mode for CMS token hashing.
This is because SHA1 is being used to obscure tokens in the
session object debug. This is done to prevent the debug output
from being potentially exposing a valid token (PKI->sha1-short-id)
in some configurations of Keystone / auth_token middleware.
The raw data elements from the token (e.g. user, roles, expiration
etc) could be added into debug/trace level logging at a future time.
SecurityImpact
Change-Id: If5b196a734e7a0f0b3fa892d5c0436812a5bbd85
More information about the Openstack-security
mailing list