[Openstack-security] [Bug 1858186] Re: http_log_request will print debug info include pki certificate which is unsafety
kuangpeiling
1858186 at bugs.launchpad.net
Fri Jan 3 08:17:59 UTC 2020
** Description changed:
when i use pki token,i find nova debug log include the whole pki
certificate info,is this safety?need to modify?
- my request is
+ my request is
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked
- debug.log:
- RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwYJKoZIhvcNAQcCoIIBrDCCAagCAQExDTALBglghkgBZQMEAgEwHgYJKoZI\nhvcNAQcBoBEED3sicmV2b2tlZCI6IFtdfTGCAXIwggFuAgEBMEkwPTELMAkGA1UE\nBhMCQ04xDzANBgNVBAoTBkh1YXdlaTEdMBsGA1UEAxMUSHVhd2VpIElUIFByb2R1\nY3QgQ0ECCBWpkSG6QZq3MAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQDF\nbzhT6VPqrir7wnKvxVxH+sYthHMX0Om+OaMecCL+VnQE1wcg7tAAh1LI7Z6qkSAr\nF1FnrQeq6PV+8EbD4ZsvfLisk0NHI8IgnS36dyTznitddX7zPTVl4g3TQVox2Qmm\nnPSYrqDx6bLxDQGcuMANkpbCDrlqmmOio2BMboHi6V6aNRMPdYGYOVAKxuYbt3s8\n3FDEsM/DpEDywdhQiXGL2fa81QaXIuu5LaS1wUbb8IBEtwF8YkZOS7tOWSSUxsZ9\nNdjKEmhBUN4qFg5yTRKU7WLVegrZnwKPFbcdqMbeDVcgGT0bcEhtBIa90uKI50Fb\nB6PVg7DpfJdPTE/fs0QO\n-----END CMS-----\n"}
+ debug.log such as:
+ RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}
** Description changed:
when i use pki token,i find nova debug log include the whole pki
certificate info,is this safety?need to modify?
my request is
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked
debug.log such as:
RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}
+
+ code session.py:
+ if response is not None:
+ if not status_code:
+ status_code = response.status_code
+ if not headers:
+ headers = response.headers
+ if not text:
+ # NOTE(samueldmq): If the response does not provide enough info
+ # about the content type to decide whether it is useful and
+ # safe to log it or not, just do not log the body. Trying to
+ # read the response body anyways may result on reading a long
+ # stream of bytes and getting an unexpected MemoryError. See
+ # bug 1616105 for further details.
+ content_type = response.headers.get('content-type', None)
+
+ # NOTE(lamt): Per [1], the Content-Type header can be of the
+ # form Content-Type := type "/" subtype *[";" parameter]
+ # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
+ for log_type in _LOG_CONTENT_TYPES:
+ if content_type is not None and content_type.startswith(
+ log_type):
+ text = self._remove_service_catalog(response.text)
+ break
+ else:
+ text = ('Omitted, Content-Type is set to %s. Only '
+ '%s responses have their bodies logged.')
+ text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
+ if json:
+ text = self._json.encode(json)
+
+ string_parts = ['RESP:']
+
+ if status_code:
+ string_parts.append('[%s]' % status_code)
+ if headers:
+ for header in six.iteritems(headers):
+ string_parts.append('%s: %s' % self._process_header(header))
+ if text:
+ string_parts.append('\nRESP BODY: %s\n' % text)
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1858186
Title:
http_log_request will print debug info include pki certificate which
is unsafety
Status in keystoneauth:
Invalid
Bug description:
When I use a PKI token, I find the nova debug log includes the whole PKI
certificate info. Is this safe? Does it need to be modified?
My request is:
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked
debug.log shows, for example:
RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}
Code in session.py:
if response is not None:
    if not status_code:
        status_code = response.status_code
    if not headers:
        headers = response.headers
    if not text:
        # NOTE(samueldmq): If the response does not provide enough info
        # about the content type to decide whether it is useful and
        # safe to log it or not, just do not log the body. Trying to
        # read the response body anyways may result on reading a long
        # stream of bytes and getting an unexpected MemoryError. See
        # bug 1616105 for further details.
        content_type = response.headers.get('content-type', None)

        # NOTE(lamt): Per [1], the Content-Type header can be of the
        # form Content-Type := type "/" subtype *[";" parameter]
        # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
        for log_type in _LOG_CONTENT_TYPES:
            if content_type is not None and content_type.startswith(
                    log_type):
                text = self._remove_service_catalog(response.text)
                break
        else:
            text = ('Omitted, Content-Type is set to %s. Only '
                    '%s responses have their bodies logged.')
            text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
if json:
    text = self._json.encode(json)

string_parts = ['RESP:']

if status_code:
    string_parts.append('[%s]' % status_code)
if headers:
    for header in six.iteritems(headers):
        string_parts.append('%s: %s' % self._process_header(header))
if text:
    string_parts.append('\nRESP BODY: %s\n' % text)
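The snippet above gates body logging only on Content-Type and strips the service catalog, so an armored blob such as the CMS-signed revocation list still lands in the debug log. The following is an added Python example, not keystoneauth's code, showing how a deployment can redact PEM-style blocks and hash token headers before the RESP line is built; LOG_CONTENT_TYPES, SECRET_HEADERS, the SHA-256 header masking and SAMPLE_BODY are all constructed for illustration.

```python
import hashlib
import re

# Content types whose bodies are logged; anything else gets the "Omitted"
# marker, mirroring the gate in the snippet above (constructed list, not
# keystoneauth's own _LOG_CONTENT_TYPES).
LOG_CONTENT_TYPES = ('application/json',)

# Header names whose values are replaced by a digest before logging
# (constructed list; keystoneauth's _process_header is not reproduced here).
SECRET_HEADERS = ('x-auth-token', 'x-subject-token', 'x-service-token')

# Any PEM-style armored block, such as the CMS-signed revocation list in the
# report. DOTALL lets '.' cross both real newlines and the literal "\n"
# escape sequences that appear inside a JSON-encoded body.
_ARMORED_BLOB = re.compile(r'-----BEGIN ([A-Z ]+)-----.*?-----END \1-----',
                           re.DOTALL)

def redact_armored_blobs(text):
    """Replace each armored blob with a marker giving its label and size."""
    return _ARMORED_BLOB.sub(
        lambda m: '<%s blob redacted, %d chars>' % (m.group(1), len(m.group(0))),
        text)

def mask_header(name, value):
    """Log a SHA-256 digest instead of the value for token-bearing headers."""
    if name.lower() in SECRET_HEADERS:
        return name, '{SHA256}' + hashlib.sha256(value.encode('utf-8')).hexdigest()
    return name, value

def format_resp_log(status_code, headers, body):
    """Build the 'RESP:' debug line the way the snippet does, plus redaction.

    headers is a plain dict with lower-case keys (constructed for the example).
    """
    content_type = headers.get('content-type')
    if content_type is not None and content_type.startswith(LOG_CONTENT_TYPES):
        text = redact_armored_blobs(body)
    else:
        text = ('Omitted, Content-Type is set to %s. Only %s responses have '
                'their bodies logged.' % (content_type, ', '.join(LOG_CONTENT_TYPES)))
    parts = ['RESP:', '[%s]' % status_code]
    parts.extend('%s: %s' % mask_header(k, v) for k, v in headers.items())
    parts.append('\nRESP BODY: %s\n' % text)
    return ' '.join(parts)

# Constructed sample modelled on the redacted log line in the report.
SAMPLE_BODY = (r'{"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxx'
               r'xxxxxxxxfs0QO\n-----END CMS-----\n"}')
```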
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1858186/+subscriptions
More information about the Openstack-security
mailing list