[Openstack-security] [openstack/oslo-incubator] SecurityImpact review request change I2912ad7efc10b065c954fd198325305f81a8c6ec
gerrit2 at review.openstack.org
Tue Jul 22 02:58:20 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/108215
Log:
commit 25a29c2a6c74b9819fe37e14ac2dfc308e93d6d3
Author: Amrith Kumar <amrith at tesora.com>
Date: Sat Jul 19 19:15:48 2014 -0400
Mask any password in exception command string
Currently the command executed by processutils.execute
is included in the exception (if one is generated). This
could contain passwords and other information that could
represent a security vulnerability.
Also added a test for this, ensuring that stdout and
stderr contain the expected text, and that the password
is obscured from the command that is part of the exception.
Before merging this change into other projects, it is
important to understand that the command being returned
in a ProcessExecutionError exception (should one be
thrown) is one where passwords will have been masked
using strutils.mask_password(). Therefore the command
may no longer be executable. This may break some existing
code that may have a construct such as:
    except ProcessExecutionError as err:
        # retry the command
        processutils.execute(err.cmd)
OSSO is aware of this change.
DocImpact:
The documentation for the execute command should include
a note about the change in behavior described in the message
as above.
SecurityImpact:
Change-Id: I2912ad7efc10b065c954fd198325305f81a8c6ec
Closes-Bug: #1343604
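As an added illustration (not part of the patch, nor oslo's own code), a simplified Python stand-in for processutils.execute(), ProcessExecutionError and strutils.mask_password() that shows the behaviour the message describes: stdout, stderr and the exit code survive on the exception, the password in the command string is masked, and err.cmd is therefore no longer the command that was actually run. The regexes, the class and the helper names are assumptions, not oslo's implementation.

```python
import re
import subprocess
import sys

# Hypothetical, simplified stand-in for oslo's strutils.mask_password(); the
# real helper recognises more key names and formats. Here only "password=",
# "password <v>", "passwd", "pwd" and a bare "-p <value>" are masked.
_SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*|\s+)(\S+)"),
    re.compile(r"(-p)(\s+)(\S+)"),
]


def mask_password(message, secret="***"):
    """Replace the value that follows a password-like key with `secret`."""
    for pattern in _SECRET_PATTERNS:
        message = pattern.sub(lambda m: m.group(1) + m.group(2) + secret, message)
    return message


class ProcessExecutionError(Exception):
    """Hypothetical stand-in for processutils.ProcessExecutionError."""

    def __init__(self, cmd, exit_code, stdout, stderr):
        self.cmd, self.exit_code = cmd, exit_code
        self.stdout, self.stderr = stdout, stderr
        super().__init__("exit %d: %s" % (exit_code, cmd))


def execute(*cmd):
    """Run cmd; on failure raise with the MASKED command string, as the change does."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise ProcessExecutionError(mask_password(" ".join(cmd)),
                                    proc.returncode, proc.stdout, proc.stderr)
    return proc.stdout, proc.stderr


def failing_run():
    """Constructed failing command carrying a secret; returns the raised error."""
    code = "import sys; print('out'); print('err', file=sys.stderr); sys.exit(3)"
    try:
        execute(sys.executable, "-c", code, "--password=hunter2")
    except ProcessExecutionError as err:
        # err.cmd now ends in "--password=***": safe to log, but NOT re-runnable,
        # which is exactly why the "retry err.cmd" pattern above breaks.
        return err
    return None
```

Because the masked string is what lands in the exception, code that wants to retry must keep its own reference to the original argument list rather than reusing err.cmd.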