[Openstack-security] [Bug 1490693] Re: session fails to sanitize response body of passwords

Doug Hellmann doug at doughellmann.com
Fri Sep 4 17:21:19 UTC 2015


** Changed in: python-keystoneclient
       Status: Fix Committed => Fix Released

** Changed in: python-keystoneclient
    Milestone: None => 1.7.0

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1490693

Title:
  session fails to sanitize response body of passwords

Status in python-keystoneclient:
  Fix Released

Bug description:
  Seeing this in the n-cpu logs when nova calls the os-
  initialize_connection API via python-cinderclient and cinder returns a
  response body with credentials in it:

  http://logs.openstack.org/66/218666/1/check/gate-tempest-dsvm-full/3ac1f2b/logs/screen-n-cpu.txt.gz#_2015-08-30_16_33_09_578

  keystoneclient.session is logging the response body without sanitizing
  it first.

  2015-08-30 16:33:09.578 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] REQ: curl -g -i -X POST http://127.0.0.1:8776/v2/8a98625b8c5445afbc72496ce2f7ab7f/volumes/744d2085-8e78-40a5-8659-ef3cffb2480e/action -H "User-Agent: python-cinderclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}fbdcb6c88ebb8ec83181b62e338a1a4b909f7031" -d '{"os-initialize_connection": {"connector": {"initiator": "iqn.1993-08.org.debian:01:f991bccc0", "ip": "172.99.69.228", "platform": "x86_64", "host": "devstack-trusty-rax-iad-4640004", "os_type": "linux2", "multipath": false}}}' _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:195
  2015-08-30 16:33:10.674 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] RESP: [200] content-length: 447 x-compute-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d connection: keep-alive date: Sun, 30 Aug 2015 16:33:10 GMT content-type: application/json x-openstack-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d 
  RESP BODY: {"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "FF5vCvAvks8iQ2Vx", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-744d2085-8e78-40a5-8659-ef3cffb2480e", "target_portal": "172.99.69.228:3260", "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e", "target_lun": 1, "access_mode": "rw", "auth_username": "82tvLceDnfHjg6jrTwpq", "auth_method": "CHAP"}}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/python-keystoneclient/+bug/1490693/+subscriptions
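The log excerpt above shows the asymmetry that makes this a bug: the request line already masks the credential it carries (X-Auth-Token is logged as {SHA1}<digest>), while the response body is written to the DEBUG log verbatim, CHAP password included. The block below is an added illustration of how a client library can redact a JSON response body before logging it and hash a token the same way the request side does. It is not python-keystoneclient's code and not the fix that shipped in 1.7.0; the key pattern (anything containing password, secret or token), the function names and the sample body are assumptions made for this example.

```python
"""Redacting credentials from an HTTP response body before it reaches a
DEBUG log. Added example; not python-keystoneclient's implementation.
"""
import hashlib
import json
import re

# Assumed policy: any dict key containing one of these words is a secret.
# Substring matching is deliberate, so that a nested "auth_password" key
# like the one in the cinder response above is caught.
SENSITIVE_KEY_PATTERN = re.compile(r"password|secret|token", re.IGNORECASE)
REDACTED = "***"


def sanitize(obj):
    """Return a copy of a decoded JSON value with sensitive values masked.

    Recurses through nested dicts and lists. Any dict key that matches
    SENSITIVE_KEY_PATTERN has its value replaced, whatever its type.
    """
    if isinstance(obj, dict):
        return {
            k: REDACTED
            if isinstance(k, str) and SENSITIVE_KEY_PATTERN.search(k)
            else sanitize(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    return obj


def safe_body_for_log(body):
    """Prepare a raw response body string for a log line.

    If the body parses as JSON it is sanitized structurally and re-serialized.
    If it does not, there is no way to know which parts are secrets, so only
    its length is logged instead of the text itself (fail closed).
    """
    try:
        decoded = json.loads(body)
    except (TypeError, ValueError):
        return "<non-JSON body, %d bytes omitted>" % len(body or "")
    return json.dumps(sanitize(decoded), sort_keys=True)


def hash_token_for_log(token):
    """Log a token the way the request line above does: {SHA1}<hexdigest>.

    The digest lets two log lines be correlated to the same token without
    disclosing a value that could be replayed.
    """
    return "{SHA1}" + hashlib.sha1(token.encode("utf-8")).hexdigest()


# Constructed sample modelled on the RESP BODY in the bug report. The
# credential values are made up for this example.
SAMPLE_BODY = json.dumps({
    "connection_info": {
        "driver_volume_type": "iscsi",
        "data": {
            "auth_password": "example-chap-secret",
            "auth_username": "example-chap-user",
            "auth_method": "CHAP",
            "target_portal": "192.0.2.10:3260",
            "target_lun": 1,
        },
    }
})

if __name__ == "__main__":
    print("RESP BODY:", safe_body_for_log(SAMPLE_BODY))
    print("X-Auth-Token:", hash_token_for_log("example-token"))
```

Two design points worth noting. Redaction is done on the decoded structure rather than with a regex over the serialized text, so a secret that happens to contain quotes or braces cannot break the match. And a body that is not JSON is summarized rather than logged raw, because the whole point of the bug is that a client cannot know in advance which response bodies carry credentials.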
