[Openstack-security] [Bug 1858186] Re: http_log_request will print debug info include pki certificate which is unsafety

kuangpeiling 1858186 at bugs.launchpad.net
Fri Jan 3 08:28:54 UTC 2020 

** Changed in: keystoneauth
       Status: New => Invalid

** Information type changed from Public to Private Security

** Information type changed from Private Security to Private

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1858186

Title:
  http_log_request will print debug info include pki certificate which
  is unsafety

Status in keystoneauth:
  Invalid

Bug description:
  when i use pki token,i find nova debug log include the whole pki
  certificate info,is this safety?need to modify?

  my request is
  curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked

  debug.log such as:
  RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

  code session.py:
          if response is not None:
              if not status_code:
                  status_code = response.status_code
              if not headers:
                  headers = response.headers
              if not text:
                  # NOTE(samueldmq): If the response does not provide enough info
                  # about the content type to decide whether it is useful and
                  # safe to log it or not, just do not log the body. Trying to
                  # read the response body anyways may result on reading a long
                  # stream of bytes and getting an unexpected MemoryError. See
                  # bug 1616105 for further details.
                  content_type = response.headers.get('content-type', None)

                  # NOTE(lamt): Per [1], the Content-Type header can be of the
                  # form Content-Type := type "/" subtype *[";" parameter]
                  # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
                  for log_type in _LOG_CONTENT_TYPES:
                      if content_type is not None and content_type.startswith(
                              log_type):
                          text = self._remove_service_catalog(response.text)
                          break
                  else:
                      text = ('Omitted, Content-Type is set to %s. Only '
                              '%s responses have their bodies logged.')
                      text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
          if json:
              text = self._json.encode(json)

          string_parts = ['RESP:']

          if status_code:
              string_parts.append('[%s]' % status_code)
          if headers:
              for header in six.iteritems(headers):
                  string_parts.append('%s: %s' % self._process_header(header))
          if text:
              string_parts.append('\nRESP BODY: %s\n' % text)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1858186/+subscriptions

More information about the Openstack-security mailing list