cinderclient is logging passwords in http responses

Bug #1640269 reported by Matt Riedemann
Affects: python-cinderclient
Status: Fix Released
Importance: Undecided
Assigned to: Matt Riedemann
Milestone: (none)

Bug Description

https://github.com/openstack/python-cinderclient/blob/1.9.0/cinderclient/client.py#L291

As seen here:

2016-10-01 01:00:22.278 220 76777232 MainThread DEBUG cinderclient.v2.client [req-254dfe71-d8d1-4d16-a287-a6c9a20e0686 1f7a4c1def5e41e3b19ee6f5a0e1025f 9f1453d585cb40aabd31299d889d3ca8 - - -] RESP: [200] X-Compute-Request-Id: req-f551871a-4950-4225-9b2c-29a14c8f075e Content-Type: application/json Content-Length: 446 X-Openstack-Request-Id: req-f551871a-4950-4225-9b2c-29a14c8f075e Date: Sat, 01 Oct 2016 01:00:22 GMT Connection: keep-alive
RESP BODY: {"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "kk4qD6CpKFLyz9JD", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-a2f33dcc-1bb7-45ba-b8fc-5b38179120f8", "target_portal": "10.0.100.186:3260", "volume_id": "a2f33dcc-1bb7-45ba-b8fc-5b38179120f8", "target_lun": 1, "access_mode": "rw", "auth_username": "s4BfSfZ67Bo2mnpuFWY8", "auth_method": "CHAP"}}}

Matt Riedemann (mriedem)
Changed in python-cinderclient:
status: New → Confirmed
Matt Riedemann (mriedem)
Changed in python-cinderclient:
assignee: nobody → Matt Riedemann (mriedem)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-cinderclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/395119

Changed in python-cinderclient:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-cinderclient (master)

Reviewed: https://review.openstack.org/395119
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=4d78dfaac2edde5efe56b9550955a761894279e7
Submitter: Jenkins
Branch: master

commit 4d78dfaac2edde5efe56b9550955a761894279e7
Author: Matt Riedemann <email address hidden>
Date: Tue Nov 8 13:53:32 2016 -0500

    Mask passwords when logging HTTP req/resp bodies

    The very specific 'password' is being masked when logging
    requests but not when logging response bodies.

    This change fixes the response logging to mask passwords and
    also makes the request logging more robust as it was just
    checking for 'password' but the mask_password method handles
    much more than that.

    Change-Id: Id8bf583ecdf60eafb50fd69d6a19180ea97bd92c
    Closes-Bug: #1640269

Changed in python-cinderclient:
status: In Progress → Fix Released
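The commit above describes the defect: the request path masked only the literal 'password', and the response path masked nothing, so the nested `auth_password` in the `connection_info` body above reached the debug log. The following is an added illustration (not cinderclient's own code, which uses the oslo.utils `mask_password` helper) of masking by key name across nested JSON before the body is logged; the key set `SECRET_KEYS` and the helper names are assumptions made here.

```python
import json
import re

# Keys whose values must never reach a debug log. Illustrative set, not the
# project's list: the point is that matching only the literal 'password'
# misses names such as auth_password.
SECRET_KEYS = frozenset({"password", "auth_password", "secret", "token", "auth_token"})
MASK = "***"


def mask_secrets(obj):
    """Recursively replace the value of any secret-named key in parsed JSON."""
    if isinstance(obj, dict):
        return {
            k: (MASK if k.lower() in SECRET_KEYS and isinstance(v, str) else mask_secrets(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_secrets(item) for item in obj]
    return obj


# Fallback for bodies that are not valid JSON: mask by key name in raw text.
_RAW_RE = re.compile(
    r'("(?:%s)"\s*:\s*)"[^"]*"' % "|".join(sorted(SECRET_KEYS)), re.IGNORECASE
)


def mask_body(body):
    """Mask secrets in an HTTP body string, whether or not it parses as JSON."""
    try:
        return json.dumps(mask_secrets(json.loads(body)))
    except ValueError:
        return _RAW_RE.sub(r'\1"%s"' % MASK, body)


def format_resp_log(status, body):
    """Build the RESP / RESP BODY debug lines with secrets masked, for both
    request and response bodies (the bug only masked the request side)."""
    return "RESP: [%d]\nRESP BODY: %s" % (status, mask_body(body))


# Constructed sample, shaped like the response body quoted in the bug description.
SAMPLE_BODY = json.dumps({"connection_info": {"driver_volume_type": "iscsi", "data": {
    "auth_password": "kk4qD6CpKFLyz9JD", "auth_username": "s4BfSfZ67Bo2mnpuFWY8",
    "auth_method": "CHAP", "target_lun": 1, "access_mode": "rw"}}})

if __name__ == "__main__":
    print(format_resp_log(200, SAMPLE_BODY))
```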
Tzach Shefi (tshefi) wrote :

What steps were taken to hit this bug?
What action was done?
Where would I see the password exposed with --debug ?

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-cinderclient 1.10.0

This issue was fixed in the openstack/python-cinderclient 1.10.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-cinderclient (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/546176

OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-cinderclient (master)

Reviewed: https://review.openstack.org/546176
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=98822d1fb4c28f5192fb8245c0737e50e3f20ac0
Submitter: Zuul
Branch: master

commit 98822d1fb4c28f5192fb8245c0737e50e3f20ac0
Author: Matt Riedemann <email address hidden>
Date: Tue Feb 20 10:16:16 2018 -0500

    Remove unused cinderclient/apiclient/client.py module

    This old module was a carry over from the oslo incubator days
    and is no longer used.

    Change-Id: I44982d2581e90b781c78f3d2421cd1dcd8e590fd
    Related-Bug: #1685678
    Related-Bug: #1640269
