catch_errors may record token-id in log file
Bug #1646254 reported by JiaJunsu
This bug report is a duplicate of:
Bug #1628031: [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592).
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.middleware | Fix Committed | High | JiaJunsu |
Bug Description
https:/
If an API request with a token gets an exception, the req may be logged by CatchErrors.
I suppose the token-id should be replaced by *.
Log context here:
An error occurred during processing the request: GET /v2.0/ports.
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/plain
Host: network.
User-Agent: python-
X-Auth-Token: xxxxxxxx
Changed in oslo.middleware:
assignee: nobody → JiaJunsu (jiajunsu)
status: New → In Progress
Changed in oslo.middleware:
importance: Undecided → High
Changed in oslo.middleware:
status: In Progress → Fix Committed
Fix merged to master: https://review.openstack.org/#/c/404980/
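
A sketch of the masking the report proposes, as an added example that is not oslo.middleware's code or the merged fix: a stand-alone WSGI middleware that replaces the X-Auth-Token value before a failed request is written to the log. The names `MaskingCatchErrors`, `format_request` and `demo`, the `*****` placeholder and the sample token are assumptions constructed for illustration.

```python
import io
import logging

LOG = logging.getLogger("catch_errors_example")
SENSITIVE_ENVIRON_KEYS = {"HTTP_X_AUTH_TOKEN"}  # assumption: only this header is masked


def format_request(environ):
    """Render method, path and headers for the log, masking sensitive values."""
    lines = [f"{environ.get('REQUEST_METHOD', '?')} {environ.get('PATH_INFO', '')}"]
    for key in sorted(k for k in environ if k.startswith("HTTP_")):
        name = key[5:].replace("_", "-").title()  # HTTP_X_AUTH_TOKEN -> X-Auth-Token
        value = "*****" if key in SENSITIVE_ENVIRON_KEYS else environ[key]
        lines.append("%s: %s" % (name, value))
    return "\n".join(lines)


class MaskingCatchErrors:
    """WSGI middleware: log unhandled exceptions with the token masked."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            # Log the sanitized rendering, never the raw request object.
            LOG.exception("An error occurred during processing the request: %s",
                          format_request(environ))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"Internal Server Error"]


def demo():
    """Send a constructed failing request through; return status and log text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    LOG.addHandler(handler)
    LOG.propagate = False
    def failing_app(environ, start_response):
        raise RuntimeError("backend failure")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2.0/ports",
               "HTTP_ACCEPT": "application/json",
               "HTTP_X_AUTH_TOKEN": "constructed-token-0123"}  # constructed sample
    status = []
    MaskingCatchErrors(failing_app)(environ, lambda s, h: status.append(s))
    LOG.removeHandler(handler)
    return status[0], buf.getvalue()
```

Masking at the point of formatting covers the request headers only; an exception message or traceback that embeds the token would need its own scrubbing.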