catch_errors may record token-id in log file

Bug #1646254 reported by JiaJunsu
Affects: oslo.middleware
Status: Fix Committed
Importance: High
Assigned to: JiaJunsu

Bug Description

https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/catch_errors.py#L41

If an API request with a token raises an exception, the request may be logged by CatchErrors.__call__.

I propose to replace the token-id with *.

Log context here:

An error occurred during processing the request: GET /v2.0/ports.json?device_id=xxxxx HTTP/1.0
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/plain
Host: network.test.com:8020
User-Agent: python-neutronclient
X-Auth-Token: xxxxxxxx
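As an added example (not oslo.middleware's own code), a CatchErrors-style WSGI middleware that masks the value of every token header before the failed request is written to the log. The header pattern, the environ-to-text dump and the sample request are constructed for this example; the token value in it is a placeholder.

```python
import logging
import re

LOG = logging.getLogger(__name__)

# Assumed pattern (not oslo.middleware's): any "X-...-Token:" header line,
# e.g. X-Auth-Token, X-Subject-Token, X-Service-Token, matched case-insensitively.
_TOKEN_HEADER_RE = re.compile(r'^(X-[\w-]*Token:[ \t]*)(\S+)',
                              re.IGNORECASE | re.MULTILINE)
_MASK = '*****'


def redact_tokens(raw_request):
    """Replace the value of every token header in a request dump with a mask."""
    return _TOKEN_HEADER_RE.sub(lambda m: m.group(1) + _MASK, raw_request)


def format_request(environ):
    """Render a WSGI environ as a request line plus one header per line.

    Constructed for this example; a real middleware would log str(req) of a
    webob Request, which has the same shape as the log context in the report.
    """
    query = environ.get('QUERY_STRING', '')
    request_line = '%s %s%s %s' % (
        environ.get('REQUEST_METHOD', 'GET'),
        environ.get('PATH_INFO', '/'),
        ('?' + query) if query else '',
        environ.get('SERVER_PROTOCOL', 'HTTP/1.0'))
    headers = []
    for key, value in sorted(environ.items()):
        if key.startswith('HTTP_'):
            # HTTP_X_AUTH_TOKEN -> X-Auth-Token
            headers.append('%s: %s' % (key[5:].replace('_', '-').title(), value))
    return '\n'.join([request_line] + headers)


class RedactingCatchErrors(object):
    """Minimal CatchErrors-style middleware: log the failed request with token
    values masked, then return a generic 500 to the client."""

    def __init__(self, app):
        self.app = app
        self.last_logged = None  # kept so the logged text can be inspected

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            # Redact before the request text ever reaches the log handler.
            self.last_logged = redact_tokens(format_request(environ))
            LOG.exception('An error occurred during processing the request: %s',
                          self.last_logged)
            start_response('500 Internal Server Error',
                           [('Content-Type', 'text/plain')])
            return [b'An unknown error has occurred. '
                    b'Please try your request again.']


# Constructed sample request; the token value is a placeholder, not a real one.
SAMPLE_ENVIRON = {
    'REQUEST_METHOD': 'GET',
    'PATH_INFO': '/v2.0/ports.json',
    'QUERY_STRING': 'device_id=xxxxx',
    'SERVER_PROTOCOL': 'HTTP/1.0',
    'HTTP_HOST': 'network.test.com:8020',
    'HTTP_ACCEPT': 'application/json',
    'HTTP_USER_AGENT': 'python-neutronclient',
    'HTTP_X_AUTH_TOKEN': 'gAAAAABconstructed-token-value',
}


def failing_app(environ, start_response):
    """Backend that always raises, to exercise the error path."""
    raise RuntimeError('backend failed')


def demo():
    """Run the sample request through the middleware; return status, log text, body."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen['status'] = status

    mw = RedactingCatchErrors(failing_app)
    body = b''.join(mw(SAMPLE_ENVIRON, start_response))
    return seen['status'], mw.last_logged, body


if __name__ == '__main__':
    status, logged, _ = demo()
    print(status)
    print(logged)
```

Running the module prints the 500 status and the request dump with "X-Auth-Token: *****" in place of the token; the regex is applied to the whole dump rather than to one known header name so that other token-carrying headers are covered as well.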


JiaJunsu (jiajunsu)
Changed in oslo.middleware:
assignee: nobody → JiaJunsu (jiajunsu)
status: New → In Progress
gordon chung (chungg)
Changed in oslo.middleware:
importance: Undecided → High
JiaJunsu (jiajunsu)
Changed in oslo.middleware:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.middleware 3.23.0

This issue was fixed in the openstack/oslo.middleware 3.23.0 release.

Jeremy Stanley (fungi) wrote :

It was pointed out that this report is a duplicate of embargoed security vulnerability OSSA-2017-001/CVE-2017-2592 which was being worked in parallel. I'll mark this bug as a duplicate since the other has far more detail and covers the advisory and (slightly different) stable branch fixes.
