Secure user info is improperly logged

Bug #1664821 reported by Summer Long
Affects: OpenStack Heat
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Heat is logging plain-text AdminPasswords in the /var/log/heat/heat-api.log file.

Code:
heat/heat/common/serializers.py:

    # Module imports and LOG added here so the excerpt is self-contained.
    import datetime
    from oslo_log import log as logging
    from oslo_serialization import jsonutils
    import six

    LOG = logging.getLogger(__name__)


    class JSONResponseSerializer(object):

        def to_json(self, data):
            def sanitizer(obj):
                if isinstance(obj, datetime.datetime):
                    return obj.isoformat()
                return six.text_type(obj)

            response = jsonutils.dumps(data, default=sanitizer)
            # The complete serialised response, AdminPassword included, is written to the log.
            LOG.debug("JSON response : %s" % response)  # <- HERE

This is logged at the debug level, so more of a hardening issue.

Similar to bug: https://bugs.launchpad.net/mistral/+bug/1337268
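Added example, not code from the bug report or from Heat: the reported pattern (log the whole serialised response) beside a hardened variant that logs a redacted copy, plus the check a practitioner would run against heat-api.log. The sample response, the SENSITIVE_KEY pattern and the logger name are all constructed for this illustration.

```python
import datetime
import io
import logging
import re
import json

# Constructed sample data, not a real Heat response: a stack resource whose
# properties carry an admin password, the value the report says ends up in
# heat-api.log.
SAMPLE_RESPONSE = {
    "resource": {
        "resource_name": "my_server",
        "resource_type": "OS::Nova::Server",
        "updated_time": datetime.datetime(2017, 2, 15, 12, 0, 0),
        "properties": {
            "name": "my_server",
            "admin_pass": "Sup3rS3cret!",
            "metadata": {"AdminPassword": "Sup3rS3cret!"},
            "networks": [{"network": "private"}],
        },
    }
}

# Key names whose values must never reach a log line.  Assumed list for the
# example; a real deployment would extend it to match its templates.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|private_key", re.IGNORECASE)


def sanitizer(obj):
    """Same role as the sanitizer in the reported snippet: make datetimes
    JSON-serialisable and fall back to str() for anything else."""
    if isinstance(obj, datetime.datetime):
        return obj.isoformat()
    return str(obj)


def redact(obj, placeholder="***"):
    """Return a copy of obj with the values of sensitive keys replaced.
    Recurses through dicts and lists so a password nested inside resource
    properties or metadata is masked as well."""
    if isinstance(obj, dict):
        return {
            k: placeholder if SENSITIVE_KEY.search(str(k)) else redact(v, placeholder)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, placeholder) for v in obj]
    return obj


def to_json_unsafe(data, log):
    """The reported pattern: the full serialised response goes to the log."""
    response = json.dumps(data, default=sanitizer)
    log.debug("JSON response : %s", response)
    return response


def to_json_hardened(data, log):
    """Hardened variant: the wire response is unchanged, but the log line is
    built from a redacted copy of the data."""
    response = json.dumps(data, default=sanitizer)
    log.debug("JSON response : %s", json.dumps(redact(data), default=sanitizer))
    return response


def capture_debug_log(serialize, data):
    """Run serialize(data, log) with a DEBUG logger writing to memory and
    return (response, logged_text) so the log output can be inspected."""
    buf = io.StringIO()
    log = logging.getLogger("heat.common.serializers.example")  # hypothetical name
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    try:
        response = serialize(data, log)
    finally:
        log.removeHandler(handler)
    return response, buf.getvalue()


def leaks_secret(text, secret="Sup3rS3cret!"):
    """The check to run over a log file: does the secret appear verbatim?"""
    return secret in text


if __name__ == "__main__":
    for name, fn in (("unsafe", to_json_unsafe), ("hardened", to_json_hardened)):
        response, logged = capture_debug_log(fn, SAMPLE_RESPONSE)
        print(f"{name}: secret in log = {leaks_secret(logged)}, "
              f"secret still in response = {leaks_secret(response)}")
```

The point of the hardened variant is that redaction is applied only to what is logged; the API response itself must still carry the password to the client, so masking the data before serialising it would break the API rather than fix the log. The same `leaks_secret` check, run with a known test password over /var/log/heat/heat-api.log after a stack create at debug level, is the quickest way to confirm whether a given build is affected.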

Summer Long (slong-g)
information type: Private Security → Public Security
Summer Long (slong-g) wrote :

This can be closed. It's a duplicate of a bug raised earlier today:
https://bugs.launchpad.net/heat/+bug/1664792
