Secure user info is improperly logged
Bug #1664821 reported by Summer Long
This bug report is a duplicate of:
Bug #1664792: Password written in clear text in heat-api.log with DEBUG mode.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | New | Undecided | Unassigned |
Bug Description
Heat is logging plain-text AdminPasswords in the /var/log/
Code:
heat/heat/
```python
class JSONResponseSer

    def to_json(self, data):
        def sanitizer(obj):
            if isinstance(obj, datetime.datetime):
                return obj.isoformat()
            return six.text_type(obj)

        response = jsonutils.
        LOG.debug("JSON response : %s" % response)  # <- HERE
```
This is logged at the debug level, so more of a hardening issue.
Similar to bug: https:/
information type: Private Security → Public Security
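A hardened variant of the logging pattern reported above, as an added example that is not Heat's code or its actual fix: the response is still serialized in full for the client, but the DEBUG line is built from a redacted copy. The names `redact`, `is_sensitive`, `SENSITIVE_MARKERS` and the sample payload are assumptions made for illustration, and `json`/`str` stand in for `jsonutils`/`six.text_type`.

```python
import datetime
import json
import logging

LOG = logging.getLogger(__name__)

# Assumption: substrings that mark a key as secret; tune for the API in use.
SENSITIVE_MARKERS = ("password", "secret", "token")
MASK = "***"


def sanitizer(obj):
    # Same fallback as in the report: ISO dates, text for everything else.
    if isinstance(obj, datetime.datetime):
        return obj.isoformat()
    return str(obj)


def is_sensitive(key):
    return isinstance(key, str) and any(m in key.lower() for m in SENSITIVE_MARKERS)


def redact(data):
    """Return a copy of data with the values of sensitive keys masked."""
    if isinstance(data, dict):
        return {k: MASK if is_sensitive(k) else redact(v) for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return [redact(v) for v in data]
    return data


def to_json(data):
    """Serialize data for the client; log only a redacted rendering."""
    response = json.dumps(data, default=sanitizer)
    # Build the log text only when DEBUG is enabled, and never from `response`.
    if LOG.isEnabledFor(logging.DEBUG):
        LOG.debug("JSON response : %s", json.dumps(redact(data), default=sanitizer))
    return response


# Constructed sample resembling a response that carries a password parameter.
SAMPLE = {
    "stack": {
        "parameters": {"AdminPassword": "s3cr3t-example", "flavor": "m1.small"},
        "created": datetime.datetime(2017, 2, 15, 12, 0, 0),
    }
}
```

Key-name matching only catches secrets stored under recognisable keys; a password embedded in a free-text value would still reach the log.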
This can be closed. It's a duplicate of a bug raised earlier today: https://bugs.launchpad.net/heat/+bug/1664792