syspanel doesn't strip confirm_password from JSON when updating user password

Bug #970483 reported by Morgan Fainberg on 2012-04-01
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Critical
Gabriel Hurley

Bug Description

The syspanel in Horizon doesn't remove the confirm_password data from the data that is sent to Keystone when updating a user's password.

This results in the JSON element "confirm_password" holding a plain-text version of the user's updated password in the keystone database and thus exposing the user's pain text password to anyone who can request the user_ref data.

The simplest solution is to just add a data.pop('confirm_password') in the handle function in the UpdateUserForm in 'dashboards/syspanel/users/forms.py

Devin Carlen (devcamcar) on 2012-04-02
Changed in horizon:
milestone: none → essex-rc2
status: New → Confirmed
importance: Undecided → Critical
Gabriel Hurley (gabriel-hurley) wrote :

Totally agree about the fix, but why is Keystone saving that data at all? Does Keystone simply save *any* random data you throw at it?

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → In Progress
Morgan Fainberg (mdrnstm) wrote :

From experiments that I have done in extending the use of keystone, I have found that Keystone does, in-fact, store any arbitrary data that is thrown at it. This work is how I discovered that the confirm_password field was being stored in plain-text in the JSON.

There are certain fields that Keystone will strip out and do something with it (i.e. password, which when supplied via PUT for a user or on new user creation, gets replaced with the hashed version; name (another one that gets handled in a special way).

I wouldn't advocate changing that functionality in keystone, as it can be useful for extending Openstack without having to extend the REST calls to achieve it.

It does mean that one must be very careful about what data is sent to Keystone.

Reviewed: https://review.openstack.org/6115
Committed: http://github.com/openstack/horizon/commit/e90886aa0761611d201ba163dce4c657c5cd57b0
Submitter: Jenkins
Branch: master

commit e90886aa0761611d201ba163dce4c657c5cd57b0
Author: Gabriel Hurley <email address hidden>
Date: Mon Apr 2 14:58:05 2012 -0700

    Prevent confirmation password data from being sent to keystone.

    Fixes bug 970483.

    Change-Id: Id26bfcab81f62cedc31236417835081deef07e9a

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-04-03
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in horizon:
milestone: essex-rc2 → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers