Generic exceptions can reveal system information

Bug #1293113 reported by Leandro Ignacio Costantino
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Due to the nature of https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L378
generic exceptions are being thrown by the API that may expose internal system information.

Example as a regular user:
1) Keystone & mysql running
2) # keystone token-get
3) # service mysql stop
4) # keystone token-get (or any other client that uses keystone, e.g. nova list)
Output:
ERROR: An unexpected error prevented the server from fulfilling your request. (OperationalError) (2003, "Can't connect to MySQL server on '127.0.0.1' (111)") None None (HTTP 500)

If the db password is not the right one:
Authorization Failed: An unexpected error prevented the server from fulfilling your request. (OperationalError) (1045, "Access denied for user 'root'@'localhost' (using password: YES)") None None (HTTP 500)

There are 3 possible fixes for this:
  - Catch specific exceptions that may reveal usernames / hosts
  - Replace exception=e with exception='' on line 379.
  - Check if the user is admin or not to return the exception message in case this is really needed. (I don't think this is appropriate either, since an admin user may not be the Cloud Admin operator?)

I will upload a review if we consider this a real bug.
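The following is an added illustration of the leak described above and of the first two proposed fixes; it is not keystone's own code. The `OperationalError` class and the view function are stand-ins constructed for the example, and the sample messages are the ones quoted in this report.

```python
import logging
import uuid

log = logging.getLogger("keystone.example")

GENERIC_MSG = "An unexpected error prevented the server from fulfilling your request."

# Tokens a client must never see in an error body (hosts, DB users, driver names).
# Constructed for this example from the messages quoted in the report.
INTERNAL_TOKENS = ("127.0.0.1", "localhost", "'root'", "MySQL", "OperationalError")


class OperationalError(Exception):
    """Stand-in for the DB driver's OperationalError (constructed for this example)."""


def leaky_response(exc):
    """Before: the exception text is interpolated into the 500 body (reported behaviour)."""
    return 500, "%s (%s) %s" % (GENERIC_MSG, type(exc).__name__, exc)


def safe_response(exc):
    """After: full detail goes to the server log under a correlation id;
    the client receives only the generic message and that id."""
    error_id = uuid.uuid4().hex[:12]
    log.error("request failed, error id %s: %s: %s", error_id, type(exc).__name__, exc)
    return 500, "%s (error id: %s)" % (GENERIC_MSG, error_id)


def call_with_handler(view, handler):
    """Run a view function; any unexpected exception becomes a 500 built by `handler`."""
    try:
        return 200, view()
    except Exception as exc:  # the handler decides what is exposed to the client
        return handler(exc)


def leaks_internal_detail(body):
    """True if the client-visible body contains any internal token."""
    return any(token in body for token in INTERNAL_TOKENS)


# Sample failures built from the messages quoted in the report (constructed stand-ins).
DB_DOWN = OperationalError("(2003, \"Can't connect to MySQL server on '127.0.0.1' (111)\")")
BAD_PASSWORD = OperationalError("(1045, \"Access denied for user 'root'@'localhost' (using password: YES)\")")


def failing_token_get():
    """Stand-in for a token-get view whose DB query fails because MySQL is down."""
    raise DB_DOWN
```

Running `call_with_handler(failing_token_get, leaky_response)` reproduces the leaking body from the report, while `safe_response` keeps the driver detail in the server log only.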

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Duplicate of fixed released.

information type: Private Security → Public