http_log_request prints debug info including the PKI certificate, which is unsafe

Bug #1858186 reported by kuangpeiling on 2020-01-03
This bug affects 1 person
Affects: keystoneauth
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none shown)

Bug Description

When I use a PKI token, I find that the nova debug log includes the whole PKI certificate info. Is this safe? Does it need to be modified?

My request is:
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked

debug.log shows, for example:
RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

Code in session.py:
        if response is not None:
            if not status_code:
                status_code = response.status_code
            if not headers:
                headers = response.headers
            if not text:
                # NOTE(samueldmq): If the response does not provide enough info
                # about the content type to decide whether it is useful and
                # safe to log it or not, just do not log the body. Trying to
                # read the response body anyways may result on reading a long
                # stream of bytes and getting an unexpected MemoryError. See
                # bug 1616105 for further details.
                content_type = response.headers.get('content-type', None)

                # NOTE(lamt): Per [1], the Content-Type header can be of the
                # form Content-Type := type "/" subtype *[";" parameter]
                # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
                for log_type in _LOG_CONTENT_TYPES:
                    if content_type is not None and content_type.startswith(
                            log_type):
                        text = self._remove_service_catalog(response.text)
                        break
                else:
                    text = ('Omitted, Content-Type is set to %s. Only '
                            '%s responses have their bodies logged.')
                    text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
        if json:
            text = self._json.encode(json)

        string_parts = ['RESP:']

        if status_code:
            string_parts.append('[%s]' % status_code)
        if headers:
            for header in six.iteritems(headers):
                string_parts.append('%s: %s' % self._process_header(header))
        if text:
            string_parts.append('\nRESP BODY: %s\n' % text)
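An added example, not keystoneauth code and not part of the report: a body-logging filter in the spirit of the session.py excerpt above. It keeps the content-type gate (omit the body unless the Content-Type is one we are prepared to log) and additionally redacts PEM/CMS armored blobs wherever they appear in string values, plus a hypothetical list of sensitive JSON keys, before the body is handed to a debug logger. The names LOGGABLE_CONTENT_TYPES, SENSITIVE_KEYS, redact_json and format_resp_body are assumptions for this example, and the sample response body is constructed (the CMS payload is fake). keystoneauth itself only strips the service catalog at this point, and this report was closed Invalid, so read the redaction list as an illustration of the general technique rather than a change the project adopted.

```python
import json
import re

# Content types whose bodies may be logged at all; anything else is omitted,
# mirroring the gate in the session.py excerpt. Example list, not
# keystoneauth's _LOG_CONTENT_TYPES.
LOGGABLE_CONTENT_TYPES = ("application/json",)

# Armored blobs such as "-----BEGIN CMS-----" ... "-----END CMS-----", which
# is what the revoked-token response in the report contains.
_ARMORED_RE = re.compile(
    r"-----BEGIN [A-Z0-9 ]+-----.*?-----END [A-Z0-9 ]+-----\n?", re.DOTALL)

# JSON keys whose values are replaced wholesale before logging.
# Hypothetical list chosen for this example.
SENSITIVE_KEYS = frozenset({"signed", "catalog", "password", "secret"})


def _redact_scalar(value):
    """Replace a sensitive value with a marker that keeps only its length."""
    if isinstance(value, str):
        return "<redacted %d chars>" % len(value)
    return "<redacted>"


def redact_json(obj):
    """Recursively redact SENSITIVE_KEYS and any armored blob inside strings."""
    if isinstance(obj, dict):
        return {
            k: (_redact_scalar(v) if k in SENSITIVE_KEYS else redact_json(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return _ARMORED_RE.sub("<redacted armored blob>", obj)
    return obj


def format_resp_body(content_type, body):
    """Return the text to place after 'RESP BODY:' in a debug log.

    content_type: value of the Content-Type header, or None.
    body: response body as str or bytes.
    """
    if content_type is None or not content_type.startswith(LOGGABLE_CONTENT_TYPES):
        return ("Omitted, Content-Type is set to %s. Only %s responses have "
                "their bodies logged."
                % (content_type, ", ".join(LOGGABLE_CONTENT_TYPES)))
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        parsed = json.loads(body)
    except ValueError:
        # Not valid JSON despite the header: still strip armored blobs.
        return _ARMORED_RE.sub("<redacted armored blob>", body)
    return json.dumps(redact_json(parsed), sort_keys=True)


# Constructed sample response modelled on the report; the CMS payload is fake.
SAMPLE_REVOKED_BODY = json.dumps({
    "signed": "-----BEGIN CMS-----\nMIIBuwYJKoZIhvcNAQcCoIIBrDCCAag=\n-----END CMS-----\n"
})

if __name__ == "__main__":
    print("RESP BODY: %s" % format_resp_body("application/json", SAMPLE_REVOKED_BODY))
    print("RESP BODY: %s" % format_resp_body("application/octet-stream", b"\x00\x01"))
```

Redacting by key alone is brittle (a sensitive value under an unexpected key slips through), and redacting by pattern alone misses opaque tokens, so the filter does both; the length marker keeps the log useful for diagnosing truncation or encoding problems without reproducing the payload.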

description: updated
description: updated
Changed in keystoneauth:
status: New → Invalid
information type: Public → Private Security
information type: Private Security → Private
Jeremy Stanley (fungi) on 2020-01-03
tags: removed: security
Jeremy Stanley (fungi) on 2020-02-28
information type: Private → Public