http_log_request will print debug info including the PKI certificate, which is unsafe

Bug #1858186 reported by kuangpeiling
Affects: keystoneauth
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When I use PKI tokens, I find that the nova debug log includes the whole PKI certificate info. Is this safe? Does it need to be modified?

My request is:
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked

debug.log shows, for example:
RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

Code from session.py:
        if response is not None:
            if not status_code:
                status_code = response.status_code
            if not headers:
                headers = response.headers
            if not text:
                # NOTE(samueldmq): If the response does not provide enough info
                # about the content type to decide whether it is useful and
                # safe to log it or not, just do not log the body. Trying to
                # read the response body anyways may result on reading a long
                # stream of bytes and getting an unexpected MemoryError. See
                # bug 1616105 for further details.
                content_type = response.headers.get('content-type', None)

                # NOTE(lamt): Per [1], the Content-Type header can be of the
                # form Content-Type := type "/" subtype *[";" parameter]
                # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
                for log_type in _LOG_CONTENT_TYPES:
                    if content_type is not None and content_type.startswith(
                            log_type):
                        text = self._remove_service_catalog(response.text)
                        break
                else:
                    text = ('Omitted, Content-Type is set to %s. Only '
                            '%s responses have their bodies logged.')
                    text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
        if json:
            text = self._json.encode(json)

        string_parts = ['RESP:']

        if status_code:
            string_parts.append('[%s]' % status_code)
        if headers:
            for header in six.iteritems(headers):
                string_parts.append('%s: %s' % self._process_header(header))
        if text:
            string_parts.append('\nRESP BODY: %s\n' % text)
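
The excerpt above only gates body logging on Content-Type, so a JSON body that carries an armoured CMS blob is still written to the debug log in full. The following is an added example (not keystoneauth's own code) of a sanitizer that keeps that gate and additionally redacts PEM-style blocks before the body reaches the log; the LOG_CONTENT_TYPES list and the sample body are assumptions constructed for the example.

```python
import json
import re

# Content types whose bodies are considered loggable. keystoneauth keeps a
# similar list in _LOG_CONTENT_TYPES; this concrete list is an assumption.
LOG_CONTENT_TYPES = ('application/json', 'text/plain')

# PEM-style armoured block: "-----BEGIN X-----" ... "-----END X-----". The body
# may contain real newlines or the escaped "\n" found inside JSON strings, so
# DOTALL lets ".*?" span both. The back-reference keeps BEGIN/END types paired.
_ARMOURED_BLOCK = re.compile(
    r'-----BEGIN ([A-Z ]+)-----.*?-----END \1-----', re.DOTALL)


def redact_armoured_blocks(text):
    """Replace every armoured blob with a marker that names only its type."""
    return _ARMOURED_BLOCK.sub(lambda m: '<%s REDACTED>' % m.group(1), text)


def sanitize_response_body(content_type, text):
    """Return the string that is safe to write to a debug log.

    Mirrors the gate in the session.py excerpt (only known text types are
    logged) and additionally strips armoured blobs such as the CMS signature.
    """
    if content_type is None:
        return 'Omitted, Content-Type is unknown.'
    # Content-Type := type "/" subtype *[";" parameter]; compare media type only.
    media_type = content_type.split(';', 1)[0].strip().lower()
    if not any(media_type.startswith(t) for t in LOG_CONTENT_TYPES):
        return 'Omitted, Content-Type is set to %s.' % content_type
    return redact_armoured_blocks(text)


# Constructed sample modelled on the RESP BODY line in the report; the base64
# payload is filler, not a real signature.
SAMPLE_BODY = ('{"signed": "-----BEGIN CMS-----\\nMIIBuwxxxxxxxxxxxxxxxxxxxxfs0QO'
               '\\n-----END CMS-----\\n"}')

if __name__ == '__main__':
    logged = sanitize_response_body('application/json; charset=utf-8', SAMPLE_BODY)
    print('RESP BODY: %s' % logged)
    # The redacted body is still well-formed JSON, so log parsers keep working.
    print(json.loads(logged))
```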

description: updated
description: updated
Changed in keystoneauth:
status: New → Invalid
information type: Public → Private Security
information type: Private Security → Private
Jeremy Stanley (fungi)
tags: removed: security
Jeremy Stanley (fungi)
information type: Private → Public