Comment 61 for bug 1837877

Reviewed: https://review.opendev.org/674821
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=298b337a16c0d10916b4431c436d19b3d6f5360e
Submitter: Zuul
Branch: master

commit 298b337a16c0d10916b4431c436d19b3d6f5360e
Author: Matt Riedemann <email address hidden>
Date: Fri Jul 26 10:53:02 2019 -0400

    Replace non-nova server fault message

    The server fault "message" is always shown in the API
    server response, regardless of policy or user role.

    The fault "details" are only shown to users with the
    admin role when the fault code is 500.

    The problem with this is for non-nova exceptions, the
    fault message is a string-ified version of the exception
    (see nova.compute.utils.exception_to_dict) which can
    contain sensitive information which the non-admin owner
    of the server can see.

    This change adds a functional test to recreate the issue
    and a change to exception_to_dict which for the non-nova
    case changes the fault message by simply storing the
    exception type class name. Admins can still see the fault
    traceback in the "details" key of the fault dict in the
    server API response. Note that _get_fault_details is
    changed so that the details also includes the exception
    value which is what used to be in the fault message for
    non-nova exceptions. This is necessary so admins can still
    get the exception message with the traceback details.

    Note that nova exceptions with a %(reason)s replacement
    variable could potentially be leaking sensitive details as
    well but those would need to be cleaned up on a case-by-case
    basis since we don't want to change the behavior of all
    fault messages otherwise users might not see information
    like NoValidHost when their server goes to ERROR status
    during scheduling.

    SecurityImpact: This change contains a fix for CVE-2019-14433.

    Change-Id: I5e0a43ec59341c9ac62f89105ddf82c4a014df81
    Closes-Bug: #1837877