OpenStack Compute (nova)

  1. Series icehouse
  2. Bug #1343604
  3. Comment #14

Comment 14 for bug 1343604

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Exceptions thrown, and messages logged by execute() may include passwords

@slicknik Can you confirm trove/icehouse is not impacted? This may leak password if the request does not encapsulate password with '"''
  https://github.com/openstack/trove/blob/stable/icehouse/trove/extensions/mysql/service.py#L85
e.g., >>> mask_password("requests.... password=SECRET")
u'requests.... password=SECRET'

@cinder-coresec: Can you check how an execution error in this call will get handled ?
   https://github.com/openstack/cinder/blob/stable/havana/cinder/brick/iscsi/iscsi.py#L419
e.g., if the exception is logged it might leak the password to logs (either because password is not encapsulated with '"', either because the mask_password is not called)

@Tracy Jones: Can you explain why did you added "compute" tag ? I double check nova source code and couldn't find a clear code path that would leak a password by logging ProcessExecutionError exception.