Grant, with respect, I disagree with your assessment. The default values are attempts = 1 and ignore_exit_code is False and check_exit_code is None. Therefore, by default, an invocation of execute that results in an error would result in an exception being thrown.
Whether you need to issue a security advisory or not may depend more on the incompleteness of the conditions in mask_password (strutils.mask_password) than just whether this function results in a thrown exception or not.
In testing my changes, I found that the masks in mask_password did not, for example, catch the usage
Grant, with respect, I disagree with your assessment. The default values are attempts = 1 and ignore_exit_code is False and check_exit_code is None. Therefore, by default, an invocation of execute that results in an error would result in an exception being thrown.
Whether you need to issue a security advisory or not may depend more on the incompleteness of the conditions in mask_password (strutils. mask_password) than just whether this function results in a thrown exception or not.
In testing my changes, I found that the masks in mask_password did not, for example, catch the usage
/usr/sbin/mysqld --password= top-secret
2014-07-19 18:35:01.415 20588 ERROR openstack. common. processutils [-] Running cmd (subprocess): /usr/sbin/mysqld --password=secret
They did catch
/usr/sbin/mysqld --password= "top-secret"
2014-07-19 18:35:48.686 20605 ERROR openstack. common. processutils [-] Running cmd (subprocess): /usr/sbin/mysqld --password="***"
I do intend to enter a bug to make the strings in strutils. mask_password more robust.