Comment 2 for bug 1343604

Amrith Kumar (amrith) wrote : Re: Exceptions thrown by execute() return a command that potentially includes passwords

Grant, with respect, I disagree with your assessment. The default values are attempts = 1 and ignore_exit_code is False and check_exit_code is None. Therefore, by default, an invocation of execute that results in an error would result in an exception being thrown.

Whether you need to issue a security advisory or not may depend more on the incompleteness of the conditions in mask_password (strutils.mask_password) than just whether this function results in a thrown exception or not.

In testing my changes, I found that the masks in mask_password did not, for example, catch the usage

/usr/sbin/mysqld --password=top-secret

2014-07-19 18:35:01.415 20588 ERROR openstack.common.processutils [-] Running cmd (subprocess): /usr/sbin/mysqld --password=secret

They did catch

/usr/sbin/mysqld --password="top-secret"

2014-07-19 18:35:48.686 20605 ERROR openstack.common.processutils [-] Running cmd (subprocess): /usr/sbin/mysqld --password="***"

I do intend to enter a bug to make the strings in strutils.mask_password more robust.
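
The gap described in the comment above, as an added example that is not part of the original comment and is not the oslo strutils code: a hypothetical quoted-only pattern beside a broader one that also covers unquoted and space-separated values, plus a small leak check. The function names, patterns and sample command lines are constructed for illustration.

```python
import re

SECRET = "***"

# Constructed sample command lines; the first two mirror the forms in the comment.
SAMPLES = [
    '/usr/sbin/mysqld --password=top-secret',
    '/usr/sbin/mysqld --password="top-secret"',
    "/usr/sbin/mysqld --password 'top secret' --port=3306",
]

# Hypothetical narrow pattern: matches only when the value is quoted.
_QUOTED_ONLY = re.compile(r'(password\s*=\s*)(["\']).*?\2', re.IGNORECASE)

# Hypothetical broader pattern: key, then '=' or whitespace, then either a
# quoted value or a bare run of non-space, non-quote characters.
# Intended for command lines; on free prose it would also mask the word
# following "password".
_BROAD = re.compile(
    r'(?P<key>password|passwd)(?P<sep>\s*=\s*|\s+)'
    r'(?:(?P<q>["\']).*?(?P=q)|[^\s"\']+)',
    re.IGNORECASE,
)


def mask_quoted_only(cmd):
    """Mask password="value" / password='value' and nothing else."""
    return _QUOTED_ONLY.sub(r'\g<1>\g<2>' + SECRET + r'\g<2>', cmd)


def mask_broad(cmd):
    """Mask quoted, unquoted and space-separated password values."""
    def repl(m):
        q = m.group('q') or ''  # keep the original quoting style, if any
        return m.group('key') + m.group('sep') + q + SECRET + q
    return _BROAD.sub(repl, cmd)


def leaked(masker, samples=SAMPLES, needles=("top-secret", "top secret")):
    """Return the inputs whose masked form still contains a secret."""
    return [s for s in samples if any(n in masker(s) for n in needles)]


if __name__ == "__main__":
    for name, fn in (("quoted-only", mask_quoted_only), ("broad", mask_broad)):
        for s in SAMPLES:
            print(f"{name:12} {fn(s)}")
        print(f"{name:12} leaks: {len(leaked(fn))}")
```

A check like `leaked()` is worth keeping as a regression test next to the masking patterns, so that each new command-line form seen in logs becomes a sample.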