When a ProcessExecutionError is thrown by processutils.execute(), the
exception may contain information such as password. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception.
Cherry-pick from review.openstack.org/109417
Partial-Bug: #1343604
Reviewed: https:/ /review. openstack. org/116982 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=853d8f9897f 8563851441108a9 be26b10908c076
Committed: https:/
Submitter: Jenkins
Branch: master
commit 853d8f9897f8563 851441108a9be26 b10908c076
Author: Tristan Cacqueray <email address hidden>
Date: Tue Aug 26 18:16:40 2014 +0000
Mask passwords in exceptions and error messages
When a ProcessExecutio nError is thrown by processutils. execute( ), the mask_password( ) on the command, stdout and stderr in the
exception may contain information such as password. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.
exception.
Cherry-pick from review. openstack. org/109417
Partial-Bug: #1343604
Change-Id: I9741dcdebdb4be d295ddc5ec4c4b1 17fffcfe88c