Comment 2 for bug 1673569
Revision history for this message
| Ben Nemec (bnemec) wrote Re: Failed notification payload is dumped in logs with auth secrets | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Hmm, so the problem is that the notifier is hooked directly into the logger, and when it sends the notification it tries to include all of the args to the logger. In this case that includes the Nova context, which contains sensitive data.
The circular reference error aside, it seems bad that we're sending sensitive data in notification payloads. That isn't considered a secure channel, is it?
Maybe we could filter the context out in the notification log handler. I don't think that information is intended to be exposed, except where it is referenced in the log message anyway.