When a ProcessExecutionError is thrown by processutils.execute(), the
exception may contain information such as passwords. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added to ensure that all three are
properly masked.
Reviewed: https://review.openstack.org/114656
Committed: https://git.openstack.org/cgit/openstack/oslo.concurrency/commit/?id=c906dccefccedd8d00d6aa3eacc76194e8199714
Submitter: Jenkins
Branch: master
commit c906dccefccedd8d00d6aa3eacc76194e8199714
Author: Amrith Kumar <email address hidden>
Date: Thu Aug 14 00:52:02 2014 -0400
Mask passwords in exceptions and error messages
When a ProcessExecutionError is thrown by processutils.execute(), the
exception may contain information such as passwords. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added to ensure that all three are
properly masked.
OSSA is aware of this change request.
Originally-Submitted-In: I173dfb865e84eb7dee54a22c76db1e4f125a0a8a
Change-Id: Ie122db5f19802f519b96ed024ab3f2b5eede3eee
Closes-Bug: #1343604
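
The approach the commit message describes, as an added example that is not the oslo.concurrency code: the command, stdout and stderr are masked when the exception is built, so an application that only logs the message never sees the secret. `mask()` is a simplified stand-in for `strutils.mask_password()` with an assumed key list; `MaskedProcessError`, `execute()` and `demo()` are hypothetical names, and the failing child process is constructed for the demonstration.

```python
import re
import subprocess
import sys

# Simplified stand-in for strutils.mask_password(); the key list is an assumption.
_SECRET = re.compile(
    r"""(?i)((?:password|passwd|secret|token)\w*["']?(?:\s*[=:]\s*|\s+)["']?)([^\s"']+)""")


def mask(text, replacement="***"):
    """Replace the value that follows a secret-looking key, keeping the key."""
    return _SECRET.sub(lambda m: m.group(1) + replacement, text or "")


class MaskedProcessError(Exception):
    """Hypothetical analogue of ProcessExecutionError: masks before storing."""

    def __init__(self, cmd, exit_code, stdout, stderr):
        self.cmd, self.exit_code = mask(cmd), exit_code
        self.stdout, self.stderr = mask(stdout), mask(stderr)
        super().__init__("Command: %s\nExit code: %s\nStdout: %r\nStderr: %r"
                         % (self.cmd, self.exit_code, self.stdout, self.stderr))


def execute(*cmd):
    """Run cmd; on non-zero exit raise an error whose fields are already masked."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise MaskedProcessError(" ".join(cmd), proc.returncode,
                                 proc.stdout, proc.stderr)
    return proc.stdout, proc.stderr


# Constructed failing child: echoes the secret on stdout and stderr, exits 1.
_CHILD = ("import sys; print('db_password=' + sys.argv[2]); "
          "sys.stderr.write('login failed, password: ' + sys.argv[2]); sys.exit(1)")


def demo(secret="s3cr3t"):
    """Return the exception a caller would log for the constructed failure."""
    try:
        execute(sys.executable, "-c", _CHILD, "--password", secret)
    except MaskedProcessError as exc:
        return exc
    raise AssertionError("child was expected to fail")


if __name__ == "__main__":
    print(demo())  # what an application that logs str(exc) would write
```

The stand-in pattern also masks the word after a key in ordinary prose such as "password is wrong"; that over-masking is a property of this simplified regex only.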