When a ProcessExecutionError is thrown by processutils.execute(), the
exception may contain information such as a password. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added to ensure that all three are
properly masked.
OSSA is aware of this change request.
Submitted to oslo.concurrency in
Ie122db5f19802f519b96ed024ab3f2b5eede3eee
Reviewed: https://review.openstack.org/109417
Committed: https://git.openstack.org/cgit/openstack/oslo-incubator/commit/?id=63c99a0fd5fa7f60b33c7fa756020e5562b6afb0
Submitter: Jenkins
Branch: master
commit 63c99a0fd5fa7f60b33c7fa756020e5562b6afb0
Author: Amrith Kumar <email address hidden>
Date: Thu Jul 24 17:04:42 2014 -0400
Mask passwords in exceptions and error messages
When a ProcessExecutionError is thrown by processutils.execute(), the
exception may contain information such as a password. Upstream
applications that just log the message (as several appear to do) could
inadvertently expose these passwords to a user with read access to the
log files. It is therefore considered prudent to invoke
strutils.mask_password() on the command, stdout and stderr in the
exception. A test case has been added to ensure that all three are
properly masked.
OSSA is aware of this change request.
Submitted to oslo.concurrency in
Ie122db5f19802f519b96ed024ab3f2b5eede3eee
Change-Id: I173dfb865e84eb7dee54a22c76db1e4f125a0a8a
Closes-Bug: #1343604
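
The behaviour the commit message describes, as an added sketch that is not the oslo-incubator code: an exception that masks the command, stdout and stderr when it is created, so an application that only logs the message cannot leak the secret. `mask()`, `MaskedProcessError`, `execute()` and the sample child process are hypothetical stand-ins; `mask()` is a simplified substitute for `strutils.mask_password()`.

```python
import re
import subprocess
import sys

# Simplified stand-in for strutils.mask_password() (assumption: the oslo
# helper recognises more key names and formats). Over-masks on purpose.
_SECRET_RE = re.compile(
    r"(?i)((?:password|passwd|secret)\w*['\"]?\s*[=:\s]\s*['\"]?)[^\s'\",]+")


def mask(text, placeholder="***"):
    return _SECRET_RE.sub(lambda m: m.group(1) + placeholder, text or "")


class MaskedProcessError(Exception):
    """Hypothetical analogue of ProcessExecutionError, masked on creation."""

    def __init__(self, cmd, exit_code, stdout, stderr):
        # Mask every field: loggers may use str(exc) or the attributes.
        self.cmd, self.stdout, self.stderr = mask(cmd), mask(stdout), mask(stderr)
        self.exit_code = exit_code
        super().__init__(
            f"Command: {self.cmd}\nExit code: {exit_code}\n"
            f"Stdout: {self.stdout!r}\nStderr: {self.stderr!r}")


def execute(*cmd):
    """Run cmd; on non-zero exit raise an error whose fields are masked."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise MaskedProcessError(" ".join(cmd), proc.returncode,
                                 proc.stdout, proc.stderr)
    return proc.stdout, proc.stderr


# Constructed sample: a child process that echoes its secret and fails.
SECRET = "s3cr3t-demo"
CHILD = ("import sys; print('login password=' + sys.argv[2]); "
         "sys.stderr.write('denied, passwd: ' + sys.argv[2]); sys.exit(1)")


def run_demo():
    try:
        execute(sys.executable, "-c", CHILD, "--password", SECRET)
    except MaskedProcessError as exc:
        return exc


if __name__ == "__main__":
    print(run_demo())
```

Masking in the constructor rather than at each log call means the unmasked strings never leave `execute()`, which covers callers that log `exc.stderr` directly as well as those that log `str(exc)`.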