Notifications should not include auth token
Bug #1072669 reported by Sandy Walsh
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo.messaging | Expired | Undecided | Unassigned | |
Bug Description
The auth token is part of the context and is being included in all Event Notifications. Exposing the auth token is a potential security risk. It should be stripped out before sending the event.
Changed in nova:
status: New → Triaged
importance: Undecided → High
affects: oslo-incubator → oslo.messaging
Just for my information (and please excuse my ignorance), who actually gets notified in events?
Trying to see if that could be exploited the way it is, or if it's just a welcome security strengthening improvement.
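The fix requested in the bug description (strip the auth token from the context before the event is sent) can be sketched as follows. This is an added example, not part of the original bug report and not oslo.messaging code. The envelope layout, the key names in `SENSITIVE_KEYS`, the `_context_` prefix handling and the sample values are all assumptions.

```python
import json

# Assumption: key names under which a request context may carry credentials.
SENSITIVE_KEYS = {"auth_token", "token"}
REDACTED = "<redacted>"


def _is_sensitive(key):
    """Match a sensitive key, also in a flattened '_context_<key>' form (assumed naming)."""
    name = str(key).lower()
    if name.startswith("_context_"):
        name = name[len("_context_"):]
    return name in SENSITIVE_KEYS


def scrub(value):
    """Return a copy of value with sensitive keys masked at any nesting depth."""
    if isinstance(value, dict):
        return {k: REDACTED if _is_sensitive(k) else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    return value


def build_notification(context, event_type, payload):
    """Build the envelope from scrubbed copies; the caller's context is left
    untouched so it can still authenticate later calls in the same request."""
    return {
        "event_type": event_type,
        "context": scrub(context),
        "payload": scrub(payload),
    }


def leaks(message, secret):
    """Regression check: is the secret value still present once serialized?"""
    return secret in json.dumps(message)


# Constructed sample input (not taken from any real deployment).
SAMPLE_TOKEN = "tok-CONSTRUCTED-0001"
SAMPLE_CONTEXT = {"user_id": "u-123", "project_id": "p-456",
                  "auth_token": SAMPLE_TOKEN}
# The payload echoes the context, a second place where the token can hide.
SAMPLE_PAYLOAD = {"resource": "r-1",
                  "request": {"_context_auth_token": SAMPLE_TOKEN}}

if __name__ == "__main__":
    msg = build_notification(SAMPLE_CONTEXT, "example.resource.create", SAMPLE_PAYLOAD)
    print(json.dumps(msg, indent=2), "leaks:", leaks(msg, SAMPLE_TOKEN))
```

Running `leaks()` against emitted messages in a test suite catches regressions where a new field reintroduces the token.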