Don't return back the sensitive information to user
Bug #1708122 reported by huangtianhua
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | High | huangtianhua |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
We return sensitive information to the user when some exceptions happen. For example, when a DBError happens, we return the whole SQL statement to the user, which is not safe. We also return the traceback to the user, which is not necessary.
Maybe we can do the same thing as nova and cinder and add a 'safe' attribute to some exceptions, to decide whether to return information such as the error message details to the user.
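The 'safe' attribute idea from the description, sketched as an added example (not code from Heat, nova or cinder): an exception is treated as unsafe unless it opts in, and the full message and traceback go only to the server log. The class names, `to_fault`, the fault fields and the sample SQL string are constructed for illustration.

```python
import logging
import traceback
import uuid

LOG = logging.getLogger("fault_demo")
GENERIC_MESSAGE = "The server encountered an internal error."


class DBError(Exception):
    """Local stand-in for a database-layer error (no 'safe' attribute)."""


class StackNotFound(Exception):
    """Hypothetical API error whose message is written for end users."""
    safe = True
    code = 404


def to_fault(exc):
    """Build the error body returned to the API caller.

    Full details are logged server-side under a request id; the caller only
    sees the message and status code if the exception is marked safe.
    """
    request_id = "req-" + str(uuid.uuid4())
    detail = traceback.format_exception(type(exc), exc, exc.__traceback__)
    LOG.error("%s unhandled fault:\n%s", request_id, "".join(detail))
    safe = getattr(exc, "safe", False)  # default deny: unmarked means unsafe
    return {
        "code": getattr(exc, "code", 500) if safe else 500,
        "type": type(exc).__name__ if safe else "InternalServerError",
        "message": str(exc) if safe else GENERIC_MESSAGE,
        "request_id": request_id,
    }


def demo():
    """Return the faults for one unsafe and one safe exception."""
    samples = (  # constructed inputs
        DBError("[SQL: INSERT INTO t (secret) VALUES ('hunter2')]"),
        StackNotFound("The Stack (s1) could not be found."),
    )
    faults = []
    for exc in samples:
        try:
            raise exc
        except Exception as caught:
            faults.append(to_fault(caught))
    return faults


if __name__ == "__main__":
    for fault in demo():
        print(fault)
```
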
Changed in heat:
assignee: nobody → huangtianhua (huangtianhua)
importance: Undecided → High
information type: Public → Public Security
information type: Public Security → Public
tags: added: security
Changed in heat:
milestone: none → pike-rc1
Changed in heat:
milestone: pike-rc1 → pike-rc2
Changed in heat:
milestone: pike-rc2 → queens-1
Changed in heat:
milestone: queens-1 → pike-rc2
Changed in heat:
milestone: pike-rc2 → queens-1
Changed in heat:
milestone: queens-1 → queens-2
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.