login password can be displayed in plaintext in horizon log
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Medium | Tyler Smith | |
Bug Description
Title
-----
login password can be displayed in plaintext in horizon log
Brief Description
-----------------
Browsers can autopopulate the 'fake_password' field on the horizon login form which isn't masked by the operation logger, resulting in plaintext passwords written to horizon.log. I noticed this while using Chrome after letting it remember my login credentials.
Severity
--------
Minor
Steps to Reproduce
------------------
Save password on login using Chrome, log out, log in allowing Chrome to auto-populate fields, check horizon.log.
Reproducibility
---------------
Reproducible
System Configuration
-------
Any
Branch/Pull Time/Commit
-------
BUILD_ID=
Timestamp/Logs
--------------
2018-09-20 17:57:21,493 [INFO] horizon.
Changed in starlingx:
assignee: nobody → Tyler Smith (tyler.smith)
status: New → In Progress
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.1.0 removed: stx.2018.10
Reviewed: https://review.openstack.org/604181
Committed: https://git.openstack.org/cgit/openstack/stx-upstream/commit/?id=ae3a377c8872c32cfdd15d5700d9b40b211bbd2a
Submitter: Zuul
Branch: master
commit ae3a377c8872c32cfdd15d5700d9b40b211bbd2a
Author: Tyler Smith <email address hidden>
Date: Thu Sep 20 14:21:01 2018 -0400
Adding 'fake_password' to the operation logger mask fields
Change-Id: I140f1a0984c02992909ce8c3afcb5df3536723b3
Closes-Bug: 1793578
Signed-off-by: Tyler Smith <email address hidden>
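As an added illustration (not code from Horizon or from the StarlingX change above), the sketch below models a request logger with an exact-match mask list, showing why a field such as 'fake_password' slips through and two checks that catch the gap. The mask lists, the sample POST body and all function names are constructed for this example, and it assumes the browser filled both fields with the same saved value.

```python
import json
import re

# Assumed mask lists for illustration; not copied from any project's settings.
MASK_BEFORE = ["password", "current_password", "new_password", "confirm_password"]
MASK_AFTER = MASK_BEFORE + ["fake_password"]

# Constructed login POST body after browser autofill populated both fields.
SAMPLE_POST = {
    "username": "admin",
    "fake_password": "S3cr3t-constructed",
    "password": "S3cr3t-constructed",
    "region": "RegionOne",
}

# Heuristic for parameter names that probably carry a credential.
SENSITIVE_NAME = re.compile(r"pass(word|wd|phrase)?|secret|token", re.IGNORECASE)


def mask_params(params, mask_fields):
    """Exact-match masking: only names listed in mask_fields are hidden."""
    return {k: ("********" if k in mask_fields else v) for k, v in params.items()}


def render_log_line(params, mask_fields):
    """Render the parameters the way a request logger would write them."""
    return "param=" + json.dumps(mask_params(params, mask_fields), sort_keys=True)


def unmasked_sensitive_fields(params, mask_fields):
    """Name-based audit: credential-looking names the mask list misses."""
    return sorted(k for k in params
                  if SENSITIVE_NAME.search(k) and k not in mask_fields)


def leaked_values(params, mask_fields):
    """Value-based audit: secrets from masked fields that still reach the log
    because another, unmasked field carries the same value."""
    line = render_log_line(params, mask_fields)
    return sorted({v for k, v in params.items()
                   if k in mask_fields and v and json.dumps(v) in line})


if __name__ == "__main__":
    for label, fields in (("before", MASK_BEFORE), ("after", MASK_AFTER)):
        print(label, render_log_line(SAMPLE_POST, fields))
        print("  unmasked names:", unmasked_sensitive_fields(SAMPLE_POST, fields))
        print("  leaked values :", len(leaked_values(SAMPLE_POST, fields)))
```

The value-based check is the more robust of the two, since it flags a duplicated secret regardless of what the extra form field is called.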