login password can be displayed in plaintext in horizon log

Bug #1793578 reported by Tyler Smith
Affects     Status        Importance  Assigned to   Milestone
StarlingX   Fix Released  Medium      Tyler Smith   -

Bug Description

Title
-----
login password can be displayed in plaintext in horizon log

Brief Description
-----------------
Browsers can autopopulate the 'fake_password' field on the horizon login form, which isn't masked by the operation logger, resulting in plaintext passwords written to horizon.log. I noticed this while using Chrome after letting it remember my login credentials.

Severity
--------
Minor

Steps to Reproduce
------------------
Save password on login using Chrome, log out, log in allowing Chrome to auto-populate fields, check horizon.log.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
BUILD_ID="2018-09-16_21-45-00"

Timestamp/Logs
--------------

2018-09-20 17:57:21,493 [INFO] horizon.operation_log: [admin 4f6a651d11d94c09b56b503619b48eb7] [admin 517b899baf53408db014f81d82d7658a] [POST /auth/login/ 302] parameters:[{"fake_email": "", "username": "admin", "fake_password": "###PLAINTEXT PW HERE###", "region": "http://controller:5000/v3", "next": "/admin/inventory/", "csrfmiddlewaretoken": "gMFBQqWDQGqaTXq3db6acwEyggn2O9o1", "password": "********"}] message:[None]

Changed in starlingx:
assignee: nobody → Tyler Smith (tyler.smith)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-upstream (master)

Reviewed: https://review.openstack.org/604181
Committed: https://git.openstack.org/cgit/openstack/stx-upstream/commit/?id=ae3a377c8872c32cfdd15d5700d9b40b211bbd2a
Submitter: Zuul
Branch: master

commit ae3a377c8872c32cfdd15d5700d9b40b211bbd2a
Author: Tyler Smith <email address hidden>
Date: Thu Sep 20 14:21:01 2018 -0400

    Adding 'fake_password' to the operation logger mask fields

    Change-Id: I140f1a0984c02992909ce8c3afcb5df3536723b3
    Closes-Bug: 1793578
    Signed-off-by: Tyler Smith <email address hidden>
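
As an added illustration (not Horizon's or StarlingX's code), the masking step the report and the fix describe, run over the parameters captured in the log line above: with only 'password' in the mask list the browser-filled 'fake_password' value reaches the log, and adding it to the list redacts it. The field names and the mask token come from the report; the mask list in effect before the fix, the function names, and the broader name-pattern rule at the end are assumptions, and the pattern rule goes beyond the fix itself.

```python
import json
import re

# Constructed sample of the POST parameters shown in the report's log line; the
# reporter's placeholder stands in for the real password in both password fields
# so that a leak is detectable (constructed data, not a captured request).
SAMPLE_PARAMS = {
    "fake_email": "",
    "username": "admin",
    "fake_password": "###PLAINTEXT PW HERE###",
    "region": "http://controller:5000/v3",
    "next": "/admin/inventory/",
    "csrfmiddlewaretoken": "gMFBQqWDQGqaTXq3db6acwEyggn2O9o1",
    "password": "###PLAINTEXT PW HERE###",
}

MASK = "********"  # the token the log line shows for a masked field

# Assumed mask list when the bug was reported (only the real field) and the
# list after the fix adds 'fake_password'.
MASK_FIELDS_BEFORE = ["password"]
MASK_FIELDS_AFTER = ["password", "fake_password"]

# Hypothetical broader rule (not part of the fix): redact any field whose name
# looks credential-like, so honeypot variants need not be listed one by one.
SENSITIVE_NAME = re.compile(r"pass(word)?|secret|token", re.IGNORECASE)


def mask_parameters(params, mask_fields=(), name_pattern=None):
    """Copy of params with a field redacted when its name is in mask_fields
    or matches name_pattern. Stand-in for the logger's masking step."""
    def hide(name):
        return name in mask_fields or bool(name_pattern and name_pattern.search(name))
    return {k: (MASK if hide(k) else v) for k, v in params.items()}


def leaked_fields(params, secret, **mask_kwargs):
    """Names of fields whose logged value still equals the secret."""
    logged = mask_parameters(params, **mask_kwargs)
    return sorted(k for k, v in logged.items() if v == secret)


def format_log_parameters(params, **mask_kwargs):
    """Serialise masked parameters the way the operation log line shows them."""
    return json.dumps([mask_parameters(params, **mask_kwargs)])


if __name__ == "__main__":
    pw = SAMPLE_PARAMS["password"]
    print("before fix:", leaked_fields(SAMPLE_PARAMS, pw, mask_fields=MASK_FIELDS_BEFORE))
    print("after fix: ", leaked_fields(SAMPLE_PARAMS, pw, mask_fields=MASK_FIELDS_AFTER))
    print("by pattern:", leaked_fields(SAMPLE_PARAMS, pw, name_pattern=SENSITIVE_NAME))
    print(format_log_parameters(SAMPLE_PARAMS, mask_fields=MASK_FIELDS_AFTER))
```

Running leaked_fields against a candidate mask list is a cheap regression check to keep beside any login form that grows new honeypot or confirmation fields.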

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
Ghada Khalil (gkhalil) wrote :

Targeting stx.2018.10 as this is a security concern

tags: added: stx.2018.10
Ken Young (kenyis)
tags: added: stx.1.0
removed: stx.2018.10