horizon.log reveals admin_password when any user password is changed using admin account

Bug #2058294 reported by Enzo Candotti
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Enzo Candotti
Milestone: (none listed)

Bug Description

Brief Description
The Horizon logs reveal the admin password during day-to-day operations such as changing the password for other users.

Severity
Major

Steps to Reproduce
    Log in to Horizon GUI.
    tail -f /var/log/horizon/horizon.log
    Try to change the password for any user using the admin account.

Expected Behavior
The admin password should also be encrypted.

Actual Behavior
horizon.log reveals admin_password when any user password is changed using admin account

Reproducibility
100% reproducible

Last Pass
Never tested before.

Alarms
No alarms.

Workaround
No workaround

OpenStack Infra (hudson-openstack) wrote : Fix proposed to gui (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/gui/+/913606

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to gui (master)

Reviewed: https://review.opendev.org/c/starlingx/gui/+/913606
Committed: https://opendev.org/starlingx/gui/commit/f04638e8f849465ba9a55c134b5d6663d4347fe0
Submitter: "Zuul (22348)"
Branch: master

commit f04638e8f849465ba9a55c134b5d6663d4347fe0
Author: Enzo Candotti <email address hidden>
Date: Mon Mar 18 19:40:46 2024 -0300

    Add admin_password to mask_fields

    This change adds the admin_password to the mask_fields in the
    settings.py file, in order to prevent this password from being logged in
    plain text.

    Test Plan:
    PASS: Apply this change and verify that in every user password change,
    the admin_password is masked.

    Closes-bug: 2058294

    Signed-off-by: Enzo Candotti <email address hidden>
    Change-Id: Iba80d682e7bd74c0903dd2f23334f3298229cb2e

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.10.0 stx.gui
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Enzo Candotti (ecandotti)
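
The fix above adds one field name to a mask list. The following added example (not StarlingX or Horizon code) shows, under the assumption that the list is matched against field names exactly, why a credential field missing from the list is logged verbatim, and implements the test-plan check by scanning log lines for secret-looking fields that are not masked. The mask string, the pre-fix field list, the log line layout, the URL and the form values are all constructed for illustration.

```python
import json
import re

MASK = "********"  # assumed mask string
# Assumed pre-fix list; only admin_password is named on the page.
MASK_FIELDS_BEFORE = ["password", "current_password", "confirm_password"]
MASK_FIELDS_AFTER = MASK_FIELDS_BEFORE + ["admin_password"]
SECRET_KEY = re.compile(r"passw(or)?d|secret|token", re.I)

def mask_params(params, mask_fields):
    """Copy params, masking values whose key is exactly in mask_fields."""
    if isinstance(params, dict):
        return {k: MASK if k in mask_fields else mask_params(v, mask_fields)
                for k, v in params.items()}
    if isinstance(params, list):
        return [mask_params(v, mask_fields) for v in params]
    return params

def log_line(params, mask_fields):
    """Constructed log line layout: bracketed fields, JSON parameters last."""
    body = json.dumps(mask_params(params, mask_fields), sort_keys=True)
    return "[admin] [POST] [/constructed/change_password/] [%s]" % body

def unmasked_secrets(line):
    """Names of secret-looking fields in a log line whose value is not masked."""
    start = line.find("[{")
    if start == -1:
        return []
    try:
        node = json.loads(line[start + 1:line.rindex("]")])
    except ValueError:
        return []
    found, stack = [], [node]
    while stack:
        node = stack.pop()
        if isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, dict):
            for key, value in node.items():
                if SECRET_KEY.search(key) and isinstance(value, str) and value != MASK:
                    found.append(key)
                else:
                    stack.append(value)
    return sorted(found)

# Constructed form data: an admin changing another user's password.
FORM = {"name": "alice", "password": "N3w-pass!",
        "confirm_password": "N3w-pass!", "admin_password": "Adm1n-pass!"}
```

Running `unmasked_secrets` over each line of an existing log gives a quick audit for fields that still need to be added to the mask list.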