keystone logs password in log message

Bug #1427533 reported by Haneef Ali
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Critical    Dolph Mathews
OpenStack Security Advisory    Won't Fix     Undecided   Unassigned

Bug Description

The current master branch logs the request at

https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L230

Sample log

(keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST /auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27%3A+%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27domain%27%3A+%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27admin%27%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27password%27%5D%7D%7D

If you URL-decode it, you can easily see the user's password.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Brant Knudson (blk-u) wrote :

I believe this was caused by https://review.openstack.org/#/c/153692/ -- it's only in master.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thanks Brant for the quick feedback!

I opened the bug since it only concerns master; can you please confirm the keystone part and tag it for kilo in order to have it fixed before the release?

information type: Private Security → Public Security
Changed in ossa:
status: Incomplete → Won't Fix
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
status: New → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/160955

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Brant Knudson (blk-u)
Changed in keystone:
milestone: none → kilo-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/160955
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e3a5943e78f3f5afe061f53565f6929351d2133a
Submitter: Jenkins
Branch: master

commit e3a5943e78f3f5afe061f53565f6929351d2133a
Author: Dolph Mathews <email address hidden>
Date: Tue Mar 3 19:44:33 2015 +0000

    log query string instead of openstack.params and request args

    The old code was obviously intending to log the request's query string
    (request parameters), but the "params" variable in the local context
    refers to a combination of the request's routing arguments and the
    openstack.params environment variable.

    Change-Id: I4bb8cf1c9d80383536bbc310df65e9dc90df5cc5
    Closes-Bug: 1427533

Changed in keystone:
status: In Progress → Fix Committed
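The commit message above explains the root cause: the local `params` was the routing arguments merged with the parsed request body, not the query string. The following is an added example, not keystone's own code, that reproduces that logging pattern next to the corrected one and adds a scanner and redactor for request log lines already written to disk (useful when checking whether a deployment ran the affected master code). The auth body and password are constructed dummy values.

```python
"""Added example, not keystone's own code: reproduces the logging pattern the
bug describes, the corrected pattern, and a scanner for already-written logs."""
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed stand-in for the parsed body of POST /auth/tokens (the value the
# WSGI layer exposed as "openstack.params"). The password is a dummy value.
AUTH_BODY = {"auth": {"identity": {"methods": ["password"],
             "password": {"user": {"name": "admin", "password": "dummy-pass"}}}}}

def buggy_log_line(method, path, routing_args, body_params):
    # Pre-fix behaviour: `params` is routing args merged with the parsed
    # request body, and the whole thing is url-encoded as if it were a
    # query string. Any credential in the body lands in the log.
    params = dict(routing_args)
    params.update(body_params)
    query = "&".join("%s=%s" % (quote_plus(k), quote_plus(str(v)))
                     for k, v in params.items())
    return "%s %s?%s" % (method, path, query)

def fixed_log_line(method, path, query_string):
    # Post-fix behaviour: only the request's real query string is logged,
    # so a JSON body (where v3 auth credentials travel) never appears.
    if query_string:
        return "%s %s?%s" % (method, path, query_string)
    return "%s %s" % (method, path)

# Matches a serialised password field after percent-decoding. The optional
# "u" covers the Python 2 unicode repr seen in the bug's sample log line.
_PASSWORD_FIELD = re.compile(
    r"""(["']password["']\s*:\s*u?["'])[^"']*(["'])""", re.IGNORECASE)

def leaks_password(log_line):
    """True if a request log line carries a literal password value."""
    return _PASSWORD_FIELD.search(unquote_plus(log_line)) is not None

def redact(log_line):
    """Decode the line and mask any password value before it is retained."""
    return _PASSWORD_FIELD.sub(r"\1***\2", unquote_plus(log_line))

if __name__ == "__main__":
    line = buggy_log_line("POST", "/auth/tokens", {}, AUTH_BODY)
    print("buggy :", line[:60] + "...", "leaks:", leaks_password(line))
    print("fixed :", fixed_log_line("POST", "/auth/tokens", ""))
    print("redact:", redact(line))
```

Run `leaks_password` over archived keystone logs from the affected window to decide whether credential rotation is needed; `redact` is only a stop-gap for log retention, the real fix is not logging the body at all.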
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0