git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1858186] Re: http_log_request will print debug info include pki certificate which is unsafety


** Description changed:

  when i use pki token,i find nova debug log include the whole pki
  certificate info,is this safety?need to modify?
  
- my request is 
+ my request is
  curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked
  
- debug.log:
- RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwYJKoZIhvcNAQcCoIIBrDCCAagCAQExDTALBglghkgBZQMEAgEwHgYJKoZI\nhvcNAQcBoBEED3sicmV2b2tlZCI6IFtdfTGCAXIwggFuAgEBMEkwPTELMAkGA1UE\nBhMCQ04xDzANBgNVBAoTBkh1YXdlaTEdMBsGA1UEAxMUSHVhd2VpIElUIFByb2R1\nY3QgQ0ECCBWpkSG6QZq3MAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQDF\nbzhT6VPqrir7wnKvxVxH+sYthHMX0Om+OaMecCL+VnQE1wcg7tAAh1LI7Z6qkSAr\nF1FnrQeq6PV+8EbD4ZsvfLisk0NHI8IgnS36dyTznitddX7zPTVl4g3TQVox2Qmm\nnPSYrqDx6bLxDQGcuMANkpbCDrlqmmOio2BMboHi6V6aNRMPdYGYOVAKxuYbt3s8\n3FDEsM/DpEDywdhQiXGL2fa81QaXIuu5LaS1wUbb8IBEtwF8YkZOS7tOWSSUxsZ9\nNdjKEmhBUN4qFg5yTRKU7WLVegrZnwKPFbcdqMbeDVcgGT0bcEhtBIa90uKI50Fb\nB6PVg7DpfJdPTE/fs0QO\n-----END CMS-----\n"}
+ debug.log such as:
+ RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

** Description changed:

  when i use pki token,i find nova debug log include the whole pki
  certificate info,is this safety?need to modify?
  
  my request is
  curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked
  
  debug.log such as:
  RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}
+ 
+ code session.py:
+         if response is not None:
+             if not status_code:
+                 status_code = response.status_code
+             if not headers:
+                 headers = response.headers
+             if not text:
+                 # NOTE(samueldmq): If the response does not provide enough info
+                 # about the content type to decide whether it is useful and
+                 # safe to log it or not, just do not log the body. Trying to
+                 # read the response body anyways may result on reading a long
+                 # stream of bytes and getting an unexpected MemoryError. See
+                 # bug 1616105 for further details.
+                 content_type = response.headers.get('content-type', None)
+ 
+                 # NOTE(lamt): Per [1], the Content-Type header can be of the
+                 # form Content-Type := type "/" subtype *[";" parameter]
+                 # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
+                 for log_type in _LOG_CONTENT_TYPES:
+                     if content_type is not None and content_type.startswith(
+                             log_type):
+                         text = self._remove_service_catalog(response.text)
+                         break
+                 else:
+                     text = ('Omitted, Content-Type is set to %s. Only '
+                             '%s responses have their bodies logged.')
+                     text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
+         if json:
+             text = self._json.encode(json)
+ 
+         string_parts = ['RESP:']
+ 
+         if status_code:
+             string_parts.append('[%s]' % status_code)
+         if headers:
+             for header in six.iteritems(headers):
+                 string_parts.append('%s: %s' % self._process_header(header))
+         if text:
+             string_parts.append('\nRESP BODY: %s\n' % text)

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1858186

Title:
  http_log_request will print debug info include pki certificate which
  is unsafety

Status in keystoneauth:
  Invalid

Bug description:
  when i use pki token,i find nova debug log include the whole pki
  certificate info,is this safety?need to modify?

  my request is
  curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked

  debug.log such as:
  RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

  code session.py:
          if response is not None:
              if not status_code:
                  status_code = response.status_code
              if not headers:
                  headers = response.headers
              if not text:
                  # NOTE(samueldmq): If the response does not provide enough info
                  # about the content type to decide whether it is useful and
                  # safe to log it or not, just do not log the body. Trying to
                  # read the response body anyways may result on reading a long
                  # stream of bytes and getting an unexpected MemoryError. See
                  # bug 1616105 for further details.
                  content_type = response.headers.get('content-type', None)

                  # NOTE(lamt): Per [1], the Content-Type header can be of the
                  # form Content-Type := type "/" subtype *[";" parameter]
                  # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
                  for log_type in _LOG_CONTENT_TYPES:
                      if content_type is not None and content_type.startswith(
                              log_type):
                          text = self._remove_service_catalog(response.text)
                          break
                  else:
                      text = ('Omitted, Content-Type is set to %s. Only '
                              '%s responses have their bodies logged.')
                      text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
          if json:
              text = self._json.encode(json)

          string_parts = ['RESP:']

          if status_code:
              string_parts.append('[%s]' % status_code)
          if headers:
              for header in six.iteritems(headers):
                  string_parts.append('%s: %s' % self._process_header(header))
          if text:
              string_parts.append('\nRESP BODY: %s\n' % text)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1858186/+subscriptions