Reviewed:  https://review.openstack.org/539534
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1941d34e5cecf33090e73665034a8196b220e690
Submitter: Zuul
Branch:    master

commit 1941d34e5cecf33090e73665034a8196b220e690
Author: Akihiro Motoki <[email protected]>
Date:   Mon Jan 22 09:20:16 2018 +0900

    operation_log: Mask more password fields by default

    Change-Id: I69283a2b692d1fca93aad1d5ed26a29de4e0e4a9
    Closes-Bug: #1744609

** Changed in: horizon
       Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1744609

Title:
  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  This issue is being treated as a potential security risk under embargo.
  Please do not make any public mention of embargoed (private) security
  vulnerabilities before their coordinated publication by the OpenStack
  Vulnerability Management Team in the form of an official OpenStack
  Security Advisory. This includes discussion of the bug or associated
  fixes in public forums such as mailing lists, code review systems and
  bug trackers. Please also avoid private disclosure to other individuals
  not already approved for access to this information, and provide this
  same reminder to those who are made aware of the issue prior to
  publication. All discussion should remain confined to this private bug
  report, and any proposed fixes should be added to the bug as
  attachments.

  --

  If the operation log is enabled (disabled by default) and the default
  value of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries
  to change his/her password from the "Change Password" panel
  (http://<dashboard-site>/settings/password/), both current and new
  passwords will be logged in the operation log like below. The same thing
  happens in the "Change Password" action in the Identity User panel.

  ----
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] [c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] [/settings/password/] [error: Unauthorized: Unable to change password., error: Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", "fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": "NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
  ----

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should include
  "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to
  ['password', 'current_password', 'new_password', 'confirm_password']
  in local_settings.py.
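The following is an added illustration, not Horizon's OperationLogMiddleware and not code from the bug report. It models the masking behaviour the report describes (a parameter is replaced only when its key is listed in mask_fields) with the pre-fix default ['password'] beside the setting the report recommends, and adds a scanner an operator can run over an existing operation log to find lines where password fields were already recorded in clear. Exact-key matching and the '********' placeholder are assumptions about the middleware; the POST body and the log line are the ones quoted in the report.

```python
import json

# Pre-fix default beside the operators' recommended setting; both values
# are taken from the bug report text.
DEFAULT_MASK_FIELDS = ['password']
RECOMMENDED_MASK_FIELDS = ['password', 'current_password',
                           'new_password', 'confirm_password']

# Assumed placeholder; Horizon's actual literal may differ.
MASKED = '********'

# Keys whose values are passwords on the Change Password form.
SECRET_KEYS = {'current_password', 'new_password', 'confirm_password'}

# POST body modelled on the one quoted in the report (constructed).
CHANGE_PASSWORD_POST = {
    "fake_email": "",
    "fake_password": "",
    "new_password": "NEW-PASSWORD",
    "confirm_password": "NEW-PASSWORD",
    "current_password": "CURRENT-PASSWORD",
    "csrfmiddlewaretoken":
        "SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo",
}

# The operation-log line quoted in the report, used as scanner input.
SAMPLE_LOG_LINE = (
    '[None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] '
    '[c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] '
    '[/settings/password/] [error: Unauthorized: Unable to change password., '
    'error: Unauthorized. Please try logging in again.] [POST] [403] '
    '[' + json.dumps(CHANGE_PASSWORD_POST) + ']'
)


def mask_params(params, mask_fields):
    """Copy of a POST dict with listed keys replaced by the placeholder.

    Matching is by exact key name (assumed), which is why a default of
    ['password'] leaves 'current_password', 'new_password' and
    'confirm_password' untouched: they are distinct keys, not variants.
    """
    return {k: (MASKED if k in mask_fields else v) for k, v in params.items()}


def leaked_secrets(params, mask_fields, secret_keys):
    """Sorted names of secret keys whose values would reach the log."""
    masked = mask_params(params, mask_fields)
    return sorted(k for k in secret_keys
                  if masked.get(k) not in (None, '', MASKED))


def render_log_entry(params, mask_fields):
    """The JSON that lands in the last bracketed field of the log line."""
    return json.dumps(mask_params(params, mask_fields), sort_keys=True)


def unmasked_in_log_line(line, secret_keys):
    """Scan one already-written operation-log line for clear-text secrets.

    Relies on the parameter JSON being the last bracketed field of the
    line and on its content not containing the sequence '}]'.
    """
    start = line.rfind('[{')
    end = line.rfind('}]')
    if start < 0 or end < start:
        return []
    params = json.loads(line[start + 1:end + 1])
    return sorted(k for k in secret_keys
                  if params.get(k) not in (None, '', MASKED))


if __name__ == '__main__':
    for name, fields in (('default', DEFAULT_MASK_FIELDS),
                         ('recommended', RECOMMENDED_MASK_FIELDS)):
        print(name, 'leaks:', leaked_secrets(CHANGE_PASSWORD_POST, fields,
                                            SECRET_KEYS))
        print('  ', render_log_entry(CHANGE_PASSWORD_POST, fields))
    print('already in log:', unmasked_in_log_line(SAMPLE_LOG_LINE, SECRET_KEYS))
```

Changing mask_fields only affects entries written from then on; lines such as the one quoted above were recorded in clear and need to be found and purged, which is what unmasked_in_log_line is for. The quoted line also carries the csrfmiddlewaretoken value; the report and the fix concern the password fields only, so the token is not in SECRET_KEYS here.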

