Pulp logs the length of the database password at debug level
Description of problem:
Pulp logs the database connection parameters at the debug level, substituting each character of the database password with an asterisk. An attacker could learn the length of the database password by counting the asterisks. We should instead use a static string in this field.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure Pulp to use the DEBUG log level
2. Ensure that your syslog shows DEBUG messages.
3. Configure Pulp to use a username/password on the Mongo connection. (It is probably not important to actually configure Mongo to do this for this test.)
4. Watch the log when you start Pulp.
In the log, you will see the DB connection params logged, and the password will be transformed to asterisks, with one asterisk per character of your password. You can try varying the password to confirm this.
The log should not include hints about the length of the password.
+ This bug was cloned from Bugzilla Bug #1190824 +
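The masking behaviour described in this report, next to the static-string form it asks for, as an added example (not Pulp's code). The `password` key name, the `[REDACTED]` placeholder, the sample connection parameters and all function names are assumptions made for illustration.

```python
import logging

REDACTED = "[REDACTED]"        # static placeholder, identical for every password
SENSITIVE_KEYS = {"password"}  # assumed key name, not taken from Pulp's code


def mask_per_character(params):
    """Behaviour described in the report: one asterisk per password character."""
    return {k: "*" * len(v or "") if k in SENSITIVE_KEYS else v
            for k, v in params.items()}


def mask_static(params):
    """Hardened form: a fixed string whatever the password is (even empty)."""
    return {k: REDACTED if k in SENSITIVE_KEYS else v for k, v in params.items()}


def leaks_length(masker, lengths=(0, 1, 8, 64)):
    """Regression check: True if the masked output changes when only the
    password length changes (passwords here are constructed test values)."""
    base = {"host": "db.example.test", "username": "pulp"}  # constructed sample
    rendered = {repr(masker({**base, "password": "x" * n})) for n in lengths}
    return len(rendered) > 1


def log_connection(logger, params, masker=mask_static):
    """Log connection parameters at DEBUG, masking the secret first."""
    line = "Database connection parameters: %r" % (masker(params),)
    logger.debug(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("example")
    # Constructed sample parameters, not a real configuration.
    sample = {"host": "db.example.test", "username": "pulp", "password": "hunter2"}
    log_connection(log, sample, mask_per_character)  # one asterisk per character
    log_connection(log, sample)                      # fixed placeholder
    print("per-character leaks length:", leaks_length(mask_per_character))
    print("static string leaks length:", leaks_length(mask_static))
```

Running `leaks_length` against whatever masking function a project uses gives a unit test that fails if per-character masking is reintroduced.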
#3 Updated by firstname.lastname@example.org almost 7 years ago
Verified with https://bugzilla.redhat.com/show_bug.cgi?id=1182279#c5
+ This comment was cloned from Bugzilla #1190824 comment 3 +