Issue #691

Pulp logs the length of the database password at debug level

Added by rbarlow almost 7 years ago. Updated almost 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
2.6 Beta
Platform Release:
2.6.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:
Pulp logs the database connection parameters at the debug level, substituting each character of the database password with an asterisk. An attacker could learn the length of the database password by counting the asterisks. We should instead use a static string in this field.

Version-Release number of selected component (if applicable):
2.6 beta

How reproducible:
Every time

Steps to Reproduce:
1. Configure Pulp to use the DEBUG log level
2. Ensure that your syslog shows DEBUG messages.
3. Configure Pulp to use a username/password on the Mongo connection. (It is probably not important to actually configure Mongo to do this for this test.)
4. Watch the log when you start Pulp.

Actual results:
In the log, you will see the DB connection params logged, and the password will be transformed to asterisks, with one asterisk per character of your password. You can try varying the password to confirm this.

Expected results:
The log should not include hints about the length of the password.

+ This bug was cloned from Bugzilla Bug #1190824 +
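The masking defect described above, shown beside a fixed-width replacement, as an added example that is not Pulp's own code: `mask_leaky` reproduces the one-asterisk-per-character behaviour, `mask_fixed` substitutes a constant placeholder, and `leaks_length` is a check that renders the same connection parameters with two passwords of different length and reports whether the output changes. The parameter names and sample values are constructed for this example and are not taken from Pulp's configuration.

```python
import logging
from typing import Any, Callable, Mapping

# Hypothetical connection parameters, constructed for this example (not Pulp's config).
SAMPLE_PARAMS = {
    "host": "localhost",
    "port": 27017,
    "username": "pulp",
    "password": "s3cr3t-passw0rd",
}

# Fixed-width placeholder: its length says nothing about the real secret.
REDACTED = "********"


def mask_leaky(params: Mapping[str, Any]) -> dict:
    """The behaviour the issue describes: one asterisk per password character.

    The masked value still has len(password) characters, so a DEBUG log line
    that includes it discloses the password length.
    """
    masked = dict(params)
    if masked.get("password") is not None:
        masked["password"] = "*" * len(str(masked["password"]))
    return masked


def mask_fixed(params: Mapping[str, Any]) -> dict:
    """The corrected behaviour: a constant placeholder independent of the secret."""
    masked = dict(params)
    if masked.get("password") is not None:
        masked["password"] = REDACTED
    return masked


def leaks_length(mask_fn: Callable[[Mapping[str, Any]], dict],
                 params: Mapping[str, Any]) -> bool:
    """Render the same parameters with a 1-character and a 32-character password.

    If the two rendered strings differ, the masking function leaks the
    password length into whatever is logged.
    """
    short = dict(params, password="a")
    long_ = dict(params, password="a" * 32)
    return repr(mask_fn(short)) != repr(mask_fn(long_))


def log_connection(params: Mapping[str, Any],
                   mask_fn: Callable[[Mapping[str, Any]], dict] = mask_fixed,
                   logger: logging.Logger = None) -> str:
    """Log the connection parameters at DEBUG level after masking; return the rendered text."""
    logger = logger or logging.getLogger("example.db")
    rendered = repr(mask_fn(params))
    logger.debug("Connecting to database with parameters: %s", rendered)
    return rendered


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("per-character masking leaks length:", leaks_length(mask_leaky, SAMPLE_PARAMS))  # True
    print("fixed placeholder leaks length:", leaks_length(mask_fixed, SAMPLE_PARAMS))  # False
    log_connection(SAMPLE_PARAMS)
```

The check in `leaks_length` is the one worth keeping around: any masking helper that passes it can be logged at any level without revealing how long the credential is, whereas the per-character version fails it by construction.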

History

#2 Updated by cduryee almost 7 years ago

2.6.0-0.7.beta

+ This comment was cloned from Bugzilla #1190824 comment 2 +

#4 Updated by bmbouter almost 7 years ago

  • Triaged changed from No to Yes

#5 Updated by bmbouter almost 7 years ago

  • Severity changed from High to 3. High

#6 Updated by rbarlow almost 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#8 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added
