Issue #691
Status: closed
Pulp logs the length of the database password at debug level
Description
Description of problem:
Pulp logs the database connection parameters at the debug level, substituting each character of the database password with an asterisk. An attacker could learn the length of the database password by counting the asterisks. We should instead use a static string in this field.
Version-Release number of selected component (if applicable):
2.6 beta
How reproducible:
Every time
Steps to Reproduce:
1. Configure Pulp to use the DEBUG log level
2. Ensure that your syslog shows DEBUG messages.
3. Configure Pulp to use a username/password on the Mongo connection. (It is probably not important to actually configure Mongo to do this for this test.)
4. Watch the log when you start Pulp.
Actual results:
In the log, you will see the DB connection params logged, and the password will be transformed to asterisks, with one asterisk per character of your password. You can try varying the password to confirm this.
Expected results:
The log should not include hints about the length of the password.
+ This bug was cloned from Bugzilla Bug #1190824 +
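The two redaction strategies the report contrasts, as an added example that is not Pulp's own code (the function and parameter names below are hypothetical). The leaky variant masks the password with one asterisk per character, so the log line length reveals the password length; the fixed variant substitutes a constant string. `leaks_length` is the check a reviewer can apply to any redaction routine: if two passwords of different lengths produce different log output, the routine is leaking.

```python
import logging

# Constant placeholder: its length is fixed, so it reveals nothing about the real password.
MASK = "********"

# Constructed sample connection parameters (not real credentials).
SHORT_PW_PARAMS = {"host": "db.example.invalid", "username": "pulp", "password": "hunter2"}
LONG_PW_PARAMS = {"host": "db.example.invalid", "username": "pulp",
                  "password": "correct horse battery staple"}


def redact_leaky(params):
    """Behaviour described in the issue: one '*' per password character.

    The masked value has the same length as the password, so a reader of the
    debug log learns the password length by counting asterisks.
    """
    safe = dict(params)  # never mutate the caller's connection parameters
    if "password" in safe and safe["password"] is not None:
        safe["password"] = "*" * len(safe["password"])
    return safe


def redact_fixed(params):
    """Corrected behaviour: a static string whenever a password key is present.

    Masking even an empty password avoids revealing that it is empty.
    """
    safe = dict(params)
    if "password" in safe:
        safe["password"] = MASK
    return safe


def format_params(safe):
    """Render parameters the way a debug log line would, in a stable key order."""
    return ", ".join("%s=%s" % (key, safe[key]) for key in sorted(safe))


def leaks_length(redact):
    """True if the redaction routine produces different log text for passwords
    that differ only in length, i.e. the log carries length information."""
    line_short = format_params(redact(SHORT_PW_PARAMS))
    line_long = format_params(redact(LONG_PW_PARAMS))
    return line_short != line_long


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    log = logging.getLogger("pulp.db")
    log.debug("leaky: connecting with %s", format_params(redact_leaky(SHORT_PW_PARAMS)))
    log.debug("fixed: connecting with %s", format_params(redact_fixed(SHORT_PW_PARAMS)))
    print("leaky redaction leaks length:", leaks_length(redact_leaky))
    print("fixed redaction leaks length:", leaks_length(redact_fixed))
```

Running the script logs both forms at DEBUG level; the leaky line is visibly longer for the longer password, while the fixed line is identical for both, which is the property the expected-results section asks for.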
Updated by rbarlow about 8 years ago
https://github.com/pulp/pulp/pull/1616
+ This comment was cloned from Bugzilla #1190824 comment 1 +
Updated by cduryee about 8 years ago
2.6.0-0.7.beta
+ This comment was cloned from Bugzilla #1190824 comment 2 +
Updated by igulina@redhat.com about 8 years ago
Verified with https://bugzilla.redhat.com/show_bug.cgi?id=1182279#c5
+ This comment was cloned from Bugzilla #1190824 comment 3 +
Updated by rbarlow almost 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE