[ https://issues.apache.org/jira/browse/CLOUDSTACK-10423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17248755#comment-17248755 ]
ASF subversion and git services commented on CLOUDSTACK-10423:
--------------------------------------------------------------

Commit 2aa7fac9ac2edf015e971d6d9ff63b121993b009 in cloudstack's branch refs/heads/master from lujiefsi
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=2aa7fac ]

CLOUDSTACK-10423:Potential sensitive information disclosure (#4536)

* fixing CLOUDSTACK-10423

* make the message clear

Co-authored-by: lujie <lu...@foxmail.com>

> Potential sensitive information disclosure
> --------------------------------------------
>
>                 Key: CLOUDSTACK-10423
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10423
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>            Reporter: lujie
>            Priority: Major
>
> As shown at
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/plugins/storage/image/default/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java#L92]
> the url could contain a password or other sensitive information.
> We have sanitized the url before logging, but when we provide an invalid URL
> which still has sensitive information, the url will be wrapped into an
> exception at
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/plugins/storage/image/default/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java#L117]
> and the exception will be printed at
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L639]
> or
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L747]
> or
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L2472]
> or
> [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L2260]
> We should provide the detailed information to the client without sensitive
> information.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
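The failure mode described in the issue, shown as an added example that is not CloudStack's code or the committed fix: a URL that fails to parse is copied into an exception message, bypassing the sanitizing done on the logging path. The class, the `redactUrl` helper, the message text and the sample URL are all hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class UrlErrorRedaction {
    // Hypothetical helper (not a CloudStack API). Regex-based on purpose: it must
    // also work on strings that java.net.URI refuses to parse.
    static String redactUrl(String url) {
        if (url == null) return null;
        return url
            // scheme://user:pass@host -> scheme://****@host
            .replaceAll("(?i)^([a-z][a-z0-9+.-]*://)[^/?#]*@", "$1****@")
            // ?password=value -> ?password=****
            .replaceAll("(?i)([?&;](?:password|passwd|pwd)=)[^&;#]*", "$1****");
    }

    // Before: the raw URL goes into the message, and URISyntaxException.getMessage()
    // also embeds the full input, so chaining it as the cause leaks a second copy.
    static URI parseLeaky(String url) {
        try {
            return new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(url + " is not a valid uri", e);
        }
    }

    // After: only the redacted form, the parser's reason and the error index are
    // reported; the original exception is deliberately not chained.
    static URI parseRedacted(String url) {
        try {
            return new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(String.format(
                "%s is not a valid uri: %s at index %d",
                redactUrl(url), e.getReason(), e.getIndex()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the space in the password makes the URL unparseable.
        String url = "cifs://admin:S3cr3t pass@10.0.0.5/share?password=S3cr3t pass";
        for (boolean redact : new boolean[] {false, true}) {
            try {
                URI ignored = redact ? parseRedacted(url) : parseLeaky(url);
            } catch (IllegalArgumentException e) {
                System.out.println((redact ? "redacted: " : "leaky:    ") + e.getMessage());
            }
        }
    }
}
```

The userinfo pattern stops at the first `/`, `?` or `#`, so a password containing one of those characters is not fully masked; where that matters, report only the scheme and the parser's reason instead of any part of the URL.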