[Yahoo-eng-team] [Bug 1744609] Re: operation log: user passwords are logged by default setting

Thu, 15 Feb 2018 09:42:06 -0800 

Seeing no objection to report class B1, I'm marking our OSSA task as
won't fix. We can revisit if a case is made for class A with backported
fixes.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1744609

Title:
  operation log: user passwords are logged by default setting

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  If the operation log is enabled (disabled by default) and the default value 
of OPERATION_LOG_OPTIONS['mask_fields'] is used, when a user tries to change 
his/her password from "Change Password" panel 
(http://<dashboard-site>/settings/password/), both current and new passwords 
will be logged in the operation log like below.
  The same thing happens in "Change Password" action in the Identity User panel.
  ----
  [None] [None] [demo] [d65075f0e4964b8d9ccb57ddcce8fbbb] [admin] 
[c90eec6eb48d4bcc988e8cebf9ce80fa] [http] [/settings/password/] 
[/settings/password/] [error: Unauthorized: Unable to change password., error: 
Unauthorized. Please try logging in again.] [POST] [403] [{"fake_email": "", 
"fake_password": "", "new_password": "NEW-PASSWORD", "confirm_password": 
"NEW-PASSWORD", "current_password": "CURRENT-PASSWORD", "csrfmiddlewaretoken": 
"SEuuWLJlUPNUZzC6aCQkIQxyFuQPCjcahqnuZ8CYthDd4GNr76UC5EQYTAZzbdeo"}]
  ----

  The default value of OPERATION_LOG_OPTIONS['mask_fields'] should
  include "current_password", "new_password" and "confirm_password".

  Operators who enable the operation log feature are recommended to set
  OPERATION_LOG_OPTIONS['mask_fields'] to ['password',
  'current_password', 'new_password', 'confirm_password'] in
  local_settings.py.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1744609/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to