osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1708122] Re: Don't return back the sensitive information to user


Reviewed:  https://review.openstack.org/490320
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=8cdfc3b293027292d21974b8152f42426d1f61ae
Submitter: Zuul
Branch:    master

commit 8cdfc3b293027292d21974b8152f42426d1f61ae
Author: huangtianhua <huangtianhua at huawei.com>
Date:   Thu Aug 3 11:56:11 2017 +0800

    Don't return the sensitive information to user
    
    We return back the sensitive information to user
    when some exceptions happened, for example,
    when DBError happened, we return the whole sql
    statement to user, it's not safe.
    This patch changes to return the message if the
    exception is the HeatException, otherwise the message
    won't be revealed to user.
    
    Change-Id: I6e01b1003a39106274e79c3b413917a30b5651b6
    Closes-Bug: #1708122


** Changed in: heat
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1708122

Title:
  Don't return back the sensitive information to user

Status in OpenStack Heat:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  We return back the sensitive information to user when some exception happen, for example, when DBError happened, we will return the whole sql statement to user, it's not safe, also we return the traceback to user, it's not necessary.
  Maybe we can do the same thing like nova and cinder to add an attribute 'safe' for some exceptions to decide whether to return the information like the error message details to user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1708122/+subscriptions