Posted to issues@cloudstack.apache.org by "Min Chen (JIRA)" <ji...@apache.org> on 2013/12/04 00:41:36 UTC

[jira] [Created] (CLOUDSTACK-5355) addImageStore should not log password in clear text in the log

Min Chen created CLOUDSTACK-5355:
------------------------------------

             Summary: addImageStore should not log password in clear text in the log
                 Key: CLOUDSTACK-5355
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5355
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: API
    Affects Versions: 4.2.0
            Reporter: Min Chen
            Assignee: Min Chen
            Priority: Critical
             Fix For: 4.3.0


For cifs, addImageStore is currently logging everything including username, password and domain in clear text in the logs, which are specified in the query parameter url for the image store.
Here's an extract from the logs: (obscured actual pwd)

2013-11-26 12:03:35,703 DEBUG [c.c.a.ApiServlet] (catalina-exec-13:ctx-f0723f52) ===START=== 10.104.255.45 – GET command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899
2013-11-26 12:03:35,741 INFO [o.a.c.s.d.l.CloudStackImageStoreLifeCycleImpl] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) Trying to add a new data store at cifs://10.102.192.150/SMB-Share/sowmya/secondary?user=sowmya&password=XXX@123&domain=BLR to data center 1
2013-11-26 12:03:35,776 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) foundUser istrue
2013-11-26 12:03:35,777 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) foundPswd istrue
2013-11-26 12:03:36,011 DEBUG [c.c.a.ApiServlet] (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) ===END=== 10.104.255.45 – GET command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXX%40123%26domain%3DBLR&_=1385447356899




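One way to mask the credential before a request string or store URL reaches the logger, covering both the percent-encoded form seen in the ApiServlet lines and the decoded form seen in the CloudStackImageStoreLifeCycleImpl line. This is an added example, not CloudStack's code or the fix applied for this issue; `LogRedactor`, `redact` and the sample strings are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

// Added example, not CloudStack code: LogRedactor and redact() are hypothetical names.
public final class LogRedactor {
    private static final String MASK = "****";

    // Decoded form, as in the lifecycle log line:
    //   ...?user=...&password=VALUE&domain=...
    // The value runs until the next '&' or whitespace.
    private static final Pattern RAW =
        Pattern.compile("(?i)(password=)[^&\\s]*");

    // Percent-encoded form, as in the ===START===/===END=== lines, where the
    // store URL is nested inside the url= query parameter:
    //   ...password%3DVALUE%26domain%3D...
    // The value ends at an encoded '&' (%26), not at the first '%', because the
    // value itself can contain escapes such as %40.
    private static final Pattern ENCODED =
        Pattern.compile("(?i)(password%3D)(?:(?!%26)[^&\\s])*");

    private LogRedactor() {}

    // Returns the message with every password value replaced by a fixed mask.
    public static String redact(String message) {
        if (message == null) {
            return null;
        }
        String out = ENCODED.matcher(message).replaceAll("$1" + MASK);
        return RAW.matcher(out).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the log extract; host, user and password are made up.
        String[] samples = {
            "GET command=addImageStore&name=SS1&provider=SMB&url=cifs%3A%2F%2F192.0.2.10"
                + "%2Fshare%3Fuser%3Dalice%26password%3DS3cret%401%26domain%3DLAB&_=1",
            "Trying to add a new data store at cifs://192.0.2.10/share"
                + "?user=alice&password=S3cret@1&domain=LAB to data center 1"
        };
        for (String s : samples) {
            String safe = redact(s);
            if (safe.contains("S3cret")) {
                throw new IllegalStateException("password leaked: " + safe);
            }
            System.out.println(safe);
        }
    }
}
```

The same treatment can be extended to the `user` and `domain` keys if those are also considered sensitive in the deployment.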