Min Chen created CLOUDSTACK-5355:
------------------------------------
Summary: addImageStore should not log password in clear text in the log
Key: CLOUDSTACK-5355
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5355
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: API
Affects Versions: 4.2.0
Reporter: Min Chen
Assignee: Min Chen
Priority: Critical
Fix For: 4.3.0
For cifs, addImageStore currently logs everything in clear text, including the username,
password and domain that are specified in the query parameter url for the image store.
Here's an extract from the logs (the actual password is obscured):
2013-11-26 12:03:35,703 DEBUG [c.c.a.ApiServlet]
(catalina-exec-13:ctx-f0723f52) ===START=== 10.104.255.45 – GET
command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899
2013-11-26 12:03:35,741 INFO [o.a.c.s.d.l.CloudStackImageStoreLifeCycleImpl]
(catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) Trying to add a new data store at
cifs://10.102.192.150/SMB-Share/sowmya/secondary?user=sowmya&password=XXX@123&domain=BLR
to data center 1
2013-11-26 12:03:35,776 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52
ctx-547cfc1f) foundUser istrue
2013-11-26 12:03:35,777 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52
ctx-547cfc1f) foundPswd istrue
2013-11-26 12:03:36,011 DEBUG [c.c.a.ApiServlet] (catalina-exec-13:ctx-f0723f52
ctx-547cfc1f) ===END=== 10.104.255.45 – GET
command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXX%40123%26domain%3DBLR&_=1385447356899
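A log-sanitizing helper of the kind this fix calls for, added here as an example and not CloudStack's own code: it masks the `password` value both inside the URL-encoded `url` parameter of the API request line and in the decoded cifs URL, and, as an assumption that goes beyond the reported issue, also the `sessionkey` parameter that appears on the same ===START=== line. The sample strings are constructed in the shape of the log extract above.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys whose values must never reach a log file. "password" is the key
# this issue is about; "sessionkey" is an assumption added here because the
# same ===START=== line also carries the caller's session key.
SENSITIVE_KEYS = {"password", "sessionkey"}
MASK = "REDACTED"

def mask_query(query: str) -> str:
    """Replace the value of every sensitive key in a query string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs])

def mask_store_url(url: str) -> str:
    """Mask credentials in an image store URL such as cifs://host/share?user=..&password=.."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=mask_query(parts.query)))

def mask_api_request(query: str) -> str:
    """Mask the API query string ApiServlet logs: sensitive top-level keys, plus
    the credentials nested inside the URL-encoded url= parameter of addImageStore."""
    masked = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            value = MASK
        elif key.lower() == "url":
            value = mask_store_url(value)  # credentials live in the nested query
        masked.append((key, value))
    return urlencode(masked)

# Fallback for free-form log text whose structure is unknown: the value runs
# until the next separator, whether the text is URL-encoded (%3D / %26) or not.
_SECRET_RE = re.compile(r"(?i)(?<![a-z])(password|sessionkey)(=|%3D)[^&\s]*?(?=%26|&|\s|$)")

def scrub_log_line(line: str) -> str:
    """Mask sensitive values anywhere in an already-formatted log line."""
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", line)

# Constructed samples in the shape of the ===START=== and "Trying to add" lines above.
REQUEST = ("command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D"
           "&name=SS1&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary"
           "%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899")
STORE_LINE = ("Trying to add a new data store at cifs://10.102.192.150/SMB-Share/sowmya/"
              "secondary?user=sowmya&password=XXX@123&domain=BLR to data center 1")

if __name__ == "__main__":
    print(mask_api_request(REQUEST))
    print(scrub_log_line(STORE_LINE))
```

The structured functions are what the API layer should apply before logging; the regex fallback is only a safety net for text that has already been formatted.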
--
This message was sent by Atlassian JIRA (v6.1#6144)