Bug 1686021

Summary: exposure of database information on API login request
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: API
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA
QA Contact: Parthvi Vala <pvala>
Severity: medium
Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: medium
Version: 5.9.5
CC: dmetzger, gtanzill, jocarter, obarenbo, pvala, simaishi
Target Milestone: GA
Keywords: ZStream
Target Release: 5.10.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.10.2.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1661445
Environment:
Last Closed: 2019-04-02 07:46:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1661445
Bug Blocks:

Comment 2 CFME Bot 2019-03-06 15:03:38 UTC
New commit detected on ManageIQ/manageiq-api/hammer:

https://github.com/ManageIQ/manageiq-api/commit/93195015aedcfd90fc5733a8ca22aa03fc083934
commit 93195015aedcfd90fc5733a8ca22aa03fc083934
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Thu Jan 10 17:40:12 2019 -0500
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Thu Jan 10 17:40:12 2019 -0500

    Merge pull request #537 from jvlcek/bz_1661445_error_w_sql

    Remove SQL select from exception error messages.

    (cherry picked from commit 325a5a105a7aefc4c6864823890f72a071c14360)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1686021

 app/controllers/api/base_controller/authentication.rb | 4 +-
 lib/services/api/error_serializer.rb | 12 +-
 spec/lib/services/api/error_serializer_spec.rb | 58 +
 3 files changed, 71 insertions(+), 3 deletions(-)

Comment 3 Parthvi Vala 2019-03-13 08:09:26 UTC
FIXED. Verified on 5.10.2.0.20190311164858_455d270.

Request: curl -k -u admin:smartvm -H "Accept: application/json" -H "Authorization: Basic Testing" -i -X GET "https://192.168.122.56/api/auth?requester=ui"

Response: {"error":{"kind":"unauthorized","message":"PG::CharacterNotInRepertoire: ERROR:  invalid byte sequence for encoding \"UTF8\": 0xeb 0x2d 0x8a\n:","klass":"Api::AuthenticationError"}}

No SQL query in the response.
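
Added example, not code from manageiq-api or from the commit referenced in Comment 2. It models the serializer-side fix the commit message describes ("Remove SQL select from exception error messages"): ActiveRecord builds an ActiveRecord::StatementInvalid message as the driver error text followed by ": " and the failing SQL statement, so before the fix an API error body echoed the whole SELECT to the caller. The trigger in Comment 3 shows why that matters on an authentication endpoint: "Testing" base64-decodes to the bytes 4d eb 2d 8a 78, and 0xeb 0x2d 0x8a are exactly the bytes PostgreSQL rejects in the response, meaning the decoded user id reached the database as a query literal, with no valid credentials presented. The code below keeps only the driver's primary error line (dropping the appended statement and the LINE/DETAIL lines PostgreSQL adds, which can quote the statement or row values), scrubs invalid bytes before string handling (String#rstrip raises on them), and offers a fixed message for pre-authentication endpoints. The names ApiErrorBody and StatementInvalid (a local stand-in for ActiveRecord::StatementInvalid so the example runs without Rails), and both sample messages, are assumptions for this example; the appended SELECT statements are invented, not the ones CloudForms ran.

```ruby
require "json"

# Local stand-in for ActiveRecord::StatementInvalid so the example runs
# without Rails. Rails builds that exception's message as
# "#{driver_error.class}: #{driver_error.message}: #{sql}", the shape
# modelled by the constructed samples below.
class StatementInvalid < StandardError; end

module ApiErrorBody
  # PostgreSQL driver messages end in "\n", so the appended statement
  # starts after the first "\n: ".
  SQL_SEPARATOR = "\n: ".freeze

  # The message may be tagged UTF-8 yet hold invalid bytes (this bug was
  # triggered by such bytes); String#rstrip raises on those, so scrub
  # before touching the text.
  def self.utf8(str)
    str.dup.force_encoding(Encoding::UTF_8).scrub("?")
  end

  # Reduce a database error message to the driver's primary error line.
  # This drops the SQL statement ActiveRecord appends and the LINE/DETAIL/
  # HINT/caret lines PostgreSQL adds, both of which can quote the statement
  # or the row values involved.
  def self.strip_sql(message)
    driver_text = utf8(message).split(SQL_SEPARATOR, 2).first.to_s
    driver_text.lines.first.to_s.rstrip
  end

  # Build the {"error":{"kind","message","klass"}} body the API returns.
  # Database errors are sanitized; on endpoints reachable without valid
  # credentials pass expose_db_error: false to return a fixed message.
  # The full text, statement included, goes to `log` (server side only).
  def self.serialize(exception, kind:, expose_db_error: true, log: nil)
    message = exception.message
    if exception.is_a?(StatementInvalid)
      message = utf8(message)
      log&.call("#{exception.class}: #{message}")
      message = expose_db_error ? strip_sql(message) : "Database error"
    end
    JSON.generate("error" => { "kind" => kind, "message" => message,
                               "klass" => exception.class.name })
  end
end

# Constructed samples (not captured from CloudForms). The first mirrors the
# response quoted in Comment 3, with an invented SELECT appended and the
# user id that the base64 header decodes to ("M\xEB-\x8Ax") as its literal.
BAD_BYTES_RAW = "PG::CharacterNotInRepertoire: ERROR:  invalid byte sequence " \
                "for encoding \"UTF8\": 0xeb 0x2d 0x8a\n" \
                ": SELECT \"users\".* FROM \"users\" WHERE \"users\".\"userid\" = " \
                "'M\xEB-\x8Ax' LIMIT 1"
# A syntax error: PostgreSQL itself echoes the statement in a "LINE 1:" line,
# so stripping only the appended statement would still leak it.
SYNTAX_RAW = "PG::SyntaxError: ERROR:  syntax error at or near \"FROM\"\n" \
             "LINE 1: SELECT FROM \"users\" WHERE \"users\".\"userid\" = 'admin'\n" \
             "               ^\n" \
             ": SELECT FROM \"users\" WHERE \"users\".\"userid\" = 'admin'"

if __FILE__ == $PROGRAM_NAME
  puts ApiErrorBody.serialize(StatementInvalid.new(BAD_BYTES_RAW), kind: "unauthorized")
  puts ApiErrorBody.serialize(StatementInvalid.new(SYNTAX_RAW), kind: "bad_request")
  puts ApiErrorBody.serialize(StatementInvalid.new(BAD_BYTES_RAW),
                              kind: "unauthorized", expose_db_error: false,
                              log: $stderr.method(:puts))
end
```

In a real controller the wrapping exception class would be reported (the page shows "Api::AuthenticationError"), and the sanitized body still names the driver class and error; whether even that much should reach an unauthenticated caller is a per-endpoint decision, which is what the expose_db_error switch is for.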

Comment 5 errata-xmlrpc 2019-04-02 07:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0694