Bug 1715725

Summary: Sending credentials in query string logs them in ovirt-request-logs
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: ovirt-engine
Assignee: Ori Liel <oliel>
Status: CLOSED ERRATA
QA Contact: Guilherme Santos <gdeolive>
Severity: low
Priority: unspecified
Version: 4.3.0
CC: lleistne, mperina, mtessun
Target Milestone: ovirt-4.4.0
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2020-08-04 13:19:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---

Description Germano Veit Michel 2019-05-31 05:32:38 UTC
Description of problem:

When using the REST API, if a user mistakenly sends the login credentials in the query string (not in the request body), the username/password are logged in the RHV-M logs:
- /var/log/httpd/ovirt-requests-log
- /var/log/httpd/ssl_access_log
- /var/log/httpd/ssl_request_log

Anything we can do in the default config to prevent this?

Version-Release number of selected component (if applicable):
rhvm-4.3.3.7-0.1.el7.noarch
httpd-2.4.6-89.el7_6.x86_64

Steps to Reproduce:
A. In query string (password logged)
$ curl --cacert /etc/pki/ovirt-engine/apache-ca.pem \
  -X POST \
  -H 'Content-Type:application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  'https://<RHV-M FQDN>/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=redhat&scope=ovirt-app-api'

[29/May/2019:10:59:20 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 97090us" "POST /ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=redhat&scope=ovirt-app-api HTTP/1.1" 310


B. In body (password not logged)
# curl --cacert /etc/pki/ovirt-engine/apache-ca.pem \
  -X POST \
  -H 'Content-Type:application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  -d 'grant_type=password&scope=ovirt-app-api&username=admin%40internal&password=redhat' \
  'https://<RHV-M FQDN>/ovirt-engine/sso/oauth/token'

[29/May/2019:10:59:33 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 89662us" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 172

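As an added example, not part of the bug report or of the oVirt project's code, the script below runs a detection pass over log lines in the ovirt-requests-log format shown above, reports which entries carry `username`/`password` in the query string of the request line, and produces a redacted copy for safe sharing (for instance before attaching logs to a support case). The sample lines are constructed from the format in the report; the set of parameter names treated as sensitive is an assumption taken from the SSO token endpoint parameters that appear on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string parameters whose values must never survive in an access log.
# Assumed set: the names used by the oVirt SSO token endpoint on this page.
SENSITIVE_PARAMS = frozenset({"password", "username"})

# The quoted request line in ovirt-requests-log / Apache-style access logs:
#   "POST /ovirt-engine/sso/oauth/token?grant_type=... HTTP/1.1"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)"'
)

# Constructed sample lines modelled on the format shown in the bug report.
SAMPLE_LOG = [
    '[29/May/2019:10:59:20 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 97090us" '
    '"POST /ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal'
    '&password=redhat&scope=ovirt-app-api HTTP/1.1" 310',
    '[29/May/2019:10:59:33 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 89662us" '
    '"POST /ovirt-engine/sso/oauth/token HTTP/1.1" 172',
    '[29/May/2019:11:02:07 +1000] 10.64.24.30 "Correlation-Id: -" "Duration: 1204us" '
    '"GET /ovirt-engine/api/vms?search=name%3Dweb01 HTTP/1.1" 2048',
]


def parse_request(line):
    """Return (method, path, [(param, value), ...]) for one log line, or None
    when the line carries no quoted request line."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so that an empty 'password=' is still reported
    params = parse_qsl(parts.query, keep_blank_values=True)
    return m.group("method"), parts.path, params


def leaked_params(line):
    """Names of sensitive query parameters present in the line, in the order
    they appear. An empty list means the line exposes nothing."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    _, _, params = parsed
    return [name for name, _ in params if name.lower() in SENSITIVE_PARAMS]


def redact(line):
    """Replace the value of every sensitive parameter in the request line with
    [REDACTED]; timestamp, client, path and other parameters stay intact."""
    def scrub_target(m):
        target = m.group("target")
        for name in SENSITIVE_PARAMS:
            # a value runs until the next '&', whitespace or closing quote
            target = re.sub(
                rf'([?&]{re.escape(name)}=)[^&\s"]*',
                r"\1[REDACTED]",
                target,
                flags=re.IGNORECASE,
            )
        return f'"{m.group("method")} {target} HTTP/{m.group("version")}"'
    return REQUEST_RE.sub(scrub_target, line, count=1)


def scan(lines):
    """Detection pass: one finding per line that exposes credentials, as
    (1-based line number, request path, leaked parameter names)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        names = leaked_params(line)
        if names:
            _, path, _ = parse_request(line)
            findings.append((n, path, names))
    return findings


if __name__ == "__main__":
    for n, path, names in scan(SAMPLE_LOG):
        print(f"line {n}: {path} exposes {', '.join(names)}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Scrubbing is an after-the-fact control for logs that already exist; the structural mitigation is to stop httpd from writing the query string in the first place. In an Apache `LogFormat`, `%r` records the full request line including the query string, whereas `%U` records only the URL path, so a format built on `%U` never captures parameters such as these regardless of what a client sends.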
Comment 2 Daniel Gur 2019-08-28 13:11:53 UTC
sync2jira

Comment 3 Daniel Gur 2019-08-28 13:16:06 UTC
sync2jira

Comment 4 RHV bug bot 2019-12-13 13:13:23 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 5 RHV bug bot 2019-12-20 17:43:24 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 6 RHV bug bot 2020-01-08 14:46:30 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 7 RHV bug bot 2020-01-08 15:14:01 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 8 RHV bug bot 2020-01-24 19:48:16 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 9 Guilherme Santos 2020-02-17 15:47:39 UTC
Verified on:
httpd-2.4.6-90.el7.x86_64
ovirt-engine-4.4.0-0.20.master.el7.noarch

Steps:
1. # curl -X GET -H 'All-content: true' -H "Accept: application/json" --insecure 'https://<engine-fqdn>/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@internal&password=<password>&scope=ovirt-app-api'
2. Checked /var/log/httpd/ssl_access_log; /var/log/httpd/ovirt-requests-log; /var/log/httpd/ssl_request_log

Results
No password logged

Comment 12 errata-xmlrpc 2020-08-04 13:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247