Bug 1169760 - [rfe] scrub selected environment variables
Summary: [rfe] scrub selected environment variables
Keywords:
Status: POST
Alias: None
Product: Fedora
Classification: Fedora
Component: libreport
Version: rawhide
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
Assignee: Matej Grabovsky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-02 11:48 UTC by Jakub Filak
Modified: 2020-08-27 07:49 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github https://github.com/abrt libreport issues 353 0 None None None 2020-08-26 07:56:55 UTC

Description Jakub Filak 2014-12-02 11:48:05 UTC 
There are plenty of applications using environment variables for passing credentials to programs. libreport must have a black list of such environment  variables and must clear all of them. libreport also must allow users to provide their own black list of cleared environment variables.


OpenStack : OS_*
Amazon EC2 : AWS_*
OpenNebula : ONE_*
Vmware : VI_*
Rackspace : NOVA_*
DigitalOcean : DO_*
Google Computing Engine : APPID_*
Comment 1 Zbigniew Jędrzejewski-Szmek 2014-12-02 14:50:14 UTC 
Amazon EC2/Eucalyptus: EC2_*
Comment 2 Richard W.M. Jones 2014-12-02 22:48:14 UTC 
And as was suggested on the list:

 *PASSWORD*
 *SECRET*

are probably not things you'd want in your bug report either ...
Comment 4 Miroslav Suchý 2020-08-04 14:25:47 UTC 
In libreport we have src/gui-wizard-gtk/forbidden_words.conf which already contains some sensitive word. We can add it there.
Comment 5 Matej Grabovsky 2020-08-05 11:43:41 UTC 
Upstream patch: https://github.com/abrt/libreport/pull/658
Comment 6 Matej Grabovsky 2020-08-27 07:49:32 UTC 
Patch has been merged.
Note You need to log in before you can comment on or make changes to this bug.