Bug 1169760 - [rfe] scrub selected environment variables
Summary: [rfe] scrub selected environment variables
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: libreport
Version: rawhide
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
Assignee: Matej Grabovsky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-02 11:48 UTC by Jakub Filak
Modified: 2020-08-05 11:43 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github https://github.com/abrt libreport issues 353 None None None 2020-08-11 05:55:25 UTC

Description Jakub Filak 2014-12-02 11:48:05 UTC
There are plenty of applications using environment variables for passing credentials to programs. libreport must have a black list of such environment  variables and must clear all of them. libreport also must allow users to provide their own black list of cleared environment variables.


OpenStack : OS_*
Amazon EC2 : AWS_*
OpenNebula : ONE_*
Vmware : VI_*
Rackspace : NOVA_*
DigitalOcean : DO_*
Google Computing Engine : APPID_*

Comment 1 Zbigniew Jędrzejewski-Szmek 2014-12-02 14:50:14 UTC
Amazon EC2/Eucalyptus: EC2_*

Comment 2 Richard W.M. Jones 2014-12-02 22:48:14 UTC
And as was suggested on the list:

 *PASSWORD*
 *SECRET*

are probably not things you'd want in your bug report either ...

Comment 4 Miroslav Suchý 2020-08-04 14:25:47 UTC
In libreport we have src/gui-wizard-gtk/forbidden_words.conf which already contains some sensitive word. We can add it there.

Comment 5 Matej Grabovsky 2020-08-05 11:43:41 UTC
Upstream patch: https://github.com/abrt/libreport/pull/658


Note You need to log in before you can comment on or make changes to this bug.