There are plenty of applications using environment variables for passing credentials to programs. libreport must have a black list of such environment variables and must clear all of them. libreport also must allow users to provide their own black list of cleared environment variables.

OpenStack: OS_*
Amazon EC2: AWS_*
OpenNebula: ONE_*
VMware: VI_*
Rackspace: NOVA_*
DigitalOcean: DO_*
Google Computing Engine: APPID_*
Amazon EC2/Eucalyptus: EC2_*
And as was suggested on the list: *PASSWORD* *SECRET* are probably not things you'd want in your bug report either ...
In libreport we have src/gui-wizard-gtk/forbidden_words.conf which already contains some sensitive words. We can add it there.
Upstream patch: https://github.com/abrt/libreport/pull/658
Patch has been merged.
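
The pattern-based scrubbing requested in this report, as an added example that is not libreport's code or the merged patch: it applies the glob patterns from the thread plus a user-supplied list to a NAME=value environment dump using POSIX fnmatch(). The function name scrub_environ, the in-place buffer interface and the sample variables are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Patterns listed in the thread above (matching is case-sensitive). */
static const char *const defaults[] = {
    "OS_*", "AWS_*", "ONE_*", "VI_*", "NOVA_*", "DO_*", "APPID_*", "EC2_*",
    "*PASSWORD*", "*SECRET*", NULL
};

/* Returns 1 if name matches any glob in a NULL-terminated list (NULL list = no match). */
static int matches_any(const char *name, const char *const *patterns)
{
    for (; patterns && *patterns; ++patterns)
        if (fnmatch(*patterns, name, 0) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: removes, in place, each "NAME=value" line of buf whose
 * NAME matches a default or user-supplied glob. Returns the number removed. */
size_t scrub_environ(char *buf, const char *const *user_patterns)
{
    char *src = buf, *dst = buf;
    size_t dropped = 0;
    while (*src) {
        size_t body = strcspn(src, "\n");           /* line length without newline */
        size_t len = body + (src[body] == '\n');    /* line length with newline */
        char *eq = memchr(src, '=', body);
        size_t nlen = eq ? (size_t)(eq - src) : body;
        char saved = src[nlen];
        src[nlen] = '\0';                           /* terminate NAME in place */
        int drop = matches_any(src, defaults) || matches_any(src, user_patterns);
        src[nlen] = saved;
        if (!drop) {                                /* keep: compact towards the front */
            memmove(dst, src, len);
            dst += len;
        }
        dropped += (size_t)drop;
        src += len;
    }
    *dst = '\0';
    return dropped;
}

int main(void)
{
    char env[] = "HOME=/u\nAWS_SECRET_ACCESS_KEY=x\nDB_PASSWORD=y\nMY_TOKEN=t\nLANG=C\n"; /* constructed */
    const char *const user[] = { "*TOKEN*", NULL };  /* models a user-provided list */
    printf("removed %zu\n%s", scrub_environ(env, user), env);
    return 0;
}
```

Because matching is case-sensitive, a variable such as db_password passes through unless the user-supplied list covers it.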