Description of problem: Pulp logs the database connection parameters at the debug level, substituting each character of the database password with an asterisk. An attacker could learn the length of the database password by counting the asterisks. We should instead use a static string in this field. Version-Release number of selected component (if applicable): 2.6 beta How reproducible: Every time Steps to Reproduce: 1. Configure Pulp to use the DEBUG log level 2. Ensure that your syslog shows DEBUG messages. 3. Configure Pulp to use a username/password on the Mongo connection. (It is probably not important to actually configure Mongo to do this for this test.) 4. Watch the log when you start Pulp. Actual results: In the log, you will see the DB connection params logged, and the password will be transformed to asterisks, with one asterisk per character of your password. You can try varying the password to confirm this. Expected results: The log should not include hints about the length of the password.
https://github.com/pulp/pulp/pull/1616
2.6.0-0.7.beta
Verified with https://bugzilla.redhat.com/show_bug.cgi?id=1182279#c5
Moved to https://pulp.plan.io/issues/691