Bug 1686021 - exposure of database information on API login request
Summary: exposure of database information on API login request
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: GA
: 5.10.2
Assignee: Joe Vlcek
QA Contact: Parthvi Vala
Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On: 1661445
Blocks:
Reported: 2019-03-06 14:59 UTC by Satoe Imaishi
Modified: 2019-11-29 05:41 UTC

Fixed In Version: 5.10.2.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1661445
Environment:
Last Closed: 2019-04-02 07:46:16 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github ManageIQ integration_tests pull 9694 0 'None' 'open' '[RFR] Audit qe-test-coverage for Customer BZs' 2019-11-29 05:41:42 UTC
Red Hat Product Errata RHBA-2019:0694 0 None None None 2019-04-02 07:46:22 UTC

Comment 2 CFME Bot 2019-03-06 15:03:38 UTC
New commit detected on ManageIQ/manageiq-api/hammer:

https://github.com/ManageIQ/manageiq-api/commit/93195015aedcfd90fc5733a8ca22aa03fc083934
commit 93195015aedcfd90fc5733a8ca22aa03fc083934
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Thu Jan 10 17:40:12 2019 -0500
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Thu Jan 10 17:40:12 2019 -0500

    Merge pull request #537 from jvlcek/bz_1661445_error_w_sql

    Remove SQL select from exception error messages.

    (cherry picked from commit 325a5a105a7aefc4c6864823890f72a071c14360)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1686021

 app/controllers/api/base_controller/authentication.rb | 4 +-
 lib/services/api/error_serializer.rb | 12 +-
 spec/lib/services/api/error_serializer_spec.rb | 58 +
 3 files changed, 71 insertions(+), 3 deletions(-)

Comment 3 Parthvi Vala 2019-03-13 08:09:26 UTC
FIXED. Verified on 5.10.2.0.20190311164858_455d270.

Request: curl -k -u admin:smartvm -H "Accept: application/json" -H "Authorization: Basic Testing" -i -X GET "https://192.168.122.56/api/auth?requester=ui"

Response: {"error":{"kind":"unauthorized","message":"PG::CharacterNotInRepertoire: ERROR:  invalid byte sequence for encoding \"UTF8\": 0xeb 0x2d 0x8a\n:","klass":"Api::AuthenticationError"}}

No SQL query in the response.
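
As an added illustration, not ManageIQ's own code and not the change merged in PR #537, the following Ruby module shows the defensive pattern behind this fix: an API error serializer that strips the SQL statement a database exception message carries before the message is returned to the client. It assumes the message shape ActiveRecord uses for StatementInvalid ("<driver error>: <sql>"), assumes the SQL begins with one of the listed keywords, and uses a constructed sample message in the shape of the one quoted in Comment 3; the module and method names are invented for this example.

```ruby
require 'json'

# Added example (not ManageIQ code): an API error serializer that removes the
# SQL statement appended to a database exception message, so a failed login
# never echoes the query that ran against the users table.
module ApiErrorSanitizer
  # Assumption: ActiveRecord builds StatementInvalid messages as
  # "<driver error>: <sql>", and PostgreSQL driver errors end in a newline,
  # which is why the SQL follows "\n: ". The keyword list is an assumption
  # too; matching is case-insensitive, so the filter errs toward removing
  # more rather than less.
  SQL_TAIL = /:\s*(SELECT|INSERT|UPDATE|DELETE|WITH|ALTER|CREATE|DROP)\b.*\z/mi

  # Constructed sample in the shape of the message seen in Comment 3, with a
  # made-up SELECT appended as an unpatched serializer would have shown it.
  SAMPLE_MESSAGE = "PG::CharacterNotInRepertoire: ERROR:  invalid byte sequence " \
                   "for encoding \"UTF8\": 0xeb 0x2d 0x8a\n" \
                   ": SELECT \"users\".* FROM \"users\" WHERE \"users\".\"userid\" = 'Testing' LIMIT 1"

  # Returns the message with everything from the SQL statement onward dropped;
  # messages without a statement are returned unchanged.
  def self.strip_sql(message)
    message.sub(SQL_TAIL, ':')
  end

  # Builds the JSON document the API returns for an error, with the sanitized
  # message. The hash layout mirrors the response quoted in Comment 3.
  def self.serialize(kind:, message:, klass:)
    JSON.generate('error' => { 'kind' => kind, 'message' => strip_sql(message), 'klass' => klass })
  end

  # True when a serialized body still contains a SQL keyword after a colon;
  # this is the check a test suite would run against every error response.
  def self.leaks_sql?(body)
    !!(JSON.parse(body)['error']['message'] =~ SQL_TAIL)
  end
end

if $PROGRAM_NAME == __FILE__
  body = ApiErrorSanitizer.serialize(kind: 'unauthorized',
                                     message: ApiErrorSanitizer::SAMPLE_MESSAGE,
                                     klass: 'Api::AuthenticationError')
  puts body
  puts "leaks SQL: #{ApiErrorSanitizer.leaks_sql?(body)}"
end
```

Run with `ruby api_error_sanitizer.rb`; the printed body ends in `\n:` exactly as the verified response above does. Note what the sanitized message still reveals: the database driver (PG::) and the server's encoding handling. A stricter serializer would map every database exception to a fixed client-facing message and keep the original text in the server log only.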

Comment 5 errata-xmlrpc 2019-04-02 07:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0694

