Description of problem:
If an error occurs during an XMLRPC API login, the traceback emails sent by the satellite server contain the username and password used in cleartext.

Version-Release number of selected component (if applicable):
Satellite 5.2

How reproducible:
Always

Steps to Reproduce:
1. [python snippet]

    import xmlrpclib

    def create_session(URL, username, password, verbose=0):
        """ creates the RHN session, returns a session_key as a string """
        rhn = xmlrpclib.Server(URL, verbose=verbose)
        session_key = rhn.auth.login(username, password)
        rhn.sysver = rhn.api.systemVersion()
        rhn.apiver = rhn.api.getVersion()
        return rhn, session_key

    # create_session returns a (server, session_key) pair, so unpack it
    rhn, session_key = create_session("https://dhcp-1-221.fab.redhat.com//rpc/api", "satadmin", "password")

(note extra "/" at beginning of path component)

2. Check email

Traceback email contains the following:

Headers:
Content-Length: 218
Content-Type: text/xml
Host: dhcp-1-221.fab.redhat.com
User-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)

RPC Request:
auth.login(satadmin, password)

Actual results:
Admin password has been sent via Email to the configured administrator email address/mailing list.

Expected results:
The password in auth.login should be masked out or removed.

Additional info:
If users are testing scripts and encounter an error when creating the session, their password will be sent to the administrator. This doesn't seem to be the desired outcome.
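One way to keep credentials out of a traceback email, as an added example (not Satellite's own code): the request body is parsed with Python 3's standard xmlrpc.client (the Python 3 name of the xmlrpclib module used above), the password parameter of auth.login is replaced with a fixed mask, and a body that does not parse is never echoed back, since a malformed login request may itself be the error being reported. The sensitive-method table, the mask string, the helper names and the host name are assumptions made for the example.

```python
import xml.parsers.expat
import xmlrpc.client

# Zero-based positions of parameters that must never be echoed back in
# error reports.  Assumed table for this example: auth.login takes
# (username, password), so only the password is hidden.
SENSITIVE_PARAMS = {"auth.login": {1}}
MASK = "########"


def rpc_request_body(method, *params):
    """Constructed request body, the same shape xmlrpclib sends for
    rhn.<method>(*params); used only to build sample input."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def summarize_rpc_request(body):
    """Return 'method(arg, ...)' for an XML-RPC methodCall body, with
    sensitive parameters masked.  A body that does not parse is not
    echoed at all: its raw text could still contain the credentials."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (xml.parsers.expat.ExpatError, xmlrpc.client.Fault,
            xmlrpc.client.ResponseError):
        return "<unparseable request body>"
    if method is None:  # a methodResponse, not a call
        return "<not a method call>"
    hidden = SENSITIVE_PARAMS.get(method, set())
    shown = [MASK if i in hidden else str(v) for i, v in enumerate(params)]
    return "%s(%s)" % (method, ", ".join(shown))


def traceback_report(headers, body):
    """Build the 'Headers:' / 'RPC Request:' section of a traceback
    email from the request headers and the masked request summary."""
    lines = ["Headers:"]
    lines += ["%s: %s" % (k, v) for k, v in sorted(headers.items())]
    lines += ["", "RPC Request:", summarize_rpc_request(body)]
    return "\n".join(lines)


if __name__ == "__main__":
    body = rpc_request_body("auth.login", "satadmin", "password")
    headers = {"Content-Type": "text/xml",
               "Content-Length": str(len(body)),
               "Host": "satellite.example.com"}  # assumed host name
    print(traceback_report(headers, body))
```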
The Perl stack still recognizes this. It should not. This (and any similar URL) should return a 404 Not Found.

Examples:
<FQDN>//rpc/api
<FQDN>/rpc//api
<FQDN>//rpc//api

But basically, we have something in the perl code that still thinks this is real:

The following exception occurred while executing this request:
POST /rpc//api HTTP/1.1 (from browser)
/rpc//api (from Apache)
Date: Tue Mar 17 12:45:56 2009

Headers:
Connection: TE, close
Content-Length: 216
Content-Type: text/xml
Host: test10-64.rhndev.redhat.com
TE: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.805

RPC Request:
auth.login(bdperkin, ########)

User Information:
(not logged in)

Error notes:
(none)

Initial Request: Yes

Error message:
Can't locate Sniglets/API.pm in @INC (@INC contains: /var/www/lib /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib64/perl5/site_perl/5.8.5/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.4/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.3/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.2/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.1/x86_64-linux-thread-multi /usr/lib64/perl5/site_perl/5.8.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.5/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.4/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.3/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.2/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.1/x86_64-linux-thread-multi /usr/lib64/perl5/vendor_perl/5.8.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /etc/rhn/satellite-httpd) at /usr/lib/perl5/site_perl/5.8.5/PXT/ApacheHandler.pm line 520.

=====================================================================

Nothing should be using Sniglets/API.pm anymore, so we need to remove that code path, wherever it is.
I have run several tests using the Satellite 5.3 httpd configuration and I have not been able to reproduce the behavior described. (Note: I was able to reproduce it using Satellite 5.2).

One of the changes introduced in Satellite 5.3 is to move away from the existing satellite-httpd to the standard httpd configuration with the addition of the configs needed by Satellite (i.e. /etc/httpd/conf.d -> zz-spacewalk-server.conf & zz-spacewalk-www.conf).

With this configuration, I was able to verify scenarios such as the following without generating any traceback emails:

bash-3.2$ python
Python 2.4.3 (#1, Sep 17 2008, 16:04:01)
[GCC 4.1.2 20071124 (Red Hat 4.1.2-41)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import xmlrpclib
>>> rhn=xmlrpclib.Server('http://<server>//rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','password')
>>> key
'365x6c87f63c547c8f6577dc5d5485716f7e'
>>> rhn.auth.logout(key)
1
>>> rhn=xmlrpclib.Server('http://<server>/rpc//api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>/rpc//api: 404 Not Found>
>>> key
'365x6c87f63c547c8f6577dc5d5485716f7e'
>>> rhn=xmlrpclib.Server('http://<server>//rpc//api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>//rpc//api: 404 Not Found>
>>> rhn=xmlrpclib.Server('http://<server>/something/rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.4/xmlrpclib.py", line 1137, in request
    headers
xmlrpclib.ProtocolError: <ProtocolError for <server>/something/rpc/api: 404 Not Found>
>>> rhn=xmlrpclib.Server('http://<server>///rpc/api',verbose=0)
>>> key=rhn.auth.login('admin','redhat')
>>> key
'366x111f292fecffccb926636dd39c56b27b'
>>>

Moving the BZ to ON_QA to allow for some additional testing.
verified.
Verified in stage -> RELEASE_PENDING
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html