Red Hat Bugzilla – Bug 749890
Mask passwords from xmlrpc tracebacks
Last modified: 2012-03-08 04:06:43 EST
Description of problem:
Tracebacks triggered by a failure of xmlrpc/registration.py include all of the submitted data--including the user's password in clear text. This should be masked so that the password is not exposed in the logs or email.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use an unsupported option during the RHN registration; in this case we use "rhnreg_ks --subscription=xxxx".
2. The unknown attribute triggers a traceback to the log and email.
The traceback includes all the data from the registration, including the registering user's password in plain text.
The password should never be exposed.
Full reproducer traceback attached.
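The masking the report asks for, sketched as an added example that is not part of the bug report and is not the Spacewalk fix: submitted data is deep-copied with sensitive fields replaced before it is written next to the traceback. The key names, the `handle_registration` handler and the sample request are assumptions constructed for illustration.

```python
import traceback

# Assumed key names; the report itself only mentions the user's password.
SENSITIVE_KEYS = {"password", "passwd", "pass"}
MASK = "******"


def mask_sensitive(value, sensitive=SENSITIVE_KEYS):
    """Return a copy of value with sensitive dict entries replaced by MASK.

    Walks nested dicts, lists and tuples (the shapes XML-RPC parameters
    take) and never modifies the caller's data.
    """
    if isinstance(value, dict):
        return {
            k: MASK if str(k).lower() in sensitive else mask_sensitive(v, sensitive)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v, sensitive) for v in value)
    return value


def format_failure(exc, request_data):
    """Build the text sent to the log or e-mail for a failed call."""
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return "%s\nRequest data: %r\n" % (tb, mask_sensitive(request_data))


def handle_registration(params):
    # Hypothetical handler: an unknown attribute raises, as in the reproducer.
    unknown = set(params) - {"username", "password", "profile_name"}
    if unknown:
        raise ValueError("unknown attribute(s): %s" % ", ".join(sorted(unknown)))
    return "ok"


# Constructed sample request, not taken from the attached traceback.
SAMPLE_REQUEST = {"username": "admin", "password": "s3cret-constructed",
                  "subscription": "xxxx"}


def demo():
    try:
        handle_registration(SAMPLE_REQUEST)
    except ValueError as exc:
        return format_failure(exc, SAMPLE_REQUEST)


if __name__ == "__main__":
    print(demo())
```

Masking the data dump does not cover exception messages that embed a submitted value, so those strings need the same treatment before they are logged.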
Fixed in Spacewalk master, 76d0064693107148e4a949fc7ad62d72bb3ec26c.
Also reverted change for bug 695282 in Spacewalk.
*** Bug 695282 has been marked as a duplicate of this bug. ***
Cherry picked to SATELLITE-5.4, 3a62d545541d5509786a5e4976527180b114f324.
Tagged and built as spacewalk-backend-1.2.13-64.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.