syspanel doesn't strip confirm_password from JSON when updating user password

Bug #970483 reported by Morgan Fainberg
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Critical
Assigned to: Gabriel Hurley

Bug Description

The syspanel in Horizon doesn't remove the confirm_password data from the data that is sent to Keystone when updating a user's password.

This results in the JSON element "confirm_password" holding a plain-text version of the user's updated password in the keystone database and thus exposing the user's plain-text password to anyone who can request the user_ref data.

The simplest solution is to just add a data.pop('confirm_password') in the handle function in the UpdateUserForm in 'dashboards/syspanel/users/forms.py'.

Devin Carlen (devcamcar)
Changed in horizon:
milestone: none → essex-rc2
status: New → Confirmed
importance: Undecided → Critical
Gabriel Hurley (gabriel-hurley) wrote :

Totally agree about the fix, but why is Keystone saving that data at all? Does Keystone simply save *any* random data you throw at it?

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → In Progress
Morgan Fainberg (mdrnstm) wrote :

From experiments that I have done in extending the use of keystone, I have found that Keystone does, in fact, store any arbitrary data that is thrown at it. This work is how I discovered that the confirm_password field was being stored in plain text in the JSON.

There are certain fields that Keystone will strip out and do something with (i.e. password, which, when supplied via PUT for a user or on new user creation, gets replaced with the hashed version; name is another one that gets handled in a special way).

I wouldn't advocate changing that functionality in keystone, as it can be useful for extending OpenStack without having to extend the REST calls to achieve it.

It does mean that one must be very careful about what data is sent to Keystone.
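The two points made so far, that the proposed fix is a single data.pop('confirm_password') in the form's handle method, and that Keystone persists any extra field it is handed verbatim, are illustrated below in an added example. It is not Horizon's or Keystone's code: FakeKeystoneUsers is an assumed stand-in that models the storage behaviour described in this thread (arbitrary fields stored as-is, password stored hashed), the handle_* functions are hypothetical form handlers, and the form data is constructed. It also goes one step past the page by showing an allow-list handler and a small check that detects a plaintext copy of the password in a stored user record.

```python
"""Added example (not Horizon's or Keystone's own code).

Models the bug: a Django-style form passes its cleaned_data, including the
confirmation copy of the password, straight through to Keystone, which keeps
every field it receives. Shows the one-line fix, an allow-list variant, and a
regression check that looks for a verbatim password in the stored record.
"""
import hashlib


class FakeKeystoneUsers:
    """Assumed stand-in for the Keystone user API, modelling only the
    behaviour described in the thread: unknown fields are stored as-is and
    'password' is replaced by a hash. sha256 here is a placeholder for
    Keystone's real password hashing, not a recommendation."""

    def __init__(self):
        self.store = {}

    def update(self, user_id, **fields):
        ref = self.store.setdefault(user_id, {"id": user_id})
        for key, value in fields.items():
            if key == "password":
                ref[key] = hashlib.sha256(value.encode()).hexdigest()
            else:
                ref[key] = value          # arbitrary data persisted verbatim
        return dict(ref)

    def get(self, user_id):
        return dict(self.store[user_id])


def handle_vulnerable(client, user_id, cleaned_data):
    """Before the fix: every cleaned form field, confirm_password included,
    is forwarded to Keystone and therefore ends up in its database."""
    return client.update(user_id, **cleaned_data)


def handle_fixed(client, user_id, cleaned_data):
    """After the fix proposed in the report: drop the confirmation field
    before the data leaves the form. Copies first so the caller's dict is
    not mutated."""
    data = dict(cleaned_data)
    data.pop("confirm_password", None)
    return client.update(user_id, **data)


# Allow-list variant (hypothetical): enumerate the attributes a user-update
# form may send, so a field added to the form later cannot leak by default.
USER_UPDATE_FIELDS = frozenset({"name", "email", "password", "tenant_id"})


def handle_allowlisted(client, user_id, cleaned_data):
    data = {k: v for k, v in cleaned_data.items() if k in USER_UPDATE_FIELDS}
    return client.update(user_id, **data)


def leaked_plaintext_fields(user_ref, secret):
    """Regression check: names of fields in a stored user record whose value
    is exactly the submitted password. Empty list means no verbatim copy."""
    return sorted(k for k, v in user_ref.items() if v == secret)


# Constructed sample form data, as a Django form's cleaned_data would hold it.
FORM_DATA = {
    "name": "alice",
    "email": "alice@example.com",
    "password": "s3cret-example",
    "confirm_password": "s3cret-example",
}

if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_fixed, handle_allowlisted):
        ref = handler(FakeKeystoneUsers(), "u1", FORM_DATA)
        print(handler.__name__, "leaks:",
              leaked_plaintext_fields(ref, FORM_DATA["password"]))
```

The check in leaked_plaintext_fields is the kind of assertion worth keeping in a form handler's test suite: it compares every stored field against the submitted secret rather than looking only for the one key named in this bug, so a future confirmation or "old password" field that slips through is caught the same way.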

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/6115

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/6115
Committed: http://github.com/openstack/horizon/commit/e90886aa0761611d201ba163dce4c657c5cd57b0
Submitter: Jenkins
Branch: master

commit e90886aa0761611d201ba163dce4c657c5cd57b0
Author: Gabriel Hurley <email address hidden>
Date: Mon Apr 2 14:58:05 2012 -0700

    Prevent confirmation password data from being sent to keystone.

    Fixes bug 970483.

    Change-Id: Id26bfcab81f62cedc31236417835081deef07e9a

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: essex-rc2 → 2012.1