syspanel doesn't strip confirm_password from JSON when updating user password
Bug #970483 reported by Morgan Fainberg
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Critical | Gabriel Hurley |
Bug Description
The syspanel in Horizon doesn't remove the confirm_password data from the data that is sent to Keystone when updating a user's password.
This results in the JSON element "confirm_password" holding a plain-text version of the user's updated password in the keystone database and thus exposing the user's plain text password to anyone who can request the user_ref data.
The simplest solution is to just add a data.pop(
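The following is an added illustration of the defect described above, not Horizon's or Keystone's code. It models a password-change handler that forwards its validated form fields as the user-update body, beside a version that allow-lists the fields the backend update actually needs (a stricter variant of the `data.pop` fix the report suggests), and a small record audit that flags stored keys carrying a clear-text copy of a password. The form field names other than `password` and `confirm_password`, the user id, and the backend's behaviour of persisting every JSON key it receives are assumptions for the example.

```python
"""Added example (not Horizon's code): a confirmation field leaking into the
user record sent to the identity backend, and how to keep it out.

Assumptions: the handler receives validated form data as a dict and posts it
as a JSON body to a user-update call whose backend stores any keys it gets.
"""
import json

# Constructed sample: what a password-change form submits after validation.
SAMPLE_FORM_DATA = {
    "id": "user-1234",             # constructed user id
    "password": "N3w-S3cret!",     # constructed sample password
    "confirm_password": "N3w-S3cret!",
}


def validate_passwords(data):
    """The confirmation check belongs to the form, not to the API payload."""
    if data.get("password") != data.get("confirm_password"):
        raise ValueError("passwords do not match")
    return True


def update_payload_vulnerable(data):
    """Buggy pattern: forwards every validated field, so confirm_password
    rides along to the backend and is stored there in clear text."""
    validate_passwords(data)
    return dict(data)


# Fields the backend update call needs; anything else never leaves the form.
ALLOWED_UPDATE_FIELDS = frozenset({"id", "password"})


def update_payload_hardened(data):
    """Allow-list the keys sent to the backend instead of popping one
    known-bad key, so a future form field cannot leak by default."""
    validate_passwords(data)
    return {k: v for k, v in data.items() if k in ALLOWED_UPDATE_FIELDS}


def simulated_backend_store(payload):
    """Stand-in for a backend that persists whatever JSON attributes it
    receives (the behaviour the bug report describes). Returns the record
    as it would later be read back, e.g. via a user_ref lookup."""
    return json.loads(json.dumps(payload))


def leaked_password_keys(record):
    """Audit a stored user record: report any key other than the backend's
    own 'password' field whose name suggests it carries a password copy."""
    return sorted(k for k in record if k != "password" and "password" in k.lower())


def leaked_keys(payload):
    """Convenience wrapper: store the payload, then audit the stored record."""
    return leaked_password_keys(simulated_backend_store(payload))


if __name__ == "__main__":
    print("vulnerable payload leaks:", leaked_keys(update_payload_vulnerable(SAMPLE_FORM_DATA)))
    print("hardened payload leaks:  ", leaked_keys(update_payload_hardened(SAMPLE_FORM_DATA)))
```

Allow-listing is chosen over `pop` because it also covers fields added to the form later; the audit function is the kind of check an operator could run over exported user records to confirm no clear-text copies remain after the fix.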
Changed in horizon: milestone: none → essex-rc2; status: New → Confirmed; importance: Undecided → Critical
Changed in horizon: status: Fix Committed → Fix Released
Changed in horizon: milestone: essex-rc2 → 2012.1
Totally agree about the fix, but why is Keystone saving that data at all? Does Keystone simply save *any* random data you throw at it?