Bug 49938 - passwords in dicts are not removed when dict is only argument in log call
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Ucsschool-lib
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v3-errata
Assigned To: Daniel Tröder
QA Contact: Jürn Brodersen
Reported: 2019-07-30 14:19 CEST by Daniel Tröder
Modified: 2019-08-05 18:42 CEST
What kind of report is it?: Security Issue
School Customer affected?: Yes
Ticket number: 2019072421000323
Description Daniel Tröder univentionstaff 2019-07-30 14:19:30 CEST
The ucsschool.libs logger removes password strings from dictionary arguments.
If there is only 1 format argument, the password will not be removed.
Comment 1 Daniel Tröder univentionstaff 2019-07-30 14:27:39 CEST
Fix and unittest.

[4.4] 73f5f7d93 Bug #49938: fix removal of passwords from logging arguments if only one format argument is passed
[4.4] a6ae4ecf3 Bug #49938: test removal of passwords when logging
[4.4] 76f88a07c Bug #49938: advisory

MS should be "4.4 v3 errata", but I don't have the permissions to create new MS...
Comment 2 Daniel Tröder univentionstaff 2019-07-30 19:00:34 CEST
[4.4] bcac3d914 Bug #49938: remove password also from dict in record.msg
[4.4] c0812b15c Bug #49938: advisory update

ucs-school-lib (12.1.4)
ucs-test-ucsschool (6.0.36)
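The single-argument case from the description and the record.msg case from the commit message in this comment, as an added illustration (not code from ucs-school-lib): a stdlib logging filter that redacts password values whether the dict ends up in record.msg (no format string at all), is collapsed into record.args by the standard library (exactly one mapping argument), or sits inside the usual args tuple. The key name "password", the "***" marker and the render() helper are assumptions of this example.

```python
import logging
from collections.abc import Mapping

SENSITIVE_KEYS = {"password"}  # assumption: key names whose values are redacted


def _scrub(obj):
    """Return a copy of obj with the values of sensitive keys replaced, recursively."""
    if isinstance(obj, Mapping):
        return {k: ("***" if str(k).lower() in SENSITIVE_KEYS else _scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v) for v in obj]
    if isinstance(obj, tuple):
        return tuple(_scrub(v) for v in obj)
    return obj


class PasswordRedactingFilter(logging.Filter):
    def filter(self, record):
        # Case 1: logger.debug({...}) -> the dict IS record.msg and record.args is ().
        if isinstance(record.msg, Mapping):
            record.msg = _scrub(record.msg)
        # Case 2: logger.debug("x: %s", {...}) -> CPython's LogRecord collapses a single
        # non-empty mapping argument, so record.args is the dict itself, not a tuple.
        if isinstance(record.args, Mapping):
            record.args = _scrub(record.args)
        # Case 3: two or more arguments -> record.args is a plain tuple.
        elif isinstance(record.args, tuple):
            record.args = tuple(_scrub(a) for a in record.args)
        return True


def render(msg, *args):
    """Helper (constructed for this example): build a LogRecord the way Logger.debug
    would, run it through the filter and return the formatted message text."""
    record = logging.LogRecord("demo", logging.DEBUG, "demo.py", 0, msg, args, None)
    PasswordRedactingFilter().filter(record)
    return record.getMessage()
```

Attach the filter with `logger.addFilter(PasswordRedactingFilter())`; because it rewrites the record before any handler formats it, the redaction also reaches file and syslog handlers.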
Comment 3 Jürn Brodersen univentionstaff 2019-07-31 12:27:36 CEST
What I tested:
401_ucsschool_lib_logger_removes_password -> OK


Manual test that passwords are removed:
In [10]: logger.debug({"fo": 1234}) -> OK
In [11]: logger.debug({"fo": 1234, "password": "dfgxsdfg"}) -> OK
In [12]: logger.debug("foo: %r", {"fo": 1234, "password": "dfgxsdfg"}) -> OK
In [13]: logger.debug("foo: %s", {"fo": 1234, "password": "dfgxsdfg"}) -> OK

yaml -> OK
Comment 4 Daniel Tröder univentionstaff 2019-08-05 18:42:12 CEST
UCS@school 4.4 v3 has been released.

https://docs.software-univention.de/release-notes-ucsschool-4.4v3-de.html

If this error occurs again, please clone this bug.