Remove sensitive information from logs

When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
2024-12-23 07:33:27 -06:00 · 2011-07-12 10:02:09 +02:00 · 2011-07-12 10:02:09 +02:00 · 02520ab98c
commit 02520ab98c
parent 0cb65fd9f6
2 changed files with 11 additions and 11 deletions
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True,
    if capture_output:
        p_out = subprocess.PIPE
        p_err = subprocess.PIPE
-    elif len(nolog):
-        raise RuntimeError("Can't use nolog if output is not captured")

    p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
                         close_fds=True, env=env)
@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True,
    for value in nolog:
        if not isinstance(value, basestring):
            continue
-        args = args.replace(value, 'XXXXXXXX')
-        stdout = stdout.replace(value, 'XXXXXXXX')
-        stderr = stderr.replace(value, 'XXXXXXXX')
+
        quoted = urllib2.quote(value)
-        args = args.replace(quoted, 'XXXXXXXX')
-        stdout = stdout.replace(quoted, 'XXXXXXXX')
-        stderr = stderr.replace(quoted, 'XXXXXXXX')
+        for nolog_value in (value, quoted):
+            if capture_output:
+                stdout = stdout.replace(nolog_value, 'XXXXXXXX')
+                stderr = stderr.replace(nolog_value, 'XXXXXXXX')
+            args = args.replace(nolog_value, 'XXXXXXXX')
+
    logging.debug('args=%s' % args)
    if capture_output:
        logging.debug('stdout=%s' % stdout)
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
            "--auto-master-check", "--realm", realm,
            "--principal", "admin",
            "--hostname", host_name]
+    nolog=tuple()

    if admin_password:
        args.extend(["--password", admin_password])
+        nolog=(admin_password,)

    if check_ca:
        args.append('--check-ca')
-    logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
-            " ".join(args))
-    (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
+    (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
+                                              nolog=nolog)

    if returncode != 0:
        sys.exit("Connection check failed!" +