From 02520ab98c5c5614c4b11f1a7c35a2f14001dc06 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 12 Jul 2011 10:02:09 +0200
Subject: [PATCH] Remove sensitive information from logs

When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden.
https://fedorahosted.org/freeipa/ticket/1378
---
 ipapython/ipautil.py | 15 +++++++--------
 ipaserver/install/replication.py | 7 ++++---
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 91d19e95f..0191662cd 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True,
 if capture_output:
 p_out = subprocess.PIPE
 p_err = subprocess.PIPE
- elif len(nolog):
- raise RuntimeError("Can't use nolog if output is not captured")
 p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err, close_fds=True, env=env)
@@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True,
 for value in nolog:
 if not isinstance(value, basestring):
 continue
- args = args.replace(value, 'XXXXXXXX')
- stdout = stdout.replace(value, 'XXXXXXXX')
- stderr = stderr.replace(value, 'XXXXXXXX')
+
 quoted = urllib2.quote(value)
- args = args.replace(quoted, 'XXXXXXXX')
- stdout = stdout.replace(quoted, 'XXXXXXXX')
- stderr = stderr.replace(quoted, 'XXXXXXXX')
+ for nolog_value in (value, quoted):
+ if capture_output:
+ stdout = stdout.replace(nolog_value, 'XXXXXXXX')
+ stderr = stderr.replace(nolog_value, 'XXXXXXXX')
+ args = args.replace(nolog_value, 'XXXXXXXX')
+
 logging.debug('args=%s' % args)
 if capture_output:
 logging.debug('stdout=%s' % stdout)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fddb73747..22d4e1ae5 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
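Review bot: In the second hunk of ipapython/ipautil.py (`@@ -224,13 +222,14 @@`), an empty string in `nolog` passes the `isinstance(value, basestring)` check, and `args.replace('', 'XXXXXXXX')` then inserts the mask between every character of the logged command line. Skipping empty values, e.g. `if not isinstance(value, basestring) or not value:`, avoids that. With `capture_output` false only `args` is masked now, so a comment above the loop such as `# nolog masks only what run() itself logs; output that is not captured is not filtered` would record the limit that the removed RuntimeError used to enforce. The body of run() begins and ends outside the hunk, so this assumes `args` is already a joined string when the loop runs.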
@@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 "--auto-master-check", "--realm", realm, "--principal", "admin", "--hostname", host_name]
+ nolog=tuple()
 if admin_password:
 args.extend(["--password", admin_password])
+ nolog=(admin_password,)
 if check_ca:
 args.append('--check-ca')
- logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
- " ".join(args))
- (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
+ (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
+ nolog=nolog)
 if returncode != 0:
 sys.exit("Connection check failed!" +
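Review bot: `nolog=(admin_password,)` keeps the password out of the log, but the context line `args.extend(["--password", admin_password])` still puts it on the command line of ipa-replica-conncheck, where it stays readable through the process list for as long as the check runs. If conncheck can take the secret from stdin or a file (not visible here), that would close the remaining exposure; otherwise a comment such as `# password is masked in the log only; it is still passed in argv` would keep the limit on record. The first element returned by `ipautil.run` is bound to `stdin`, which looks like it should be `stdout`, presumably a pre-existing naming slip worth fixing while the line is touched. replica_conn_check continues past the end of the hunk.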