Remove sensitive information from logs

When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.

https://fedorahosted.org/freeipa/ticket/1378
This commit is contained in:
Martin Kosek 2011-07-12 10:02:09 +02:00
parent 0cb65fd9f6
commit 02520ab98c
2 changed files with 11 additions and 11 deletions

View File

@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True,
if capture_output: if capture_output:
p_out = subprocess.PIPE p_out = subprocess.PIPE
p_err = subprocess.PIPE p_err = subprocess.PIPE
elif len(nolog):
raise RuntimeError("Can't use nolog if output is not captured")
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err, p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
close_fds=True, env=env) close_fds=True, env=env)
@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True,
for value in nolog: for value in nolog:
if not isinstance(value, basestring): if not isinstance(value, basestring):
continue continue
args = args.replace(value, 'XXXXXXXX')
stdout = stdout.replace(value, 'XXXXXXXX')
stderr = stderr.replace(value, 'XXXXXXXX')
quoted = urllib2.quote(value) quoted = urllib2.quote(value)
args = args.replace(quoted, 'XXXXXXXX') for nolog_value in (value, quoted):
stdout = stdout.replace(quoted, 'XXXXXXXX') if capture_output:
stderr = stderr.replace(quoted, 'XXXXXXXX') stdout = stdout.replace(nolog_value, 'XXXXXXXX')
stderr = stderr.replace(nolog_value, 'XXXXXXXX')
args = args.replace(nolog_value, 'XXXXXXXX')
logging.debug('args=%s' % args) logging.debug('args=%s' % args)
if capture_output: if capture_output:
logging.debug('stdout=%s' % stdout) logging.debug('stdout=%s' % stdout)

View File

@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
"--auto-master-check", "--realm", realm, "--auto-master-check", "--realm", realm,
"--principal", "admin", "--principal", "admin",
"--hostname", host_name] "--hostname", host_name]
nolog=tuple()
if admin_password: if admin_password:
args.extend(["--password", admin_password]) args.extend(["--password", admin_password])
nolog=(admin_password,)
if check_ca: if check_ca:
args.append('--check-ca') args.append('--check-ca')
logging.debug("Running ipa-replica-conncheck with following arguments: %s" % (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
" ".join(args)) nolog=nolog)
(stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
if returncode != 0: if returncode != 0:
sys.exit("Connection check failed!" + sys.exit("Connection check failed!" +