[yast-devel] Use URL::HidePassword() when logging an URL
Hi all,

keep in mind that a URL may contain a user name and a password. When a URL with a password is logged to y2log the password should be hidden for security reasons (see bnc#441944).

There are new functions URL::HidePassword() and URL::HidePasswordToken() for hiding the password in a URL (added in yast2-2.17.47). The first one takes a URL string as the input, the second one takes a map (as returned by the URL::Parse() function). Both functions replace the password by the string 'PASSWORD' so we can detect in y2log that a URL with a password was used.

So instead of

    y2milestone("Adding repository %1", url);

use

    y2milestone("Adding repository %1", URL::HidePassword(url));

Fortunately libzypp hides the password by default so there should not be many places which log a full URL.

And of course, this won't help if Y2DEBUG is enabled. We would need a new datatype or a flag in the interpreter to fix it with Y2DEBUG enabled.

--
Best Regards

Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o.    e-mail: lslezak@suse.cz
Lihovarská 1060/12    tel: +420 284 028 960
190 00 Prague 9       fax: +420 284 028 951
Czech Republic        http://www.suse.cz/
--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org
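The masking described in the message above, sketched in Python as an added example; it is not part of the original post and not the YaST implementation of URL::HidePassword(). The names hide_password, redact_message and RedactUrlPasswords and the sample URL are assumptions made for illustration; the logging filter goes one step beyond the post by catching call sites that forgot the explicit call.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "PASSWORD"  # fixed marker, so a log reader can tell a password was present
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")


def hide_password(url: str) -> str:
    """Return url with the password part of user:password@ replaced by MASK."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "<unparseable URL hidden>"  # fail closed rather than log it raw
    # Split at the last '@' so a raw '@' inside the password is not mistaken
    # for the end of the credentials.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    user, colon, _password = userinfo.partition(":")
    if not at or not colon:
        return url  # no password present: leave the URL untouched
    return urlunsplit(parts._replace(netloc=f"{user}:{MASK}@{hostport}"))


def redact_message(text: str) -> str:
    """Mask the password in every URL found inside a formatted log message."""
    return URL_RE.sub(lambda m: hide_password(m.group(0)), text)


class RedactUrlPasswords(logging.Filter):
    """Safety net for call sites that logged a URL without masking it first."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact_message(record.getMessage()), None
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("repo")
    log.addFilter(RedactUrlPasswords())
    # Constructed sample URL, not taken from any real system.
    url = "http://user:b1g*s3cr3t@download.example.com/repo?arch=x86_64"
    log.info("Adding repository %s", hide_password(url))  # explicit call site
    log.info("Adding repository %s", url)                 # forgotten call site
```

Both log lines come out with PASSWORD in place of the secret, while the user name and the rest of the URL stay readable.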
Ladislav Slezak wrote:
> Fortunately libzypp hides the password by default so there should not be many places which log a full URL.
Yes, the asString method hides it, but there is one method available that displays it "as it is".

Duncan
Duncan Mac-Vicar Prett wrote:
> Ladislav Slezak wrote:
> > Fortunately libzypp hides the password by default so there should not be many places which log a full URL.
> Yes, the asString method hides it, but there is one method available that displays it "as it is".
zypp::Url::asCompleteString() is used only in Pkg::SourceURL() and Pkg::ServiceURL(). So you have to explicitly request the full URL if you need it.

Also URLs in the product map (e.g. key "relnotes_urls") returned by Pkg::SourceProductData() and Pkg::ResolvableProperties(`product) are complete. All other bindings return URL without password.

--
Best Regards

Ladislav Slezák
Yast Developer
On Wednesday, 26 November 2008, Ladislav Slezak wrote:
> And of course, this won't help if Y2DEBUG is enabled. We would need a new datatype or a flag in the interpreter to fix it with Y2DEBUG enabled.
I don't think this can be done in the general case: Both the YCP interpreter
and the UI are logging entire statements or statement snippets. You can never
tell what part of that might contain confidential data like passwords.
Example:
UI::OpenDialog(`VBox(..., `Password( _( "Password:" ), "b1g*s3cr3t", ...);
In full debug mode, the YCP interpreter will write this to the log, and if
there is a YCP or a UI syntax error or another UI exception, the offending
statement (which might easily contain something like the above example) will
be logged.
CU
--
Stefan Hundhammer
On Wed, Nov 26, 2008 at 11:47:53AM +0100, Stefan Hundhammer wrote:
> On Wednesday, 26 November 2008, Ladislav Slezak wrote:
> > And of course, this won't help if Y2DEBUG is enabled. We would need a new datatype or a flag in the interpreter to fix it with Y2DEBUG enabled.
> I don't think this can be done in the general case: Both the YCP interpreter and the UI are logging entire statements or statement snippets. You can never tell what part of that might contain confidential data like passwords.
> Example:
> UI::OpenDialog(`VBox(..., `Password( _( "Password:" ), "b1g*s3cr3t", ...);
> In full debug mode, the YCP interpreter will write this to the log, and if there is a YCP or a UI syntax error or another UI exception, the offending statement (which might easily contain something like the above example) will be logged.

A nice feature would be to tell YCP that a string is a password and thus the string is never logged.

ciao Arvin
On Wednesday 26 November 2008 11:57:49 Arvin Schnell wrote:
> On Wed, Nov 26, 2008 at 11:47:53AM +0100, Stefan Hundhammer wrote:
> > On Wednesday, 26 November 2008, Ladislav Slezak wrote:
> > > And of course, this won't help if Y2DEBUG is enabled. We would need a new datatype or a flag in the interpreter to fix it with Y2DEBUG enabled.
> > I don't think this can be done in the general case: Both the YCP interpreter and the UI are logging entire statements or statement snippets. You can never tell what part of that might contain confidential data like passwords.
> > Example:
> > UI::OpenDialog(`VBox(..., `Password( _( "Password:" ), "b1g*s3cr3t", ...);
> > In full debug mode, the YCP interpreter will write this to the log, and if there is a YCP or a UI syntax error or another UI exception, the offending statement (which might easily contain something like the above example) will be logged.
> A nice feature would be to tell YCP that a string is a password and thus the string is never logged.

We had that a long time ago, but it turned out to be quite some hassle because you have to deal with the fact that you cannot use this type as a normal string. And we don't have any way to attach flags to string values to identify passwords or similar.

Stano
On Wed, Nov 26, 2008 at 12:32:44PM +0100, Stanislav Visnovsky wrote:
> On Wednesday 26 November 2008 11:57:49 Arvin Schnell wrote:
> > On Wed, Nov 26, 2008 at 11:47:53AM +0100, Stefan Hundhammer wrote:
> > > In full debug mode, the YCP interpreter will write this to the log, and if there is a YCP or a UI syntax error or another UI exception, the offending statement (which might easily contain something like the above example) will be logged.
> > A nice feature would be to tell YCP that a string is a password and thus the string is never logged.
> We had that a long time ago, but it turned out to be quite some hassle because you have to deal with the fact that you cannot use this type as a normal string. And we don't have any way to attach flags to string values to identify passwords or similar.

I can't remember those times. Was this in libzypp or in YCP?

For YCP I don't see the problem you mention. Just add a flag to YCPString and propagate it in all builtins. Then check the flag in the logging functions, in ".target.ycp" and similar.

I could use this feature to save the password for encryption in the storage target map. Right now the passwords are saved in an extra map where the key is the device name *or* the file name for crypt files. This is not really straightforward and has caused bugs during the partitioner redesign.

ciao Arvin
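The flag idea discussed in the last messages, modelled in Python as an added example; it is not part of the thread and not YCP interpreter code. YString, the three "builtins" and log_repr are hypothetical names; the model shows the flag reaching the log function through builtins that propagate it, and being lost by one builtin that was not updated.

```python
from dataclasses import dataclass

MASK = "PASSWORD"


@dataclass(frozen=True)
class YString:
    """Hypothetical stand-in for a string value carrying a 'secret' flag."""
    value: str
    secret: bool = False


def _raw(a):
    return a.value if isinstance(a, YString) else str(a)


def _flag(*args):
    # The result is secret as soon as any input is secret.
    return any(isinstance(a, YString) and a.secret for a in args)


# Two builtins that propagate the flag from their arguments to the result.
def concat(a, b):
    return YString(_raw(a) + _raw(b), _flag(a, b))


def substring(s, start, length):
    return YString(_raw(s)[start:start + length], _flag(s))


# A builtin that was not updated: the result silently loses the flag.
def toupper_unpatched(s):
    return YString(_raw(s).upper())


def log_repr(v):
    """What a flag-aware logging function would write for a value."""
    if isinstance(v, YString):
        return MASK if v.secret else repr(v.value)
    if isinstance(v, dict):
        return "{" + ", ".join(f"{log_repr(k)}: {log_repr(x)}" for k, x in v.items()) + "}"
    if isinstance(v, (list, tuple)):
        return "[" + ", ".join(log_repr(x) for x in v) + "]"
    return repr(v)


if __name__ == "__main__":
    pw = YString("b1g*s3cr3t", secret=True)       # sample value from the thread
    target = {"device": "/dev/sda2", "crypt_pwd": pw}  # constructed map
    print(log_repr(target))                       # password masked inside the map
    print(log_repr(concat("pw=", pw)))            # flag propagated: masked
    print(log_repr(toupper_unpatched(pw)))        # flag lost: value is logged
```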
participants (5)
- Arvin Schnell
- Duncan Mac-Vicar Prett
- Ladislav Slezak
- Stanislav Visnovsky
- Stefan Hundhammer