From 264f3b0d9640edeac743f339786e0a3b22c0f6c2 Mon Sep 17 00:00:00 2001
From: Grant Murphy
Date: Mon, 23 Jun 2014 05:07:54 +0000
Subject: [PATCH] remove token from notifier middleware

oslo-incubator sync to address the security bug in middleware (as below).

notifier middleware is capturing token and sending it to MQ. this is not advisable so we should filter it out.

Change-Id: Ia1bfa1bd24989681db1d2f385defc12e69a01f8d
Closes-Bug: #1321080
---
 ceilometer/openstack/common/middleware/audit.py | 2 +-
 ceilometer/openstack/common/middleware/notifier.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ceilometer/openstack/common/middleware/audit.py b/ceilometer/openstack/common/middleware/audit.py
index 1bda8d1172..bb69e313a7 100644
--- a/ceilometer/openstack/common/middleware/audit.py
+++ b/ceilometer/openstack/common/middleware/audit.py
@@ -1,6 +1,6 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
-# Copyright (c) 2013 OpenStack LLC.
+# Copyright (c) 2013 OpenStack Foundation
 # All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
diff --git a/ceilometer/openstack/common/middleware/notifier.py b/ceilometer/openstack/common/middleware/notifier.py
index ab744ff0e6..8006fe7493 100644
--- a/ceilometer/openstack/common/middleware/notifier.py
+++ b/ceilometer/openstack/common/middleware/notifier.py
@@ -66,7 +66,7 @@ class RequestNotifier(base.Middleware):
 """
 return dict((k, v) for k, v in environ.iteritems()
- if k.isupper())
+ if k.isupper() and k != 'HTTP_X_AUTH_TOKEN')
 @log_and_ignore_error
 def process_request(self, request):
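Review bot: The new condition `k != 'HTTP_X_AUTH_TOKEN'` in the `return dict(...)` expression of notifier.py drops exactly one key, so any other credential-bearing entry in the WSGI environ would still be copied into the notification payload and sent to the message queue. Standard headers such as `HTTP_AUTHORIZATION` and `HTTP_COOKIE` pass the `k.isupper()` test, and some deployments may also carry further token headers (for example `HTTP_X_SUBJECT_TOKEN` or `HTTP_X_STORAGE_TOKEN`). Consider a module-level `_SENSITIVE_ENV_KEYS = frozenset(['HTTP_X_AUTH_TOKEN', 'HTTP_AUTHORIZATION', 'HTTP_COOKIE'])` with the filter written as `if k.isupper() and k not in _SENSITIVE_ENV_KEYS)`, so the list can grow in one place. A unit test asserting that these keys are absent from the returned dict would keep the filter from regressing on the next oslo-incubator sync. The enclosing method begins above the hunk and `process_request` continues past its end, so how the filtered dict is used is not visible here.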