From 390259bb40f85b20ea181166bf082f8b97c0a824 Mon Sep 17 00:00:00 2001 From: Tristan Cacqueray Date: Tue, 7 Oct 2014 18:55:54 +0000 Subject: [PATCH] Sync process utils from oslo This patch backports the missing change to fix ssh_execute password leak ------------------------------------------------ The sync pulls in the following changes: 105169f8 - Mask passwords in exceptions and error messages (SSH) ----------------------------------------------- Closes-Bug: 1377981 Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958 --- cinder/openstack/common/processutils.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/cinder/openstack/common/processutils.py b/cinder/openstack/common/processutils.py index d163124e9b6..24d0ba3e5cb 100644 --- a/cinder/openstack/common/processutils.py +++ b/cinder/openstack/common/processutils.py @@ -221,7 +221,8 @@ def trycmd(*args, **kwargs): def ssh_execute(ssh, cmd, process_input=None, addl_env=None, check_exit_code=True): - LOG.debug(_('Running cmd (SSH): %s'), cmd) + sanitized_cmd = strutils.mask_password(cmd) + LOG.debug(_('Running cmd (SSH): %s'), sanitized_cmd) if addl_env: raise InvalidArgumentError(_('Environment not supported over SSH')) @@ -235,7 +236,10 @@ def ssh_execute(ssh, cmd, process_input=None, # NOTE(justinsb): This seems suspicious... # ...other SSH clients have buffering issues with this approach stdout = stdout_stream.read() + sanitized_stdout = strutils.mask_password(stdout) stderr = stderr_stream.read() + sanitized_stderr = strutils.mask_password(stderr) + stdin_stream.close() exit_status = channel.recv_exit_status() @@ -245,8 +249,8 @@ def ssh_execute(ssh, cmd, process_input=None, LOG.debug(_('Result was %s') % exit_status) if check_exit_code and exit_status != 0: raise ProcessExecutionError(exit_code=exit_status, - stdout=stdout, - stderr=stderr, - cmd=cmd) + stdout=sanitized_stdout, + stderr=sanitized_stderr, + cmd=sanitized_cmd) - return (stdout, stderr) + return (sanitized_stdout, sanitized_stderr)