Do not leak X-Auth-Token when logging curl requests

We pass *encoded* headers to log_curl_request, but then compare them to *unencoded* sensitive headers that must be redacted (basically comparing bytes to strings). This means no header is ever redacted. Store sensitive headers as bytes rather than strings to fix this issue. Change-Id: I06785704750e8c4b23d1276514949655e6dcb7ab Closes-Bug: #2051712
2024-03-27 19:37:25 +01:00 · 2024-03-27 19:37:25 +01:00 · 28497adc33
commit 28497adc33
parent 769dd2e78d
1 changed files with 4 additions and 1 deletions
--- a/glanceclient/common/utils.py
+++ b/glanceclient/common/utils.py
@ -42,7 +42,10 @@ from glanceclient import exc

 _memoized_property_lock = threading.Lock()

-SENSITIVE_HEADERS = ('X-Auth-Token', )
+# NOTE(cyril): Sensitive headers must be bytes, not strings, because when we
+# compare them to actual headers in safe_header, headers have already been
+# encoded.
+SENSITIVE_HEADERS = (b'X-Auth-Token', )
 REQUIRED_FIELDS_ON_DATA = ('disk_format', 'container_format')