Module: check_mk
Branch: master
Commit: 4bfdc76bd04eaafe106ec8e5405b46f948f6cefe
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4bfdc76bd04eaa…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Sep 5 10:20:41 2018 +0200
6549 FIX Crash reports: Filter out password/_password from HTTP vars of GUI crashes
When a crash occurs during the login procedure while a password entered by the user is being
verified, the crash report could contain this password in plain text in the HTTP variable
data structure. The vars named password/_password are now explicitly filtered to prevent
this.
FEED-932
Change-Id: Ief4909a2a64e2ac8f79521a273170a4fa0a710a3
---
.werks/6549 | 14 ++++++++++++++
cmk/gui/crash_reporting.py | 3 ++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.werks/6549 b/.werks/6549
new file mode 100644
index 0000000..1564ca1
--- /dev/null
+++ b/.werks/6549
@@ -0,0 +1,14 @@
+Title: Crash reports: Filter out password/_password from HTTP vars of GUI crashes
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1536130136
+
+When a crash occurs during the login procedure where a user entered his password during
+verification of this password, the crash could contain this password in plain text in
+the HTTP variable data structure. The vars named password/_password are now explicitly
+filtered to prevent this.
diff --git a/cmk/gui/crash_reporting.py b/cmk/gui/crash_reporting.py
index 3ac10d8..57d20d6 100644
--- a/cmk/gui/crash_reporting.py
+++ b/cmk/gui/crash_reporting.py
@@ -444,7 +444,8 @@ def show_agent_output(tardata):
def create_crash_dump_info_file(tar, what):
crash_info = cmk.crash_reporting.create_crash_info(what, details={
"page" : html.myfile+".py",
- "vars" : html.request.vars,
+ "vars" : {key: "***" if value in
["password", "_password"] else value
+ for key, value in html.request.vars.iteritems()},
"username" : config.user.id,
"user_agent" : html.request.user_agent,
"referer" : html.request.referer,
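Review bot: The new dict comprehension on the added "vars" line tests `value in ["password", "_password"]`, i.e. it compares the submitted value rather than the variable name, so a password entered at login is still written to the crash report unmasked; only a request variable whose value is literally the string "password" or "_password" would be replaced. The condition should be on the key: `"vars" : {key: "***" if key in ["password", "_password"] else value for key, value in html.request.vars.iteritems()},`. Since this is the whole point of the fix, a small test that feeds a request with `_password=secret` through create_crash_dump_info_file and asserts the stored value is `"***"` would catch the inversion. A fixed two-name list also makes future sensitive fields easy to miss; consider lifting the names into a module-level constant with a comment stating that anything added to it is redacted from crash dumps. create_crash_dump_info_file's body continues past the end of the hunk.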