Comment 2 for bug 1628031

Jamie Lennox (jamielennox) wrote : Re: keystonemiddleware logs token in stacktrace

So we should definitely fix the OSError thrown by auth_token middleware; however, this is going to happen with anything that gets caught by catch_errors. By printing the webob request, the whole request is going to be printed into the log, including headers. I'm not sure what happens here with large binary data in the request.

There are two ways we can fix this.

Either we change the logging to log only the URL and basic data, or we scrub the sensitive data from the full output. Having never used the middleware, I don't know which is more useful for people.

I'm attaching a patch that would scrub the token data from the logged request. We would want to scrub at least X-Auth-Token, X-Service-Token and X-Subject-Token. I don't mind if we log a simpler version of the request instead.

IMO this bug doesn't need to be private.
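
The scrubbing option described in the comment above, sketched as an added example; this is not the patch attached to the bug and not keystonemiddleware code. The names `scrub_headers`, `TokenScrubFilter` and `SAMPLE_REQUEST` are hypothetical, and the request text is constructed sample data.

```python
import logging
import re

# Header names taken from the comment above; HTTP header names are case-insensitive.
SENSITIVE_HEADERS = ("X-Auth-Token", "X-Service-Token", "X-Subject-Token")
REDACTED = "<redacted>"

# Match "Name: value" at the start of a line, plus any folded continuation
# lines (lines that begin with a space or tab), without consuming the CRLF.
_HEADER_RE = re.compile(
    r"^(?P<name>%s)(?P<sep>[ \t]*:[ \t]*)[^\r\n]*(?:\r?\n[ \t]+[^\r\n]*)*"
    % "|".join(re.escape(h) for h in SENSITIVE_HEADERS),
    re.IGNORECASE | re.MULTILINE,
)


def scrub_headers(text):
    """Return text with the values of the sensitive headers replaced."""
    return _HEADER_RE.sub(
        lambda m: m.group("name") + m.group("sep") + REDACTED, text)


class TokenScrubFilter(logging.Filter):
    """Scrub token headers from a record's message before handlers see it."""

    def filter(self, record):
        # Render msg % args first so a request passed as a log argument is
        # covered too, then freeze the scrubbed string as the message.
        record.msg = scrub_headers(record.getMessage())
        record.args = ()
        return True


# Constructed sample: the text form of a request, as it would appear in a log.
SAMPLE_REQUEST = (
    "GET /v3/servers HTTP/1.0\r\n"
    "Host: api.example.test\r\n"
    "X-Auth-Token: constructed-auth-token\r\n"
    "x-service-token:\tconstructed-service-token\r\n"
    "X-Subject-Token: constructed-subject\r\n"
    " -token-folded\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)

if __name__ == "__main__":
    log = logging.getLogger("scrub_demo")
    handler = logging.StreamHandler()
    handler.addFilter(TokenScrubFilter())
    log.addHandler(handler)
    log.error("An error occurred processing the request: %s", SAMPLE_REQUEST)
```

The filter rewrites only the record's message; traceback text that the formatter appends from `exc_info` is not scrubbed by it.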