author Matthew Oliver <matt@oliver.net.au> 2022-02-03 16:29:53 +1100
committer Alistair Coles <alistairncoles@gmail.com> 2022-02-09 10:53:46 +0000
commit f2c279bae94689e2062beb6d0030d168a0b4cbdf (patch)
tree 7b3d56149b30b96280a4db12e1c8cb859946cc42 /etc
parent 57f17ace7c911b80587a03634346478b6ca432e8 (diff)
download swift-f2c279bae94689e2062beb6d0030d168a0b4cbdf.tar.gz
Trim sensitive information in the logs (CVE-2017-8761)
Several headers and query params were previously revealed in logs but
are now redacted:

  * X-Auth-Token header (previously redacted in the {auth_token} field,
    but not the {headers} field)
  * temp_url_sig query param (used by tempurl middleware)
  * Authorization header and X-Amz-Signature and Signature query
    parameters (used by s3api middleware)

This patch adds some new middleware helper methods to track headers and
query parameters that should be redacted by proxy-logging. While
instantiating the middleware, authors can call either:

   register_sensitive_header('case-insensitive-header-name')
   register_sensitive_param('case-sensitive-query-param-name')

to add items that should be redacted. The redaction uses proxy-logging's
existing reveal_sensitive_prefix config option to determine how much to
reveal.

Note that query params will still be logged in their entirety if
eventlet_debug is enabled.

UpgradeImpact
=============
The reveal_sensitive_prefix config option now applies to more items;
operators should review their currently-configured value to ensure it
is appropriate for these new contexts. In particular, operators should
consider reducing the value if it is more than 20 or so, even if that
previously offered sufficient protection for auth tokens.

Co-Authored-By: Tim Burke <tim.burke@gmail.com>
Closes-Bug: #1685798
Change-Id: I88b8cfd30292325e0870029058da6fb38026ae1a
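
Added example, not part of the commit and not Swift's implementation: the redaction behaviour the commit message describes, as stand-alone Python. The two registries, obscure(), redact_headers(), redact_query() and the sample values are assumptions made for illustration; only the two register_* names and the header and query parameter names come from the commit message.

```python
from urllib.parse import parse_qsl, urlencode

# Hypothetical stand-ins for the registries the commit message describes;
# this is not Swift's code.
SENSITIVE_HEADERS = set()  # stored lower-cased: header names match case-insensitively
SENSITIVE_PARAMS = set()   # stored as given: query param names match case-sensitively


def register_sensitive_header(name):
    SENSITIVE_HEADERS.add(name.lower())


def register_sensitive_param(name):
    SENSITIVE_PARAMS.add(name)


def obscure(value, reveal_sensitive_prefix):
    """Keep the first N characters and replace the remainder with '...'.
    Assumption: a value no longer than N is written unchanged."""
    if len(value) > reveal_sensitive_prefix:
        return value[:reveal_sensitive_prefix] + '...'
    return value


def redact_headers(headers, prefix):
    return {k: obscure(v, prefix) if k.lower() in SENSITIVE_HEADERS else v
            for k, v in headers.items()}


def redact_query(query, prefix):
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, obscure(v, prefix) if k in SENSITIVE_PARAMS else v)
                      for k, v in pairs])


# Names taken from the commit message above.
register_sensitive_header('X-Auth-Token')
register_sensitive_header('Authorization')
for p in ('temp_url_sig', 'X-Amz-Signature', 'Signature'):
    register_sensitive_param(p)

# Constructed sample request data (not real credentials).
SAMPLE_HEADERS = {'x-auth-token': 'AUTH_tk' + 'a' * 32, 'Host': 'swift.example'}
SAMPLE_QUERY = 'temp_url_sig=' + 'b' * 40 + '&temp_url_expires=1700000000'

if __name__ == '__main__':
    for n in (0, 16, 1000):
        print(n, redact_headers(SAMPLE_HEADERS, n), redact_query(SAMPLE_QUERY, n))
```

Running it with prefixes 0, 16 and 1000 shows the three regimes the sample config comment describes: fully suppressed, partially revealed, and written in full.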
Diffstat (limited to 'etc')
-rw-r--r-- etc/proxy-server.conf-sample 24
1 files changed, 14 insertions, 10 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 759bd7cd2..ef49c430f 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -86,6 +86,9 @@ bind_port = 8080
# cors_expose_headers =
#
# client_timeout = 60.0
+#
+# Note: enabling evenlet_debug might reveal sensitive information, for example
+# signatures for temp urls
# eventlet_debug = false
#
# You can set scheduling priority of processes. Niceness values range from -20
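Review bot: The added note above eventlet_debug misspells the option as "evenlet_debug", so a search of the sample config for the option name will not find the warning; it should read "eventlet_debug". The note could also state the concrete effect given in the commit message, that query params are logged in their entirety when the option is enabled, instead of "might reveal sensitive information".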
@@ -998,16 +1001,17 @@ use = egg:swift#proxy_logging
# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
# access_log_headers_only =
#
-# By default, the X-Auth-Token is logged. To obscure the value,
-# set reveal_sensitive_prefix to the number of characters to log.
-# For example, if set to 12, only the first 12 characters of the
-# token appear in the log. An unauthorized access of the log file
-# won't allow unauthorized usage of the token. However, the first
-# 12 or so characters is unique enough that you can trace/debug
-# token usage. Set to 0 to suppress the token completely (replaced
-# by '...' in the log).
-# Note: reveal_sensitive_prefix will not affect the value
-# logged with access_log_headers=True.
+# The default log format includes several sensitive values in logs:
+# * X-Auth-Token header
+# * temp_url_sig query parameter
+# * Authorization header
+# * X-Amz-Signature query parameter
+# To prevent an unauthorized access of the log file leading to an unauthorized
+# access of cluster data, only a portion of these values are written, with the
+# remainder replaced by '...' in the log. Set reveal_sensitive_prefix to the
+# number of characters to log. Set to 0 to suppress the values entirely; set
+# to something large (1000, say) to write full values. Note that some values
+# may start appearing in full at values as low as 33.
# reveal_sensitive_prefix = 16
#
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
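Review bot: The new list of sensitive values above reveal_sensitive_prefix omits the Signature query parameter, which the commit message names alongside X-Amz-Signature as redacted for s3api; add it so operators see the full set the option now governs. The closing sentence "some values may start appearing in full at values as low as 33" does not say which values, and the removed note about access_log_headers has no replacement stating whether the {headers} field is now covered; one line for each would help operators choose a setting.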