Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Filter password in connstr before logging it #6

Merged
merged 1 commit into from

2 participants

@antiveeranna

python/skytools/scripting.py logs full connstr on debug level, but there might be password inside this connstr. This change will filter the password before logging, so it wont leak out. (think environments that replicate logs out of the box running skytools)

@markokr markokr merged commit 5e8f9a2 into markokr:master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Dec 6, 2011
  1. filter potential passwords in connstr before logging it

    anti.veeranna authored
This page is out of date. Refresh to see the latest.
Showing with 4 additions and 2 deletions.
  1. +4 −2 python/skytools/scripting.py
View
6 python/skytools/scripting.py
@@ -3,7 +3,7 @@
"""
-import sys, os, signal, optparse, time, errno, select
+import sys, os, signal, optparse, time, errno, select, re
import logging, logging.handlers, logging.config
import skytools
@@ -712,7 +712,9 @@ def get_database(self, dbname, autocommit = 0, isolation_level = -1,
else:
if not connstr:
connstr = self.cf.get(dbname)
- self.log.debug("Connect '%s' to '%s'" % (cache, connstr))
+ # connstr might contain password, it is not a good idea to log it
+ filtered_connstr = re.sub(' password=\S+', ' password=***HIDDEN***', connstr)
+ self.log.debug("Connect '%s' to '%s'" % (cache, filtered_connstr))
dbc = DBCachedConn(cache, connstr, params['max_age'], setup_func = self.connection_hook)
self.db_cache[cache] = dbc
Something went wrong with that request. Please try again.