Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

currently http error logging of urls contains full URL including passwords. #49988

whytewolf opened this issue Oct 10, 2018 · 3 comments


None yet
3 participants
Copy link

commented Oct 10, 2018

Description of Issue/Question

Currently whenever a log uses cp.get_url or most other https actions that could result in a http error. that error is logged with the URL. However that url could contain the username and password information for a basic authentication scheme.

Since central logging could be in use it is difficult to control who has access to those logs.

So password masking would be of great help with url logging.


Simplest test is to use file.managed. and a downed http server. But really any kind of logging that has a URL in it will do this two examples follow

2018-09-27 21:01:39,124 [salt.state       :310 ][ERROR   ][7841] Unable to verify upstream hash of source file http://test:test@localhost:80/index.jinja, please set source_hash or set skip_verify to True
2018-09-27 21:02:55,370 [salt.state       :310 ][ERROR   ][7972] Failed to cache http://test:test@localhost:80/index.jinja: [Errno 111] Connection refused

Ideally something like the following would be better

2018-09-27 21:02:55,370 [salt.state       :310 ][ERROR   ][7972] Failed to cache http://test:xxxx@localhost:80/index.jinja: [Errno 111] Connection refused

Steps to Reproduce Issue

see above

Versions Report

happens in all versions

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Aug  4 2017, 00:39:18)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.4.1708 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-693.11.6.el7.x86_64
         system: Linux
        version: CentOS Linux 7.4.1708 Core

@whytewolf whytewolf added the ZD label Oct 10, 2018


This comment has been minimized.

Copy link
Contributor Author

commented Oct 10, 2018



This comment has been minimized.

Copy link

commented Oct 11, 2018

@garethgreenaway Can you take a look at this one for 2018.3.4?


This comment has been minimized.

Copy link

commented Oct 16, 2018

@whytewolf This is fixed with #50066

@rallytime rallytime closed this Oct 30, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.