From: Zhang Bo
Subject: [PATCH] security: do not log password
Date: Tue, 12 May 2020 21:06:14 +0800
Message-ID: <20200512130614.829-1-oscar.zhangbo@huawei.com>
Cc: xuding42@huawei.com, Zhang Bo, wujing42@huawei.com, dengkai1@huawei.com
List-Id: Development discussions about the libvirt library & tools

It's insecure to log a password, no matter whether the password is encrypted or not.
And do not log it even in debug mode, in consideration of resilience,
supposing that the log mode has been modified by the attacker.

Signed-off-by: Zhang Bo
---
 src/libvirt-domain.c    | 3 +--
 src/qemu/qemu_monitor.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index a12809c2d5..e2a57c178b 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -11340,8 +11340,7 @@ virDomainSetUserPassword(virDomainPtr dom, const char *password, unsigned int flags) { - VIR_DOMAIN_DEBUG(dom, "user=3D%s, password=3D%s, flags=3D0x%x", - NULLSTR(user), NULLSTR(password), flags); + VIR_DOMAIN_DEBUG(dom, "user=3D%s, flags=3D0x%x", NULLSTR(user), flags); =20 virResetLastError(); =20 diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 9c853ccb93..9bfaf53b65 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -2241,8 +2241,7 @@ qemuMonitorSetPassword(qemuMonitorPtr mon, if (!protocol) return -1; =20 - VIR_DEBUG("protocol=3D%s, password=3D%p, action_if_connected=3D%s", - protocol, password, action_if_connected); + VIR_DEBUG("protocol=3D%s, action_if_connected=3D%s", protocol, action_= if_connected); =20 QEMU_CHECK_MONITOR(mon); =20 --=20 2.23.0.windows.1
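Review bot: The commit message should name the VIR_DOMAIN_DEBUG call in virDomainSetUserPassword (src/libvirt-domain.c hunk) as the one that printed the password text, since it used "password=%s" with NULLSTR(password), and should say whether the code this string is handed to after the entry point was checked for similar debug output. The diffstat lists only two files, so a reader cannot tell whether other log sites were audited or simply not found.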
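Review bot: In qemuMonitorSetPassword (src/qemu/qemu_monitor.c hunk) the removed format string used "password=%p", which prints the pointer value rather than the password text, so this hunk does not close a password leak the way the libvirt-domain.c hunk does. Either drop it from the patch or explain in the commit message why the address should not be logged. If it stays, the new VIR_DEBUG call is a single long line where the original was wrapped over two; wrap the arguments again.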