[PATCH] security: do not log password
Zhang Bo
oscar.zhangbo at huawei.com
Tue May 12 13:06:14 UTC 2020
It's insecure to log password, nomatter the password is encrypted or
not. And do not log it even in debug mode, in the consideration of
resilience, surposing that the log mode has been modified by the
attacker.
Signed-off-by: Zhang Bo <oscar.zhangbo at huawei.com>
---
src/libvirt-domain.c | 3 +--
src/qemu/qemu_monitor.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index a12809c2d5..e2a57c178b 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -11340,8 +11340,7 @@ virDomainSetUserPassword(virDomainPtr dom,
const char *password,
unsigned int flags)
{
- VIR_DOMAIN_DEBUG(dom, "user=%s, password=%s, flags=0x%x",
- NULLSTR(user), NULLSTR(password), flags);
+ VIR_DOMAIN_DEBUG(dom, "user=%s, flags=0x%x", NULLSTR(user), flags);
virResetLastError();
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 9c853ccb93..9bfaf53b65 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -2241,8 +2241,7 @@ qemuMonitorSetPassword(qemuMonitorPtr mon,
if (!protocol)
return -1;
- VIR_DEBUG("protocol=%s, password=%p, action_if_connected=%s",
- protocol, password, action_if_connected);
+ VIR_DEBUG("protocol=%s, action_if_connected=%s", protocol, action_if_connected);
QEMU_CHECK_MONITOR(mon);
--
2.23.0.windows.1
More information about the libvir-list
mailing list