From fc028bf57a3ff128d21b904583f9ea02f672ed5b Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 8 Jan 2019 14:03:25 +0000 Subject: [PATCH] v2v: -o openstack: Don't echo full commands (RHBZ#1664310). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit They can contain passwords or tokens if for example the ‘-oo os-password’ option is used. Thanks: Tomáš Golembiovský, Brett Thurber. --- v2v/output_openstack.ml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/v2v/output_openstack.ml b/v2v/output_openstack.ml index 95c42cbed..d187f1d5d 100644 --- a/v2v/output_openstack.ml +++ b/v2v/output_openstack.ml @@ -177,8 +177,11 @@ class output_openstack output_conn output_password output_storage let stdout_fd = if verbose () then None else Some (openfile "/dev/null" [O_WRONLY] 0) in - (* Note that run_command will close stdout_fd if defined. *) - Tools_utils.run_command ?stdout_fd cmd + (* Note that run_command will close stdout_fd if defined. + * Don't echo the whole command because it can contain passwords. + *) + debug "openstack [...] %s" (String.concat " " args); + Tools_utils.run_command ~echo_cmd:false ?stdout_fd cmd in (* Similar to above, run the openstack command and capture the @@ -192,8 +195,11 @@ class output_openstack output_conn output_password output_storage unlink_on_exit json; let fd = descr_of_out_channel chan in - (* Note that Tools_utils.run_command closes fd. *) - if Tools_utils.run_command ~stdout_fd:fd cmd <> 0 then + (* Note that Tools_utils.run_command closes fd. + * Don't echo the whole command because it can contain passwords. + *) + debug "openstack [...] %s" (String.concat " " args); + if Tools_utils.run_command ~echo_cmd:false ~stdout_fd:fd cmd <> 0 then None else ( let json = json_parser_tree_parse_file json in