diff options
author | Sam Thursfield <sam@afuera.me.uk> | 2014-08-29 10:20:13 +0000 |
---|---|---|
committer | Sam Thursfield <sam@afuera.me.uk> | 2014-09-19 14:32:56 +0000 |
commit | 359248a35948d2060dba97ef7073c155e3b9c1bb (patch) | |
tree | f3794295153601b58a12c0576a12e3a89b0f6063 /morphlib/app.py | |
parent | a32de7934cce79dda2b8dc20be1c5ec94109869e (diff) | |
download | morph-359248a35948d2060dba97ef7073c155e3b9c1bb.tar.gz |
Don't log environment variables with 'PASSWORD' in their name.
This involved rewriting the util.log_dict_diff() function. It has been
renamed to log_environment_changes() to better reflect its purpose.
It no longer logs both the old and new values in the event of an
environment variable changing. It now just logs the new value. This makes
the code simpler and seems like it should not be a big problem.
Some projects recommend passing credentials through the environment.
OpenStack does this, for example, see:
<http://docs.openstack.org/user-guide/content/cli_openrc.html>
It's unlikely that users would be happy about applications saving
these passwords in log files all over their system.
I do not recommend ever storing valuable passwords in the environment.
Diffstat (limited to 'morphlib/app.py')
-rw-r--r-- | morphlib/app.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/morphlib/app.py b/morphlib/app.py index 88eb58a4..25f705f7 100644 --- a/morphlib/app.py +++ b/morphlib/app.py @@ -493,7 +493,7 @@ class Morph(cliapp.Application): # Log the environment. prev = getattr(self, 'prev_env', {}) - morphlib.util.log_dict_diff(self, kwargs['env'], prev) + morphlib.util.log_environment_changes(self, kwargs['env'], prev) self.prev_env = kwargs['env'] # run the command line |