(#6857) Password disclosure when changing a user's password

Make the should_to_s and is_to_s functions to return a form of 'redacted'. Rather than send the password hash to system logs in cases of failure or running in --noop mode, just state whether it's the new or old hash. We're already doing this with password changes that work, so this just brings it inline with those, albeit via a slightly different pair of methods.
author: Ben Hughes <ben@puppetlabs.com> 2011-04-01 15:23:14 +1100
committer: Ben Hughes <ben@puppetlabs.com> 2011-06-01 12:35:27 -0700
commit: 111a4b546dd1bcaab182d5c8ad694404c2c2f91c (patch)
tree: 86a685fa69e176d094decb205c37046d8b680064 /lib
parent: 805b2878d0b23d76917f5210abe35489f6f84c74 (diff)
download: puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.gz
puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.xz
puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb
index f74e4266f..8d04fdc30 100755
--- a/lib/puppet/type/user.rb
+++ b/lib/puppet/type/user.rb
@@ -165,6 +165,14 @@ module Puppet
           return "changed password"
         end
       end
+
+      def is_to_s( currentvalue )
+        return '[old password hash redacted]'
+      end
+      def should_to_s( newvalue )
+        return '[new password hash redacted]'
+      end
+
     end
 
     newproperty(:password_min_age, :required_features => :manages_password_age) do
author	Ben Hughes <ben@puppetlabs.com>	2011-04-01 15:23:14 +1100
committer	Ben Hughes <ben@puppetlabs.com>	2011-06-01 12:35:27 -0700
commit	111a4b546dd1bcaab182d5c8ad694404c2c2f91c (patch)
tree	86a685fa69e176d094decb205c37046d8b680064 /lib
parent	805b2878d0b23d76917f5210abe35489f6f84c74 (diff)
download	puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.gz puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.tar.xz puppet-111a4b546dd1bcaab182d5c8ad694404c2c2f91c.zip