From 111a4b546dd1bcaab182d5c8ad694404c2c2f91c Mon Sep 17 00:00:00 2001
From: Ben Hughes <ben@puppetlabs.com>
Date: Fri, 1 Apr 2011 15:23:14 +1100
Subject: (#6857) Password disclosure when changing a user's password

Make the should_to_s and is_to_s functions to return a form of 'redacted'.

Rather than send the password hash to system logs in cases of failure or
running in --noop mode, just state whether it's the new or old hash. We're
already doing this with password changes that work, so this just brings it
inline with those, albeit via a slightly different pair of methods.
---
 lib/puppet/type/user.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'lib')

diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb
index f74e4266f..8d04fdc30 100755
--- a/lib/puppet/type/user.rb
+++ b/lib/puppet/type/user.rb
@@ -165,6 +165,14 @@ module Puppet
           return "changed password"
         end
       end
+
+      def is_to_s( currentvalue )
+        return '[old password hash redacted]'
+      end
+      def should_to_s( newvalue )
+        return '[new password hash redacted]'
+      end
+
     end
 
     newproperty(:password_min_age, :required_features => :manages_password_age) do
-- 
cgit