Let's not expose user & admin passwords, either by having an option to be used to set those passwords or in the debug messages.

'CVE-2019-10183' has been assigned to the virt-install --unattended admin-password=xxx disclosure issue.

Changes since v1:
https://www.redhat.com/archives/virt-tools-list/2019-July/msg00013.html
- passowrd -> password;
- pwd.read().rstrip("\n\r") -> pwd.readline().rstrip("\n\r") + document this in our manpage;
- create a new config, with the sanitised password, and use it to print the script content as a debug message;

Fabiano Fidêncio (2):
  unattended: Read the passwords from a file
  unattended: Don't log user & admin passwords

 man/virt-install.pod                  | 24 ++++++++----
 tests/cli-test-xml/admin-password.txt |  1 +
 tests/cli-test-xml/user-password.txt  |  3 ++
 tests/clitest.py                      | 18 +++++----
 virtinst/cli.py                       |  4 +-
 virtinst/install/unattended.py        | 56 ++++++++++++++++++++-------
 6 files changed, 76 insertions(+), 30 deletions(-)
 create mode 100644 tests/cli-test-xml/admin-password.txt
 create mode 100644 tests/cli-test-xml/user-password.txt

--
2.21.0
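The two changes listed above (taking the password from the first line of a file, and logging a script rendered from a sanitised copy of the config), as an added Python example that is not virt-install's code. `UnattendedConfig`, `read_password_file`, `sanitised`, `render_script`, `build_script`, the mask string and the script template are hypothetical names and values constructed for illustration.

```python
import logging
from dataclasses import dataclass, replace

log = logging.getLogger("unattended-example")
MASK = "[SCRUBBED]"  # assumption: any fixed placeholder works


@dataclass
class UnattendedConfig:
    """Hypothetical stand-in for the installer's config object."""
    user_login: str
    user_password: str
    admin_password: str


def read_password_file(path):
    """Return only the first line of the file, without its line terminator.

    readline() instead of read() means trailing lines (notes, a second
    newline added by an editor) never end up inside the password.
    """
    with open(path, "r") as pwd:
        return pwd.readline().rstrip("\n\r")


def sanitised(config):
    """Return a copy that is safe to log; the original is left untouched."""
    return replace(config, user_password=MASK, admin_password=MASK)


def render_script(config):
    # Constructed template standing in for the generated install script.
    return ("user --name={0.user_login} --password={0.user_password}\n"
            "rootpw {0.admin_password}\n").format(config)


def build_script(config):
    """Render the real script, but log the rendering of the sanitised copy."""
    log.debug("Generated unattended script:\n%s",
              render_script(sanitised(config)))
    return render_script(config)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample values; real ones would come from read_password_file().
    cfg = UnattendedConfig("alice", "user-pw-123", "admin-pw-456")
    build_script(cfg)  # the debug output shows [SCRUBBED], never the passwords
```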