Internal endpoint address revealed in a cookie

Bug #1787943 reported by Radomir Dopieralski
Affects                        Status        Importance  Assigned to          Milestone
OpenStack Dashboard (Horizon)  Fix Released  Undecided   Radomir Dopieralski
django-openstack-auth          New           Undecided   Radomir Dopieralski

Bug Description

When the user logs in, django-openstack-auth sets a "login_region" key in the cookie to the value of the internal Keystone address. This is a potential security problem, as information about the internal addresses is leaked to the outside.

Radomir Dopieralski (deshipu) wrote :

The code responsible for this is here:
https://github.com/openstack/django_openstack_auth/blob/stable/ocata/openstack_auth/views.py#L108-L109

We should probably encrypt the value somehow before setting it.

Radomir Dopieralski (deshipu) wrote :
Changed in django-openstack-auth:
assignee: nobody → Radomir Dopieralski (deshipu)
Changed in horizon:
assignee: nobody → Radomir Dopieralski (deshipu)
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/593650
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=16c4f4c3a294040bb87386156dab49f2b782ce21
Submitter: Zuul
Branch: master

commit 16c4f4c3a294040bb87386156dab49f2b782ce21
Author: Radomir Dopieralski <email address hidden>
Date: Mon Aug 20 16:41:30 2018 +0200

    Don't expose endpoint URLs in the login form

    Instead of using endpoint URLs to designate regions in the login
    form and its cookies, use numbers. This way, if internal URLs are
    configured, they won't be exposed to the outside.

    Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0
    Closes-bug: #1787943

Changed in horizon:
status: New → Fix Released
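The bug description and the merged commit message above describe the two behaviours in question: a login-region cookie that carries the configured Keystone endpoint URL, and the fix, which stores a region number instead. The following is an added example written for this page, not Horizon's or django-openstack-auth's own code; it shows why the URL-bearing cookie leaks an internal host, how the index-based cookie avoids that, and the bounds check a defender wants when mapping the cookie back to an endpoint. The region list is constructed sample data in the spirit of Horizon's AVAILABLE_REGIONS setting; the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (assumption: (endpoint URL, display name)
# pairs, as in Horizon's AVAILABLE_REGIONS). The hosts are internal-only.
AVAILABLE_REGIONS = [
    ("http://keystone.internal.example:5000/v3", "RegionOne"),
    ("http://10.0.0.12:5000/v3", "RegionTwo"),
]


def region_cookie_value_leaky(endpoint_url):
    """Pre-fix behaviour: the cookie carries the endpoint URL verbatim,
    so anyone who can read the cookie learns the internal address."""
    return endpoint_url


def region_cookie_value_safe(endpoint_url, regions=AVAILABLE_REGIONS):
    """Post-fix behaviour: the cookie carries only the region's position in
    the configured list, which says nothing about the address itself."""
    for index, (url, _name) in enumerate(regions):
        if url == endpoint_url:
            return str(index)
    raise ValueError("endpoint is not a configured region")


def endpoint_from_cookie(cookie_value, regions=AVAILABLE_REGIONS):
    """Resolve a cookie value back to an endpoint URL. Anything that is not a
    valid index into the configured regions (tampered, stale, or missing
    cookie) resolves to None, so a client can never steer the login to an
    arbitrary URL of its choosing."""
    try:
        index = int(cookie_value)
    except (TypeError, ValueError):
        return None
    if 0 <= index < len(regions):
        return regions[index][0]
    return None


def cookie_reveals_internal_host(cookie_value, regions=AVAILABLE_REGIONS):
    """Check a cookie value the way an outside observer would: does it
    contain the host part of any configured endpoint?"""
    hosts = {urlsplit(url).hostname for url, _name in regions}
    return any(host and host in cookie_value for host in hosts)


if __name__ == "__main__":
    url = AVAILABLE_REGIONS[1][0]
    for label, value in (("leaky", region_cookie_value_leaky(url)),
                         ("safe", region_cookie_value_safe(url))):
        print(label, repr(value), "reveals host:",
              cookie_reveals_internal_host(value))
```

The index-based cookie still needs the server-side list to be the single source of truth: the client only ever names a position, and the resolver refuses positions that do not exist.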
Adam Young (ayoung) wrote :

So...think about this:

OpenStack is first and foremost a set of APIs. These are web services, and they are meant for consumption from many clients, not just Horizon.

IFF Horizon is the only path into the systems, then those endpoints should not be publicly routable. Thus, the security value of this change is merely hiding information that is non-usable.

OTOH, if the APIs are exposed to the outside world, this patch is hiding public information. It might minimize the exposure, but it really provides no security advantage.

And, the "fix" breaks WebSSO which IS a security enhancement.

I think you should revert the fix, and tag this bug as Won't Fix.

Radomir Dopieralski (deshipu) wrote :

There are public endpoints, and those can be exposed, and there are private endpoints, and those should not.

Breaking WebSSO is not an intended feature of this fix, merely a bug that slipped through because nobody ever uses or tests WebSSO here, and the automated tests didn't catch it. It can be fixed with a literally single-line change, and I have already submitted the fix at https://review.openstack.org/#/c/611387/ — if you have a working WebSSO setup, you can help by testing it.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 15.0.0.0b1

This issue was fixed in the openstack/horizon 15.0.0.0b1 development milestone.
