Comment 16 for bug 1308413

Thierry Carrez (ttx) wrote :

OK, so I discussed this with various fellows on the Glance and VMT side. Our take is that the Registry server, as it currently stands, is designed to be operated on a trusted network, which feeds it proper headers. If you don't run Keystone, the header should be set by whatever you use. If you operate in noAuth mode, security should be handled higher in the stack. So this is not an exploitable vulnerability, and shall result in no OSSA.

That said, there certainly seems to be room for improvement here, which would allow the Registry server to be operated over untrusted networks. That includes (but probably is not limited to) defaulting to list fewer things if you fail to provide it the proper headers. That's security strengthening, and we encourage it in future versions of OpenStack, and it shall be developed in the open.

Therefore I suggest that this bug be kept open so that improvements in this area can continue to be discussed. It shall be publicly opened so that everyone can participate in the discussion. Unless someone involved complains, this bug shall therefore be opened in a few days.
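The design point in the comment, a registry that trusts identity headers set by an upstream auth layer and should default to listing less when they are missing, as an added example that is not Glance's code: the header names X-Identity-Status, X-Tenant-Id and X-Roles are the ones keystone's auth middleware sets, while the catalogue, the RequestContext type and the two listing functions are constructed here to contrast the permissive trusted-network default with a fail-closed one.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Image:
    name: str
    owner: str
    is_public: bool


# Constructed sample catalogue, not real data.
CATALOGUE: List[Image] = [
    Image("base-os", owner="tenant-a", is_public=True),
    Image("tenant-a-private", owner="tenant-a", is_public=False),
    Image("tenant-b-private", owner="tenant-b", is_public=False),
]


@dataclass(frozen=True)
class RequestContext:
    tenant: Optional[str]
    roles: FrozenSet[str]
    confirmed: bool  # True only if the auth layer vouched for the identity


def context_from_headers(headers: Dict[str, str]) -> RequestContext:
    """Build a context from the identity headers an upstream auth layer sets."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    roles = frozenset(r.strip().lower() for r in h.get("x-roles", "").split(",") if r.strip())
    return RequestContext(
        tenant=h.get("x-tenant-id"),
        roles=roles,
        confirmed=h.get("x-identity-status") == "Confirmed",
    )


def list_images_permissive(ctx: RequestContext, catalogue: List[Image]) -> List[Image]:
    """Trusted-network model: a missing identity is treated as unrestricted."""
    if ctx.tenant is None:
        return list(catalogue)
    return [i for i in catalogue if i.is_public or i.owner == ctx.tenant]


def list_images_fail_closed(ctx: RequestContext, catalogue: List[Image]) -> List[Image]:
    """Hardened model: without a confirmed identity, only public images are listed."""
    if not ctx.confirmed or ctx.tenant is None:
        return [i for i in catalogue if i.is_public]
    if "admin" in ctx.roles:
        return list(catalogue)
    return [i for i in catalogue if i.is_public or i.owner == ctx.tenant]
```

Either model is only sound if the service is reachable solely through the auth layer that sets these headers, which is the trusted-network assumption the comment describes; the fail-closed variant simply limits the damage when that assumption does not hold.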