@Eric alright, sadly I suspect Paul's comment #13 to be still valid (considering the attack only needs an extra crafted cookie).
In order to treat this as a Class A, we need a fix that really mitigates the attack for all supported releases...
FYI, the other options are:
* fix this publicly (might help to get a patch in).
* treat this as a B2 class type of bug (which means fix and/or security note).
How long do you think it will take to have such a fix covering django-openstack-auth?