Comment 17 for bug 1575913

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/367629
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d07fedc45f91449787d939a5bf4cc00a0d100652
Submitter: Jenkins
Branch: master

commit d07fedc45f91449787d939a5bf4cc00a0d100652
Author: Matt Borland <email address hidden>
Date: Thu Sep 8 14:50:23 2016 -0600

    Use POST not GET for keypair generation

    This patch fixes the Cross-Site Request Forgery (CSRF) attack against
    the keypair generation pages:
    - HORIZON_URL/project/key_pairs/PAIRNAME/generate/
    - HORIZON_URL/project/key_pairs/PAIRNAME/download/
    These pages exposed creating and/or overwriting a keypair with a given
    name via a CSRF attack.

    This patch closes these holes by using only POST-based keypair creation,
    and exposing the keypair in the contents of a modal dialog instead of a
    download, which ultimately requires a GET. It uses the same client-side
    features for both the Launch Instance keypair creation and Compute / Key
    Pairs panel.

    Closes-Bug: 1575913
    Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6
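The commit message above describes the shape of the hole and of the fix: a GET URL that creates or overwrites a keypair can be triggered from any page the victim visits (an image tag or link is enough, and the browser attaches the Horizon session cookie), and Django's CSRF middleware only checks unsafe methods such as POST, so a state-changing GET sidesteps it. The example below is added here to illustrate that before/after; it is not Horizon or Django code. The sessions, request objects, keypair store, placeholder key material and view functions are simplified stand-ins (assumptions made for illustration), and the token check models a synchronizer token of the kind Django's `csrfmiddlewaretoken` field carries.

```python
"""Added example (not Horizon or Django code) modelling the pre-fix GET
keypair view and the POST-plus-CSRF-token shape the fix moved to.
Sessions, requests, the keypair store and the token check are simplified
stand-ins for Horizon/Django internals (assumptions made for illustration)."""
import hmac
import secrets
from dataclasses import dataclass, field
from http import HTTPStatus

SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ...}
KEYPAIRS = {}   # constructed stand-in for the Nova keypair store: name -> key


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # the browser attaches these
    form: dict = field(default_factory=dict)      # POST body fields


def login(user):
    """Create a session with a per-session CSRF (synchronizer) token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def create_or_overwrite(name):
    """Stand-in for a Nova keypair create that replaces any existing pair.
    The key material is a random placeholder, not a real SSH key."""
    private_key = "-----BEGIN PLACEHOLDER KEY-----\n" + secrets.token_hex(32)
    KEYPAIRS[name] = private_key
    return private_key


def vulnerable_generate_view(req):
    """Pre-fix shape: GET /project/key_pairs/<name>/generate/ mutates state.
    A CSRF middleware that only checks unsafe methods never looks at it."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return HTTPStatus.FOUND, {"Location": "/auth/login/"}, None
    if req.method != "GET":
        return HTTPStatus.METHOD_NOT_ALLOWED, {}, None
    name = req.path.split("/")[3]          # .../key_pairs/<name>/generate/
    private_key = create_or_overwrite(name)
    headers = {"Content-Disposition": 'attachment; filename="%s.pem"' % name}
    return HTTPStatus.OK, headers, private_key


def hardened_generate_view(req):
    """Post-fix shape: POST only, token must match the session's token, and
    the key comes back in the response body for a modal (no GET download)."""
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return HTTPStatus.FOUND, {"Location": "/auth/login/"}, None
    if req.method != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED, {"Allow": "POST"}, None
    token = req.form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return HTTPStatus.FORBIDDEN, {}, None
    name = req.form.get("name", "")
    if not name:
        return HTTPStatus.BAD_REQUEST, {}, None
    private_key = create_or_overwrite(name)
    body = {"name": name, "private_key": private_key}
    return HTTPStatus.OK, {"Content-Type": "application/json"}, body


# --- what the victim's browser sends in each scenario ----------------------

def cross_site_get(victim_sid, name):
    """An <img src=...> or link on an attacker page: the browser adds the
    victim's cookies; the attacker controls only the URL."""
    return Request("GET", "/project/key_pairs/%s/generate/" % name,
                   cookies={"sessionid": victim_sid})


def cross_site_post(victim_sid, name):
    """An auto-submitting form on an attacker page: cookies still go along,
    but the attacker cannot read the victim's token (same-origin policy)."""
    return Request("POST", "/project/key_pairs/generate/",
                   cookies={"sessionid": victim_sid}, form={"name": name})


def same_site_post(sid, name):
    """Horizon's own page: the token was rendered into the form for this session."""
    return Request("POST", "/project/key_pairs/generate/",
                   cookies={"sessionid": sid},
                   form={"name": name,
                         "csrfmiddlewaretoken": SESSIONS[sid]["csrf_token"]})


def demo():
    """Returns (pre-fix status, key overwritten?, post-fix GET, post-fix
    forged POST, post-fix legitimate POST) for one victim session."""
    sid = login("alice")
    KEYPAIRS.clear()
    KEYPAIRS["prod"] = "original key alice generated"
    before = vulnerable_generate_view(cross_site_get(sid, "prod"))[0]
    overwritten = KEYPAIRS["prod"] != "original key alice generated"
    after_get = hardened_generate_view(cross_site_get(sid, "prod"))[0]
    after_post = hardened_generate_view(cross_site_post(sid, "prod"))[0]
    legit = hardened_generate_view(same_site_post(sid, "prod"))[0]
    return before, overwritten, after_get, after_post, legit


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the fix: the cross-site GET that silently replaced the victim's keypair in the pre-fix view is rejected with 405 once only POST is accepted, and a forged cross-site POST is rejected with 403 because the attacker's page cannot supply the session-bound token, while the same POST from Horizon's own form succeeds. The server cannot distinguish a cross-site request from a same-site one by the session cookie alone, which is why the method restriction needs the token check alongside it.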