This patch fixes the Cross-Site Request Forgery (CSRF) attack against
the keypair generation pages:
- HORIZON_URL/project/key_pairs/PAIRNAME/generate/
- HORIZON_URL/project/key_pairs/PAIRNAME/download/
These pages exposed creating and/or overwriting a keypair with a given
name via a CSRF attack.
This patch closes these holes by using only POST-based keypair creation,
and exposing the keypair in the contents of a modal dialog instead of a
download, which ultimately requires a GET. It uses the same client-side
features for both the Launch Instance keypair creation and Compute / Key
Pairs panel.
Reviewed: https://review.openstack.org/367629
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d07fedc45f91449787d939a5bf4cc00a0d100652
Submitter: Jenkins
Branch: master
commit d07fedc45f91449787d939a5bf4cc00a0d100652
Author: Matt Borland <email address hidden>
Date: Thu Sep 8 14:50:23 2016 -0600
Use POST not GET for keypair generation
Closes-Bug: 1575913
Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6
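The commit message above describes the fix in two parts: state-changing keypair creation must be POST-only, and the request must carry something a cross-origin page cannot supply. The following is an added example, not Horizon's code or any part of the commit, that models the before and after handlers for `/project/key_pairs/PAIRNAME/generate/` without Django: the session store, the `Request` dicts, `generate_before_fix`, `generate_after_fix` and `run_scenario` are all hypothetical names, and the session and keypair data are constructed in memory. The form field name `csrfmiddlewaretoken` is Django's, since Horizon is a Django application, but the token check here is a stand-in for Django's middleware rather than its real implementation.

```python
import hmac
import secrets

# Constructed in-memory state standing in for Django sessions and Nova keypairs.
SESSIONS = {}   # session cookie value -> {"user": str, "csrf_token": str}
KEYPAIRS = {}   # user -> {keypair name -> private key text}


def login(user):
    """Create a session plus a per-session CSRF token.

    The token is the one secret a page on another origin cannot read:
    the browser attaches cookies automatically, but form fields must be
    written by a page that can see the token, i.e. one served by this site.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _user_for(request):
    session = SESSIONS.get(request.get("cookies", {}).get("sessionid"))
    return session["user"] if session else None


def _create_keypair(user, name):
    # Stand-in for the Nova keypair call; the random suffix makes an overwrite observable.
    KEYPAIRS.setdefault(user, {})[name] = f"constructed-private-key-{name}-{secrets.token_hex(4)}"
    return KEYPAIRS[user][name]


def _pair_name(request):
    # .../project/key_pairs/<name>/generate/  ->  <name>
    return request["path"].split("/")[-3]


def generate_before_fix(request):
    """Pre-fix behaviour: any request from an authenticated browser creates or overwrites."""
    user = _user_for(request)
    if user is None:
        return 401, None
    return 200, _create_keypair(user, _pair_name(request))   # method and token never checked


def generate_after_fix(request):
    """Post-fix behaviour: POST only, and the form must carry the session's CSRF token."""
    user = _user_for(request)
    if user is None:
        return 401, None
    if request["method"] != "POST":
        return 405, None                      # a navigation, image or link can only produce a GET
    session = SESSIONS[request["cookies"]["sessionid"]]
    submitted = request.get("form", {}).get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, None                      # cross-origin POST arrives without a readable token
    return 200, _create_keypair(user, _pair_name(request))   # key material goes in the modal body


def run_scenario():
    """Status codes each handler returns for a cross-site GET, a cross-site POST, and a same-site form POST."""
    SESSIONS.clear()
    KEYPAIRS.clear()
    sid = login("alice")
    _create_keypair("alice", "prod-key")      # an existing key the user depends on
    original = KEYPAIRS["alice"]["prod-key"]
    cookies = {"sessionid": sid}             # attached by the browser whatever origin triggered the request
    path = "/project/key_pairs/prod-key/generate/"

    cross_site_get = {"method": "GET", "path": path, "cookies": cookies}
    cross_site_post = {"method": "POST", "path": path, "cookies": cookies, "form": {}}
    same_site_post = {"method": "POST", "path": path, "cookies": cookies,
                      "form": {"csrfmiddlewaretoken": SESSIONS[sid]["csrf_token"]}}

    results = {}
    results["before_get"] = generate_before_fix(cross_site_get)[0]
    results["before_overwrote"] = KEYPAIRS["alice"]["prod-key"] != original

    KEYPAIRS["alice"]["prod-key"] = original  # restore before exercising the fixed handler
    results["after_get"] = generate_after_fix(cross_site_get)[0]
    results["after_post_no_token"] = generate_after_fix(cross_site_post)[0]
    results["after_unchanged"] = KEYPAIRS["alice"]["prod-key"] == original
    results["after_same_site_post"] = generate_after_fix(same_site_post)[0]
    return results


if __name__ == "__main__":
    for check, value in run_scenario().items():
        print(f"{check}: {value}")
```

The two checks in `generate_after_fix` are deliberately independent: rejecting non-POST methods closes the navigation and `<img>`/link vectors that the original GET endpoints were reachable through, while the token comparison (constant-time via `hmac.compare_digest`) is what actually distinguishes a form rendered by Horizon from a form posted by another origin. Returning the key in the response body rather than via a second `download/` GET is what lets the whole flow stay under the POST check, which is the second half of the commit's change.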