Horizon exposes url in Swift error message
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Vadym Markov |
Bug Description
Horizon can be made to expose internal data structures from HTTP requests; this is a security hazard.
See for example:
GET /api/swift/
Host: example.com
...
Response:
HTTP/1.1 404 Not Found
Date: Tue, 11 Sep 2018 19:30:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 98
Vary: Accept-
X-Frame-Options: SAMEORIGIN
Content-Language: en
Content-Type: application/json
"Object HEAD failed: http://
---------
Note, the Object Store endpoint configured on the /project/api_access page as "http://
It should return something like:
"Object HEAD failed: http://
To reproduce:
1. Log into Horizon with Firefox
2. Open up Web Developer Tools
3. Navigate to Project -> Object Store -> Containers
4. Pick a GET request for /api/swift/ from the Network tab in the developer tools
Note you need to do this quickly, otherwise the auth token will expire. If that happens, just refresh the page and edit the request quickly.
5. Observe the URL present in the response
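The leak above is a generic failure mode: an exception raised by the Swift client carries the full backend URL in its message, and the REST layer copies that message verbatim into the JSON error body. The following is an added example, not Horizon's code and not the fix from the review linked on this page. It simulates the "before" behaviour beside one hardening approach (an assumption: keep the path of any absolute URL in the message, drop the scheme and host, and log the full text server-side), plus a small check that a practitioner can run over captured response bodies to find leaked URLs. `ClientException`, the `swift.internal` endpoint and the `AUTH_abc` account are constructed stand-ins.

```python
import logging
import re
from urllib.parse import urlsplit

log = logging.getLogger("horizon.api.swift")

# Absolute URLs as they appear inside client error messages (constructed
# pattern; stops at whitespace and quote characters).
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ClientException(Exception):
    """Stand-in for the Swift client's exception type (assumption, not the
    real class)."""

    def __init__(self, msg, http_status=None):
        super().__init__(msg)
        self.http_status = http_status


def swift_head_object(endpoint, container, name):
    """Simulated backend call: always fails the way an Object HEAD does,
    embedding the internal endpoint it was sent to in the message."""
    url = "%s/v1/AUTH_abc/%s/%s" % (endpoint, container, name)  # constructed
    raise ClientException("Object HEAD failed: %s 404 Not Found" % url,
                          http_status=404)


def leaky_error_body(exc):
    """'Before' behaviour: the raw exception text is returned to the browser."""
    return {"status": exc.http_status or 500, "body": str(exc)}


def redact_urls(message):
    """Replace every absolute URL in the message with just its path, so the
    operator-facing wording survives but the backend host does not."""
    def _path_only(match):
        return urlsplit(match.group(0)).path or "/"
    return URL_RE.sub(_path_only, message)


def safe_error_body(exc):
    """Hardened behaviour: full detail goes to the server log, the client
    only sees the redacted message."""
    log.warning("swift call failed: %s", exc)
    return {"status": exc.http_status or 500, "body": redact_urls(str(exc))}


def api_swift_object_head(endpoint, container, name, redact=True):
    """Minimal stand-in for a /api/swift/ object HEAD handler. The JSON-ish
    dict returned here plays the role of the HTTP response body."""
    try:
        swift_head_object(endpoint, container, name)
    except ClientException as exc:
        return safe_error_body(exc) if redact else leaky_error_body(exc)
    return {"status": 200, "body": ""}


def leaked_urls(response_body):
    """Check helper: list every absolute URL present in a response body.
    Run it over captured /api/swift/ error responses; any hit is a leak."""
    return URL_RE.findall(response_body)


if __name__ == "__main__":
    internal = "http://swift.internal:8080"  # constructed internal endpoint
    for redact in (False, True):
        resp = api_swift_object_head(internal, "photos", "cat.jpg", redact=redact)
        print("redact=%s -> %s ; leaked: %s"
              % (redact, resp["body"], leaked_urls(resp["body"])))
```

Redacting to the path is a choice made for this example, not the project's policy: it keeps the message useful for the user ("which object failed") while removing the one piece the bug report objects to, the internal host and port. Whatever policy a deployment picks, `leaked_urls` is the regression check: it should return an empty list for every error body the endpoint can emit.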
Fix proposed to branch: master
Review: https://review.openstack.org/605731