Horizon dashboard leaks internal information through cookies
Bug #1585831 reported by
Dave McCowan
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
Invalid
|
Undecided
|
Unassigned | ||
| OpenStack Security Notes |
Fix Released
|
Undecided
|
Khanak Nangia | ||
Bug Description
When horizon is configured where:
1) internalURL and publicURL are on different networks
2) horizon uses the internalURL endpoint for authentication
The cookie "login_region" will be set to the value configured as OPENSTACK_
This URL contains the IP address of the internalURL of keystone.
In the case of a deployment where the internal network is different than the public network, the IP address of the internal network is considered sensitive information. By putting the OPENSTACK_
Revision history for this message
| Matt Borland (palecrow) wrote | #1 |
| Changed in horizon: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Changed in ossn: | |
| assignee: | nobody → Aastha Dixit (aastha-dixit) |
| Changed in ossn: | |
| assignee: | Aastha Dixit (aastha-dixit) → Khanak Nangia (knangia) |
| Changed in ossn: | |
| status: | New → Confirmed |
Revision history for this message
| Khanak Nangia (knangia) wrote | #2 |
Revision history for this message
| David Lyle (david-lyle) wrote | #3 |
| Changed in horizon: | |
| status: | Confirmed → Invalid |
| importance: | High → Undecided |
Revision history for this message
| Luke Hinds (lhinds) wrote | #4 |
Revision history for this message
| Luke Hinds (lhinds) wrote | #5 |
| Changed in ossn: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
Yeah, it seems that we should research the value of this specific data being passed back to the client; in theory in a situation where there's an internalURL it shouldn't be exposed. It generally wouldn't provide any utility to the client that I can think of other than to glean internal information.