Horizon dashboard leaks internal information through cookies
Bug #1585831 reported by Dave McCowan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Khanak Nangia |
Bug Description
When horizon is configured where:
1) internalURL and publicURL are on different networks
2) horizon uses the internalURL endpoint for authentication
The cookie "login_region" will be set to the value configured as OPENSTACK_
This URL contains the IP address of the internalURL of keystone.
In the case of a deployment where the internal network is different than the public network, the IP address of the internal network is considered sensitive information. By putting the OPENSTACK_
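The leak described above is easy to audit for from the operator's side: fetch the login page of your own Horizon deployment and inspect the Set-Cookie headers it returns for values that embed non-public IP addresses. The following is an added example for that check, not code from the bug report or from Horizon itself; the header values it scans are constructed samples, and the cookie value shape (a quoted Keystone URL in `login_region`) is assumed from the description.

```python
"""Audit Set-Cookie headers for cookie values that embed non-public IPv4 addresses.

Added example (not Horizon code). Feed it the Set-Cookie header values your own
Horizon deployment returns; any cookie whose value carries an RFC 1918,
loopback or other reserved address is reported.
"""
import ipaddress
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Dotted-quad candidates, not preceded or followed by more digits/dots.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def non_public_addresses(text):
    """Return the IPv4 literals in text that are private, loopback or reserved."""
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(match.group())
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if addr.is_private:
            found.append(str(addr))
    return found


def leaking_cookies(set_cookie_headers):
    """Map cookie name -> non-public addresses found in that cookie's value.

    Each element of set_cookie_headers is one Set-Cookie header value exactly as
    the server sent it. The value is percent-decoded before scanning because
    some frameworks URL-encode ':' and '/' in cookie values; Django-style quoted
    values are unquoted by SimpleCookie.
    """
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            hits = non_public_addresses(unquote(morsel.value))
            if hits:
                report[name] = hits
    return report


# Constructed sample headers: one Horizon-style login_region cookie carrying an
# internal Keystone endpoint, plus benign cookies that must not be flagged.
SAMPLE_HEADERS = [
    'login_region="http://10.0.0.5:5000/v3"; Path=/; HttpOnly',  # constructed internal URL
    'csrftoken=abc123; Path=/; Secure',                           # constructed, benign
    'login_domain=Default; Path=/',                               # constructed, benign
    'services_region="RegionOne"; Path=/',                        # constructed, benign
]

if __name__ == "__main__":
    for cookie, addrs in leaking_cookies(SAMPLE_HEADERS).items():
        print(f"cookie {cookie!r} exposes non-public address(es): {', '.join(addrs)}")
```

In a real audit, replace `SAMPLE_HEADERS` with the `Set-Cookie` values captured from your own dashboard's response (for example with `requests` and `response.raw.headers.getlist("Set-Cookie")`); a non-empty report means the dashboard is handing an internal address to every browser that logs in.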
Changed in ossn: assignee: nobody → Aastha Dixit (aastha-dixit)
Changed in ossn: assignee: Aastha Dixit (aastha-dixit) → Khanak Nangia (knangia)
Changed in ossn: status: New → Confirmed
Yeah, it seems that we should research the value of this specific data being passed back to the client; in theory in a situation where there's an internalURL it shouldn't be exposed. It generally wouldn't provide any utility to the client that I can think of other than to glean internal information.