yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1116184] Re: nova-novncproxy allows directory listing

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 06 Mar 2013 15:32:57 -0000
Reply-to: Bug 1116184 <1116184@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This is not really under our control (part of novnc rather than nova),
and not really a info leak (everyone can tell what the listing will be),
so I'm opening this up and closing as Invalid. Feel free to reopen if
you disagree.

** Information type changed from Private Security to Public

** Changed in: nova
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1116184

Title:
  nova-novncproxy allows directory listing

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  If a web browser is directed at the nova-novncproxy web service,
  without the appropriate file name (vnc.html or vnc_auto.html), the a
  directory listing is shown.

  This is considered a low risk security problem.

  The web service should not allow directory listings and not give any
  hints about what service is running there. The client should only get
  access with an appropriate complete URI.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1116184/+subscriptions