
yahoo-eng-team team mailing list archive

[Bug 1369880] Re: Autocomplete HTML Attribute Not Disabled for Password Field in Horizon

 

** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369880

Title:
  Autocomplete HTML Attribute Not Disabled for Password Field in Horizon

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  Risk:  It may be possible to bypass the web application's
  authentication mechanism.

  Recommended fix:  Correctly set the "autocomplete" attribute to "off"
  Affected URL: https://Ip_address/settings/password/
  https://Ip_address/auth/login/

  Take the second URL's test result and response for example:
  GET /auth/login/?next=/admin/flavors/ HTTP/1.1
  Cookie: csrftoken=jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy; sessionid=t5b0864y0q00ridvvh5hniczvv40pl4s
  Accept-Language: en-US
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Referer: https://9.5.29.52/auth/login/?next=/admin/flavors/
  Host: 9.5.29.52
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
  HTTP/1.1 200 OK
  Date: Thu, 11 Sep 2014 13:49:17 GMT
  Server: Apache
  Content-Language: en
  Expires: Thu, 11 Sep 2014 13:49:17 GMT
  Vary: Cookie,Accept-Language,Accept-Encoding
  Cache-Control: max-age=0
  X-Frame-Options: SAMEORIGIN
  Last-Modified: Thu, 11 Sep 2014 13:49:17 GMT
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=utf-8
  Set-Cookie: csrftoken=jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy; expires=Thu, 10-Sep-2015 13:49:19 GMT; Max-Age=31449600; Path=/; secure
  Set-Cookie: sessionid=t5b0864y0q00ridvvh5hniczvv40pl4s; httponly; Path=/; secure
  <!DOCTYPE html>
  <html>
  <head>
  <meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
  <title>Login - Cloud Management Dashboard</title>
  <!--
  Copyright 2014 *** Corp.
  Copyright 2014 OpenStack Foundation and others
  -->
  <link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
  <link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
  <!--
  Fix header padding issue in IE < 10
  -->
  <!--[if lt IE 10 ]>
  <style>
  .topbar {
  padding-bottom: 0px;
  }
  </style>
  <![endif]-->
  <script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
  <script type="text/javascript" charset="utf-8">
  /*
  Added so that we can append Horizon scoped JS events to
  the DOM load events without running in to the "horizon"
  name-space not currently being defined since we load the
  scripts at the bottom of the page.
  */
  var addHorizonLoadEvent = function(func) {
  var old_onload = window.onload;
  if (typeof window.onload != 'function') {
  window.onload = func;
  } else {
  window.onload = function() {
  old_onload();
  func();
  }
  }
  }
  </script>
  </head>
  <body id="splash" ng-app='hz'>
  <!--
  Copyright 2014 *** Corp.
  Copyright 2014 OpenStack Foundation and others
  -->
  <div id="" class="login ">
  <div class="">
  <div class="">
  <div class="modal-header">
  <h3>Cloud Management Dashboard</h3>
  </div>
  <form id=""
  ng-controller="DummyCtrl"
  name=""
  autocomplete="on"
  class=""
  action="/auth/login/"
  method="POST"
  ><input type='hidden' name='csrfmiddlewaretoken' value='jlQrGLuo8FZiE9SXhdfTYG7kauyQszJy' />
  <div class="modal-body clearfix">
  <fieldset>
  <div class="form-group clearfix error">
  <span class="help-block"><p>You do not have permission to access the resource:</p>
  <p><b>/admin/flavors/</b></p>
  <p>Login as different user or go back to <a href="/home/"> home page</a></p>
  </span>
  </div>
  <input type="hidden" name="next" value="/admin/flavors/" />
  <input id="id_region" name="region" type="hidden" value="http://9.5.29.52:5000/v2.0"; />
  <!-- <div class="form-group form-field clearfix ">
  <label for="id_username">User Name:</label>
  <span class="help-block"> </span>
  <input autofocus="autofocus" id="id_username" name="username" type="text" />
  </div>
  -->
  <div class="form-group ">
  <label class="control-label " for="id_username">User Name</label>
  <div class=" ">
  <input autofocus="autofocus" class=" form-control" id="id_username" name="username" type="text" />
  </div>
  </div>
  <!-- <div class="form-group form-field clearfix ">
  <label for="id_password">Password:</label>
  <span class="help-block"> </span>
  <input id="id_password" name="password" type="password" />    ---------------------------->> issue here
  </div>
  -->
  <div class="form-group ">
  <label class="control-label " for="id_password">Password</label>
  <div class=" ">
  <input class=" form-control" id="id_password" name="password" type="password" />  ------------------->>issue here
  </div>
  </div>
  </fieldset>
  </div>
  <div class="modal-footer">
  <button type="submit" class="btn btn-primary pull-right">Sign In</button>
  <div class="openstack-logo"></div>
  <div class="copyright">
  Licensed Materials - Property of *** Corp. <br/>
  &copy; Copyright *** Corp. 2010, 2014 All Rights Reserved<br/>
  &copy; Copyright 2014 
  </div>
  </div>
  </form>
  </div>
  </div>
  </div>
  <div id="footer">
  </div>
  <!--
  Copyright 2014 *** Corp.
  Copyright 2014 OpenStack Foundation and oth
  ...
  ...
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369880/+subscriptions
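The finding above boils down to one check: the login form is rendered with autocomplete="on" and the password input carries no autocomplete attribute of its own, so the browser default applies. The script below is an added example, not code from the bug report or from Horizon; it audits an HTML document with the standard-library HTMLParser and reports the effective autocomplete setting of every type="password" input (the input's own attribute takes precedence, then the enclosing form's, then the browser default "on"). The two sample documents are constructed to mirror the quoted login page and its corrected form; the function and class names are this example's own.

```python
"""Audit an HTML document for password fields whose autocomplete is not disabled.

Added example (not part of the bug report or of Horizon). It walks the
markup with html.parser, remembers which <form> each <input> sits in, and
reports the effective autocomplete value of every password input.
"""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect every password input together with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete value of each open <form>, innermost last
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # valueless attributes map to None
        if tag == "form":
            self._form_stack.append((a.get("autocomplete") or "").lower())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = (a.get("autocomplete") or "").lower()
            form = self._form_stack[-1] if self._form_stack else ""
            # Precedence: input attribute > form attribute > browser default "on".
            effective = own or form or "on"
            self.findings.append({
                "id": a.get("id") or a.get("name") or "<unnamed>",
                "input_autocomplete": own or None,
                "form_autocomplete": form or None,
                "effective": effective,
                "disabled": effective == "off",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit_password_fields(html):
    """Return one finding dict per password input in the document."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def fields_with_autocomplete_enabled(html):
    """Return the ids of password fields the browser is not told to leave alone."""
    return [f["id"] for f in audit_password_fields(html) if not f["disabled"]]


# Constructed sample mirroring the reported page: form says "on", field says nothing.
WEAK_LOGIN_FORM = """
<form id="" name="" autocomplete="on" action="/auth/login/" method="POST">
  <input type="hidden" name="csrfmiddlewaretoken" value="TOKEN_PLACEHOLDER" />
  <input autofocus="autofocus" class=" form-control" id="id_username" name="username" type="text" />
  <input class=" form-control" id="id_password" name="password" type="password" />
  <button type="submit">Sign In</button>
</form>
"""

# Constructed sample of the recommended fix: the password input opts out explicitly.
HARDENED_LOGIN_FORM = """
<form id="" name="" action="/auth/login/" method="POST">
  <input type="hidden" name="csrfmiddlewaretoken" value="TOKEN_PLACEHOLDER" />
  <input autofocus="autofocus" class=" form-control" id="id_username" name="username" type="text" />
  <input class=" form-control" id="id_password" name="password" type="password" autocomplete="off" />
  <button type="submit">Sign In</button>
</form>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_LOGIN_FORM), ("hardened", HARDENED_LOGIN_FORM)):
        for f in audit_password_fields(doc):
            print(label, f["id"], "effective autocomplete =", f["effective"])
```

Run against the weak sample the audit reports id_password with input_autocomplete None, form_autocomplete "on" and effective "on"; against the hardened sample it reports nothing enabled. Note that current mainstream browsers deliberately ignore autocomplete="off" on login password fields so that password managers still work, so the attribute is a hardening signal for shared or unmanaged workstations rather than a control that prevents credential storage.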

