yahoo-eng-team team mailing list archive

[Bug 1379515] Re: GET requests in workflows expose IDs and query parameters

[Expired for OpenStack Dashboard (Horizon) because there has been no
activity for 60 days.]

** Changed in: horizon
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1379515

Title:
  GET requests in workflows expose IDs and query parameters

Status in OpenStack Dashboard (Horizon):
  Expired

Bug description:
  As identified by an automated vulnerability scanner, workflows in
  Horizon for instances, volumes, images, aggregates, users, etc.,
  expose identifiers and steps in the workflow.

  Example URIs:
  https://172.20.39.10/project/instances/6eb73aea-d992-4192-9506-60a20a6a5f2d/?tab=instance_details__log
  https://172.20.39.10/project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/
  https://172.20.39.10/project/instances/launch?source_id=49a84978-914f-40f1-b886-5fa72092548a&source_type=image_id
  https://172.20.39.10/admin/users/b5a25808e7cf4b74ae1007515975ca7f/update/

  The best practice recommended by the vulnerability scanner report is
  to change these requests to use HTTP POST.

  As most traffic to Horizon should already be over HTTPS, there is
  likely a very low risk of leaking identifiers.

  A downside to using POST is that users won't be able to bookmark into
  a specific resource workflow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1379515/+subscriptions

