yahoo-eng-team team mailing list archive

[Bug 1463533] [NEW] generate keypair no cache directive

 

Public bug reported:

There is no cache-control directive when generating a key/pair, which
could cause some browsers to cache the private key.

Example:
HTTP Request
GET /project/access_and_security/keypairs/testkey2/generate/ HTTP/1.1
....
HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 20 Apr 2015 19:07:27 GMT
Server: Apache/2.4.10 (Debian)
Content-Disposition: attachment; filename=testkey2.pem
Content-Language: en
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Set-Cookie: sessionid="session"
Content-Length: 1675
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/binary

The following cache directives should be added to all sensitive information:
Cache-control: no-store
Pragma: no-cache

** Affects: horizon
     Importance: Undecided
     Assignee: Ryan Peters (rjpeter2)
         Status: New

** Changed in: horizon
     Assignee: (unassigned) => Ryan Peters (rjpeter2)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1463533

Title:
  generate keypair no cache directive

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1463533/+subscriptions
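
An added example (not part of the bug report and not Horizon's own code): a standard-library Python check that reports which of the two directives requested above are missing from a response, and returns the response with them appended. The sample response reuses a subset of the headers shown in the report; the function names are hypothetical.

```python
from email.parser import Parser

# Subset of the response headers shown in the report (body omitted).
REPORTED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Disposition: attachment; filename=testkey2.pem
Vary: Accept-Language,Cookie
Content-Length: 1675
Content-Type: application/binary
"""

# The two directives the report asks for on sensitive responses.
REQUIRED = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]


def parse_headers(raw):
    """Split a raw response into its status line and parsed headers."""
    status_line, _, header_block = raw.partition("\n")
    return status_line.strip(), Parser().parsestr(header_block, headersonly=True)


def missing_cache_directives(raw):
    """Return the (header, directive) pairs from REQUIRED that are absent."""
    _, headers = parse_headers(raw)
    missing = []
    for name, directive in REQUIRED:
        # A header can repeat and can carry a comma-separated list;
        # names and directives are compared case-insensitively.
        tokens = {
            tok.strip().lower()
            for value in headers.get_all(name, [])
            for tok in value.split(",")
        }
        if directive not in tokens:
            missing.append((name, directive))
    return missing


def harden(raw):
    """Return the header text with every missing directive appended."""
    extra = "".join(f"{n}: {d}\n" for n, d in missing_cache_directives(raw))
    return raw.rstrip("\r\n") + "\n" + extra


if __name__ == "__main__":
    print("missing:", missing_cache_directives(REPORTED_RESPONSE))
    print(harden(REPORTED_RESPONSE))
```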