yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1463533] Re: generate keypair no cache directive

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Jun 2015 21:57:52 -0000
Reply-to: Bug 1463533 <1463533@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1463533

Title:
  generate keypair no cache directive

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  There is no cache-control directive in when generating a key/pair,
  which could cause some browsers to cache the private key.

  Example:
  HTTP Request
  GET /project/access_and_security/keypairs/testkey2/generate/ HTTP/1.1
  ....
  HTTP Response:
  HTTP/1.1 200 OK
  Date: Mon, 20 Apr 2015 19:07:27 GMT
  Server: Apache/2.4.10 (Debian)
  Content-Disposition: attachment; filename=testkey2.pem
  Content-Language: en
  Vary: Accept-Language,Cookie
  X-Frame-Options: SAMEORIGIN
  Set-Cookie: sessionid="session"
  Content-Length: 1675
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/binary
  The following cache directives should be added to all sensitive information:
  Cache-control: no-store
  Pragma: no-cache

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1463533/+subscriptions

References

[Bug 1463533] [NEW] generate keypair no cache directive
From: Ryan Peters, 2015-06-09