yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1489415] Re: Cross-site Request Forgery token is static throughout the application

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lin Hua Cheng <1489415@xxxxxxxxxxxxxxxxxx>
Date: Mon, 05 Oct 2015 16:37:47 -0000
Reply-to: Bug 1489415 <1489415@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Setting to "won't fix" for horizon,  since it is by design in django.

** Changed in: horizon
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1489415

Title:
  Cross-site Request Forgery token is static throughout the application

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description:
  It was observed the application is setting cookie on every request but the parameters like session id, csrf token, etc were static.

  Affected URL :
  Throughout the application

  The functionality allowed by the website can be performed by an
  attacker utilizing CSRF. Attackers can easily forge a series of
  requests by using multiple tags or possibly JavaScript and force the
  victim to perform undesired functions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1489415/+subscriptions