
yahoo-eng-team team mailing list archive

[Bug 1597864] Re: Horizon exposes keystone endpoint url when viewing login source code

 

Exposing the internalURL is not a bug either way one views it: either it's
a freely accessible endpoint for authorized users, or it's hidden behind a
firewall.

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1597864

Title:
  Horizon exposes keystone endpoint url when viewing login source code

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  When viewing the source code of the Horizon login page, this line of
  code exposes the Keystone internal URL endpoint. Both examples are
  defaults, with no customizations.

  MOS 6.1
  <input id="id_region" name="region" type="hidden" value="http://172.16.108.2:5000/v2.0" />

  root@node-6:~# openstack endpoint show keystone
  +--------------+----------------------------------+
  | Field        | Value                            |
  +--------------+----------------------------------+
  | adminurl     | http://172.16.108.2:35357/v2.0   |
  | enabled      | True                             |
  | id           | 4f781d4ac9f9463d9ab37632146d45bc |
  | internalurl  | http://172.16.108.2:5000/v2.0    |
  | publicurl    | http://172.16.107.226:5000/v2.0  |
  | region       | RegionOne                        |
  | service_id   | 1a4391f1448a4225846e0a9d01b9af90 |
  | service_name | keystone                         |
  | service_type | identity                         |
  +--------------+----------------------------------+

  http://pastebin.com/yHC8eT8g

  MOS 8.0
  <input id="id_region" name="region" type="hidden" value="http://192.168.0.2:5000/v2.0" />

  root@node-27:~# openstack endpoint show identity
  +--------------+----------------------------------+
  | Field        | Value                            |
  +--------------+----------------------------------+
  | adminurl     | http://192.168.0.2:35357/v2.0    |
  | enabled      | True                             |
  | id           | 2c02316fd1684863b1858da06a766535 |
  | internalurl  | http://192.168.0.2:5000/v2.0     |
  | publicurl    | http://172.16.0.3:5000/v2.0      |
  | region       | RegionOne                        |
  | service_id   | 6e7a33ba6751453fb96d497244a89470 |
  | service_name | keystone                         |
  | service_type | identity                         |
  +--------------+----------------------------------+


  I was not able to find an associated CVE for this issue but it looks
  like there should be.

  Environment: MOS 6.1, 8.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1597864/+subscriptions
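The check a reviewer of this report would actually want is mechanical: pull the hidden `region` input out of the Horizon login form, classify the address it carries, and see which interface of the Keystone catalog entry (adminurl, internalurl or publicurl) it matches. The script below is an added example and is not Horizon's or the reporter's code. The login page and the catalog dictionary are constructed from the values quoted in the report; the function names (`extract_region_url`, `classify_host`, `match_catalog`, `audit`, `fetch_login_page`) are this example's own.

```python
"""Detect a non-public Keystone endpoint rendered into Horizon's login form.

Added example (not Horizon project code). Standard library only, runs offline
against the constructed sample below; fetch_login_page() is provided for use
against a real dashboard.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample of a Horizon login form, modelled on the hidden input
# quoted in the bug report (not a real capture).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/auth/login/" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="constructed-token" />
<input id="id_region" name="region" type="hidden" value="http://172.16.108.2:5000/v2.0" />
<input id="id_username" name="username" type="text" />
</form>
</body></html>
"""

# Constructed catalog entry with the URL fields that
# `openstack endpoint show keystone` printed in the report (MOS 6.1 example).
SAMPLE_CATALOG = {
    "adminurl": "http://172.16.108.2:35357/v2.0",
    "internalurl": "http://172.16.108.2:5000/v2.0",
    "publicurl": "http://172.16.107.226:5000/v2.0",
}


class HiddenInputCollector(HTMLParser):
    """Collect name -> value for every hidden <input> on the page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <input ... /> through here as well.
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def fetch_login_page(horizon_base_url, timeout=10):
    """Fetch the login page of a live dashboard (hypothetical helper, network)."""
    with urlopen(horizon_base_url.rstrip("/") + "/auth/login/", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_region_url(html):
    """Return the value of the hidden 'region' input, or None if absent."""
    parser = HiddenInputCollector()
    parser.feed(html)
    return parser.hidden.get("region")


def classify_host(url):
    """Classify the URL's host: 'loopback', 'private', 'public', 'hostname' or 'invalid'."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # DNS name; resolve it separately if needed
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"  # RFC 1918 / RFC 6598 / documentation ranges
    return "public"


def match_catalog(url, catalog):
    """Names of the catalog interfaces whose URL equals `url` (trailing slash, case ignored)."""
    norm = url.rstrip("/").lower()
    return sorted(k for k, v in catalog.items() if v.rstrip("/").lower() == norm)


def audit(html, catalog):
    """Summarise what the login form reveals about the Keystone endpoint."""
    url = extract_region_url(html)
    if url is None:
        return {"region_url": None, "host_class": None, "matches": [],
                "non_public_interface": False}
    matches = match_catalog(url, catalog)
    return {
        "region_url": url,
        "host_class": classify_host(url),
        "matches": matches,
        # True when the form carries the internal/admin URL rather than publicurl.
        "non_public_interface": bool(matches) and "publicurl" not in matches,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_LOGIN_PAGE, SAMPLE_CATALOG), indent=2))
```

On the report's own data the audit flags the form value as the catalog's `internalurl`, which is exactly what the reporter observed; note that in that lab both publicurl and internalurl are RFC 1918 addresses, so the catalog comparison, not the address class alone, is what tells the two apart. Whether the finding matters is the judgement the maintainer made above: the value is Horizon's configured Keystone URL, and the question is only whether that address is meant to be reachable by the users who can already see the login page.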