yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1585831] Re: Horizon dashboard leaks internal information through cookies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: David Lyle <dklyle0@xxxxxxxxx>
Date: Wed, 17 Aug 2016 20:33:45 -0000
Reply-to: Bug 1585831 <1585831@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Exposing the internalURL is not a bug either way one views the
internalURL, either it's a freely accessible endpoint to authorized
users, or it's hidden behind a firewall. There is a related bug
https://bugs.launchpad.net/horizon/+bug/1597864

** Changed in: horizon
       Status: Confirmed => Invalid

** Changed in: horizon
   Importance: High => Undecided

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1585831

Title:
  Horizon dashboard leaks internal information through cookies

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  Confirmed

Bug description:
  When horizon is configured where:
  1) internalURL and publicURL are on different networks
  2) horizon uses the internalURL endpoint for authentication

  The cookie "login_region" will be set to the value configured as
  OPENSTACK_KEYSTONE_URL.

  This URL contains the IP address of the internalURL of keystone.

  In the case of a deployment where the internal network is different
  than the public network, the IP address of the internal network is
  considered sensitive information.  By putting the
  OPENSTACK_KEYSTONE_URL in the cookie that is sent to the public
  network, horizon leaks the values of the internal network IP
  addresses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1585831/+subscriptions

References

[Bug 1585831] [NEW] Horizon dashboard leaks internal information through cookies
From: Dave McCowan, 2016-05-25