yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1585831] Re: Horizon dashboard leaks internal information through cookies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Luke Hinds <lhinds@xxxxxxxxxx>
Date: Thu, 08 Sep 2016 20:39:50 -0000
Reply-to: Bug 1585831 <1585831@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

OSSN released: https://wiki.openstack.org/wiki/OSSN/OSSN-0073

** Changed in: ossn
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1585831

Title:
  Horizon dashboard leaks internal information through cookies

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  When horizon is configured where:
  1) internalURL and publicURL are on different networks
  2) horizon uses the internalURL endpoint for authentication

  The cookie "login_region" will be set to the value configured as
  OPENSTACK_KEYSTONE_URL.

  This URL contains the IP address of the internalURL of keystone.

  In the case of a deployment where the internal network is different
  than the public network, the IP address of the internal network is
  considered sensitive information.  By putting the
  OPENSTACK_KEYSTONE_URL in the cookie that is sent to the public
  network, horizon leaks the values of the internal network IP
  addresses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1585831/+subscriptions

References

[Bug 1585831] [NEW] Horizon dashboard leaks internal information through cookies
From: Dave McCowan, 2016-05-25