yahoo-eng-team team mailing list archive

[Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks

Reviewed:  https://review.openstack.org/367629
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d07fedc45f91449787d939a5bf4cc00a0d100652
Submitter: Jenkins
Branch:    master

commit d07fedc45f91449787d939a5bf4cc00a0d100652
Author: Matt Borland <matt.borland@xxxxxxx>
Date:   Thu Sep 8 14:50:23 2016 -0600

    Use POST not GET for keypair generation
    
    This patch fixes the Cross-Site Request Forgery (CSRF) attack against
    the keypair generation pages:
    - HORIZON_URL/project/key_pairs/PAIRNAME/generate/
    - HORIZON_URL/project/key_pairs/PAIRNAME/download/
    These pages exposed creating and/or overwriting a keypair with a given
    name via a CSRF attack.
    
    This patch closes these holes by using only POST-based keypair creation,
    and exposing the keypair in the contents of a modal dialog instead of a
    download, which ultimately requires a GET.  It uses the same client-side
    features for both the Launch Instance keypair creation and Compute / Key
    Pairs panel.
    
    Closes-Bug: 1575913
    Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1575913

Title:
  Generate and download keypair GET endpoint allows CSRF attacks

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Requests to create (and download) nova keypairs are made as GETs. As
  such the CSRF token is not sent nor validated on these requests. This
  breaks the principle Django's CSRF middleware relies upon which is
  that requests with side effects should not cause side effects. I'm
  told there was a reason for doing this related to being able to send
  the data back to the browser, and that this may not be trivial to fix.

  Filing this as a security bug since a malicious site could fool a user
  into creating keypairs. The attacker would not gain access to the
  contents, so the impact is not as serious as it might seem at first
  glance.

  See
  https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112

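As an added illustration (not code from the Horizon commit or from the bug reporter), the following Python models the rule Django's CSRF middleware applies (safe methods are never checked) and replays a cross-site request against the pre-fix GET view shape and the post-fix POST-only shape. `Request`, `csrf_check`, `generate_before`, `generate_after` and `simulate` are hypothetical names, and the keypair store is a plain dict standing in for nova.

```python
import secrets
from collections import namedtuple

# Constructed stand-in for a Django HttpRequest (hypothetical, not Horizon code):
# method, keypair name taken from the URL, and the POST body.
Request = namedtuple("Request", "method name post", defaults=[{}])
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def csrf_check(request, session_token):
    # Same rule as Django's CsrfViewMiddleware: safe methods are never checked,
    # so a GET that performs a write is simply outside the middleware's reach.
    if request.method in SAFE_METHODS:
        return True
    sent = request.post.get("csrfmiddlewaretoken", "")
    return secrets.compare_digest(sent, session_token)

def generate_before(request, store, token):
    # Pre-fix shape of the view: reachable by GET, so a forged link or <img>
    # creates or overwrites whatever keypair name the URL carries.
    if not csrf_check(request, token):
        return 403
    store[request.name] = "constructed-key-" + secrets.token_hex(4)
    return 200

def generate_after(request, store, token):
    # Post-fix shape from the commit: POST only, so the token check applies.
    if request.method != "POST":
        return 405
    if not csrf_check(request, token):
        return 403
    store[request.name] = "constructed-key-" + secrets.token_hex(4)
    return 200

def simulate():
    # Cross-site requests carry the victim's session but no token (another
    # origin cannot read it); the legitimate form post carries both.
    token = secrets.token_hex(16)
    before, after = {}, {}
    cross_get = Request("GET", "victim-key")
    cross_post = Request("POST", "victim-key")
    legit = Request("POST", "mykey", {"csrfmiddlewaretoken": token})
    return {
        "before_cross_get": generate_before(cross_get, before, token),
        "before_keys": sorted(before),
        "after_cross_get": generate_after(cross_get, after, token),
        "after_cross_post": generate_after(cross_post, after, token),
        "after_legit_post": generate_after(legit, after, token),
        "after_keys": sorted(after),
    }
```

The pre-fix store ends up holding the attacker-chosen name while the post-fix store only holds the key the user asked for, which is exactly the difference the commit message describes.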