yahoo-eng-team team mailing list archive
Message #64927
[Bug 1575913] Re: Generate and download keypair GET endpoint allows CSRF attacks
Reviewed: https://review.openstack.org/367629
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d07fedc45f91449787d939a5bf4cc00a0d100652
Submitter: Jenkins
Branch: master
commit d07fedc45f91449787d939a5bf4cc00a0d100652
Author: Matt Borland <matt.borland@xxxxxxx>
Date: Thu Sep 8 14:50:23 2016 -0600
Use POST not GET for keypair generation
This patch fixes the Cross-Site Request Forgery (CSRF) attack against
the keypair generation pages:
- HORIZON_URL/project/key_pairs/PAIRNAME/generate/
- HORIZON_URL/project/key_pairs/PAIRNAME/download/
These pages exposed creating and/or overwriting a keypair with a given
name via a CSRF attack.
This patch closes these holes by using only POST-based keypair creation,
and exposing the keypair in the contents of a modal dialog instead of a
download, which ultimately requires a GET. It uses the same client-side
features for both the Launch Instance keypair creation and Compute / Key
Pairs panel.
Closes-Bug: 1575913
Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6
** Changed in: horizon
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1575913
Title:
Generate and download keypair GET endpoint allows CSRF attacks
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Requests to create (and download) nova keypairs are made as GETs. As
such the CSRF token is not sent nor validated on these requests. This
breaks the principle Django's CSRF middleware relies upon which is
that requests with side effects should not cause side effects. I'm
told there was a reason for doing this related to being able to send
the data back to the browser, and that this may not be trivial to fix.
Filing this as a security bug since a malicious site could fool a user
into creating keypairs. The attacker would not gain access to the
contents, so the impact is not as serious as it might seem at first
glance.
See
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
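To make the bug and the fix concrete, here is an added example that is not Horizon's or Django's code: a small constructed model of a keypair-generation view, with the pre-fix GET-with-side-effect handler beside a POST-only handler that checks a per-session CSRF token and returns the key in the response body instead of via a follow-up download. `Request`, `KeypairStore`, `issue_csrf_token` and the handler names are assumptions for the illustration.

```python
"""Constructed model of the keypair-generation CSRF bug and its fix.
Not Horizon/Django code; the classes and functions here are illustrative."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    session: dict                               # server-side session state
    form: dict = field(default_factory=dict)    # POST body fields


class KeypairStore:
    """Stand-in for the nova keypair API; overwrites on name collision."""
    def __init__(self):
        self.keypairs = {}

    def generate(self, name):
        # Constructed placeholder key material, not a real private key.
        self.keypairs[name] = "PRIVATE-KEY-" + secrets.token_hex(4)
        return self.keypairs[name]


def issue_csrf_token(session):
    """Token rendered into the form and kept in the session for comparison."""
    session.setdefault("csrf", secrets.token_urlsafe(32))
    return session["csrf"]


def vulnerable_generate(store, request, name):
    # Pre-fix: a plain GET creates (or overwrites) the keypair. The browser
    # sends this GET for any cross-site <img>/<a>, cookies included, and a
    # CSRF token cannot be required on a GET, so the middleware never helps.
    if request.method == "GET":
        return 200, store.generate(name)
    return 405, ""


def hardened_generate(store, request, name):
    # Post-fix: POST only, token in the form must match the session token
    # (constant-time compare), and the key is returned in the body so no
    # second GET is needed to hand it to the user.
    if request.method != "POST":
        return 405, ""
    expected = request.session.get("csrf", "")
    supplied = request.form.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, ""
    return 200, store.generate(name)
```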