yahoo-eng-team team mailing list archive

[Bug 1787943] Re: Internal endpoint address revealed in a cookie

Reviewed:  https://review.openstack.org/593650
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=16c4f4c3a294040bb87386156dab49f2b782ce21
Submitter: Zuul
Branch:    master

commit 16c4f4c3a294040bb87386156dab49f2b782ce21
Author: Radomir Dopieralski <openstack@xxxxxxxxxxxx>
Date:   Mon Aug 20 16:41:30 2018 +0200

    Don't expose endpoint URLs in the login form
    
    Instead of using endpoint URLs to designate regions in the login
    form and its cookies, use numbers. This way, if internal URLs are
    configured, they won't be exposed to the outside.
    
    Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0
    Closes-bug: #1787943


** Changed in: horizon
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1787943

Title:
  Internal endpoint address revealed in a cookie

Status in django-openstack-auth:
  New
Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  When the user logs in, django-openstack-auth sets a "login_region" key
  in the cookie to the value of the internal Keystone address. This is a
  potential security problem, as information about the internal
  addresses is leaked to the outside.
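
The two behaviours the bug and the commit message describe, side by side, as an added example; this is not Horizon's or django-openstack-auth's code. It keeps the `login_region` cookie name from the report, assumes (my assumption) a region list in the `(endpoint URL, display name)` shape of Horizon's `AVAILABLE_REGIONS` setting, and uses constructed hostnames. The leaky variant writes the Keystone endpoint URL into the cookie; the hardened variant writes only the region's index and resolves it back on the server, treating any out-of-range or non-numeric cookie as the first region. A small check at the end lets an operator confirm, after upgrading, that no configured endpoint host appears in the cookie header any more.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed region list in the (endpoint URL, display name) shape I assume
# for Horizon's AVAILABLE_REGIONS setting. The hostnames are made up.
AVAILABLE_REGIONS = [
    ("http://keystone.internal.example:5000/v3", "RegionOne"),
    ("http://keystone2.internal.example:5000/v3", "RegionTwo"),
]

COOKIE_NAME = "login_region"  # cookie name from the bug report


def leaky_cookie_value(chosen_endpoint: str) -> str:
    """Pre-fix behaviour: the cookie carries the endpoint URL itself, so any
    internal Keystone address that is configured is sent to the browser."""
    return chosen_endpoint


def hardened_cookie_value(chosen_endpoint: str) -> str:
    """Post-fix behaviour: the cookie carries only the region's position in
    the configured list; the URL never leaves the server."""
    endpoints = [url for url, _name in AVAILABLE_REGIONS]
    return str(endpoints.index(chosen_endpoint))


def form_choices(expose_urls: bool) -> list:
    """Option values for the region <select> in the login form. With
    expose_urls=True the page source shows the URLs (the pre-fix layout);
    with False it shows only indices."""
    return [
        (url if expose_urls else str(i), name)
        for i, (url, name) in enumerate(AVAILABLE_REGIONS)
    ]


def resolve_region(cookie_value: Optional[str]) -> str:
    """Map an index-style cookie back to an endpoint URL. A missing, stale,
    non-numeric or out-of-range value falls back to the first configured
    region, so the cookie can only ever select a configured endpoint."""
    try:
        idx = int(cookie_value or "")
    except ValueError:
        idx = 0
    if not 0 <= idx < len(AVAILABLE_REGIONS):
        idx = 0
    return AVAILABLE_REGIONS[idx][0]


def cookie_leaks_endpoint(cookie_header: str) -> bool:
    """Defensive check: does a Set-Cookie or Cookie header contain the
    hostname of any configured endpoint? Run it against a real login
    response after upgrading to confirm the leak is closed."""
    hosts = [urlsplit(url).hostname for url, _name in AVAILABLE_REGIONS]
    return any(h is not None and h in cookie_header for h in hosts)


if __name__ == "__main__":
    chosen = AVAILABLE_REGIONS[1][0]
    before = f"{COOKIE_NAME}={leaky_cookie_value(chosen)}; Path=/"
    after = f"{COOKIE_NAME}={hardened_cookie_value(chosen)}; Path=/"
    print("before fix:", before, "-> leaks:", cookie_leaks_endpoint(before))
    print("after fix: ", after, "-> leaks:", cookie_leaks_endpoint(after))
    print("server resolves", after.split(";")[0], "to", resolve_region("1"))
```

The fallback in `resolve_region` matters as much as the index itself: once the cookie no longer names a URL, a tampered value should still not be able to pick anything outside the operator's configured list.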

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1787943/+subscriptions