Reviewed:  https://review.openstack.org/367629
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d07fedc45f91449787d939a5bf4cc00a0d100652
Submitter: Jenkins
Branch:    master
commit d07fedc45f91449787d939a5bf4cc00a0d100652
Author: Matt Borland <[email protected]>
Date:   Thu Sep 8 14:50:23 2016 -0600

    Use POST not GET for keypair generation

    This patch fixes the Cross-Site Request Forgery (CSRF) attack against
    the keypair generation pages:

    - HORIZON_URL/project/key_pairs/PAIRNAME/generate/
    - HORIZON_URL/project/key_pairs/PAIRNAME/download/

    These pages exposed creating and/or overwriting a keypair with a given
    name via a CSRF attack.

    This patch closes these holes by using only POST-based keypair creation,
    and exposing the keypair in the contents of a modal dialog instead of a
    download, which ultimately requires a GET.

    It uses the same client-side features for both the Launch Instance
    keypair creation and Compute / Key Pairs panel.

    Closes-Bug: 1575913
    Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6

** Changed in: horizon
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1575913

Title:
  Generate and download keypair GET endpoint allows CSRF attacks

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Requests to create (and download) nova keypairs are made as GETs. As
  such the CSRF token is not sent nor validated on these requests. This
  breaks the principle Django's CSRF middleware relies upon which is that
  requests with side effects should not cause side effects.

  I'm told there was a reason for doing this related to being able to
  send the data back to the browser, and that this may not be trivial to
  fix.

  Filing this as a security bug since a malicious site could fool a user
  into creating keypairs. The attacker would not gain access to the
  contents, so the impact is not as serious as it might seem at first
  glance.

  See https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/access_and_security/keypairs/views.py#L112
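The report above hinges on one property of Django's CsrfViewMiddleware: it only validates the token on unsafe methods, so a view that performs its side effect on GET is never protected no matter how the middleware is configured. The following is an added illustration, not Horizon's or Django's code; `Request`, `KeypairStore`, `csrf_ok` and both handlers are simplified stand-ins written for this example, and the "key material" and token values are constructed. It replays a cross-site request (the browser attaches the victim's cookie, but a foreign page cannot read the token) against a GET-based handler shaped like the pre-fix `generate/` view and against a POST-only handler shaped like the fix, which takes the name from the body and returns the key in the response instead of a GET download.

```python
import hmac
from dataclasses import dataclass, field

# RFC 7231 "safe" methods; a Django-style CSRF middleware skips these by design.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Minimal request model (assumption, not Django's HttpRequest)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent by the browser on every request, cross-site included
    form: dict = field(default_factory=dict)     # body fields controlled by the page that submits the request


@dataclass
class KeypairStore:
    """Stand-in for the Nova keypair API (assumption, not the real client)."""
    pairs: dict = field(default_factory=dict)

    def create(self, name):
        # Silently overwrites an existing pair of the same name, as the report describes.
        self.pairs[name] = f"constructed-private-key-for-{name}"
        return self.pairs[name]


def csrf_ok(request):
    """Model of the double-submit check: unsafe methods must carry a form token
    equal to the cookie token; safe methods are not checked at all."""
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get("csrftoken", "")
    token = request.form.get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(cookie, token)


def vulnerable_generate(request, store):
    """Pre-fix shape: name comes from the URL and the pair is created on GET,
    so csrf_ok() passes without ever seeing a token."""
    if not csrf_ok(request):
        return 403, None
    name = request.path.strip("/").split("/")[-2]  # .../key_pairs/<name>/generate/
    return 200, store.create(name)


def fixed_generate(request, store):
    """Post-fix shape: POST only, name from the body, key material returned in
    the response body (Horizon renders it in a modal rather than a download)."""
    if request.method != "POST":
        return 405, None
    if not csrf_ok(request):
        return 403, None
    return 200, store.create(request.form["name"])


def replay():
    """Drive both handlers with cross-site requests and one legitimate POST;
    return the HTTP statuses observed and whether a pair was created."""
    results = {}

    store = KeypairStore()
    cross_get = Request("GET", "/project/key_pairs/evil/generate/",
                        cookies={"csrftoken": "abc"})
    results["before_cross_get"] = vulnerable_generate(cross_get, store)[0]
    results["before_created"] = "evil" in store.pairs

    store = KeypairStore()
    results["after_cross_get"] = fixed_generate(cross_get, store)[0]
    # A foreign page can POST a form, but cannot supply the token it cannot read.
    cross_post = Request("POST", "/project/key_pairs/generate/",
                         cookies={"csrftoken": "abc"}, form={"name": "evil"})
    results["after_cross_post"] = fixed_generate(cross_post, store)[0]
    results["after_created_by_attacker"] = "evil" in store.pairs
    good_post = Request("POST", "/project/key_pairs/generate/",
                        cookies={"csrftoken": "abc"},
                        form={"name": "mine", "csrfmiddlewaretoken": "abc"})
    results["after_good_post"] = fixed_generate(good_post, store)[0]
    results["after_created_by_user"] = "mine" in store.pairs
    return results


if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

The detection angle follows from the same property: a state-changing view that is reachable via GET will never produce a CSRF failure in the logs, so the place to look for this class of bug is the routing table (views that mutate state without restricting to POST), not the middleware.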

