Public bug reported:

Bug #1354208 reported a security flaw in the way that we performed substitution for catalog URLs. The immediate solution was to add a whitelist of config fields that are safe to use with substitution. The long-term goal is to get rid of this feature and only allow tenant_id and user_id to be used for substitution.

The first step for the Kilo release is to deprecate the feature.

** Affects: keystone
   Importance: High
   Assignee: David Stanek (dstanek)
   Status: In Progress

https://bugs.launchpad.net/bugs/1383817

Title:
  Deprecate catalog replacements and whitelists

Status in OpenStack Identity (Keystone):
  In Progress
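
The behaviour the report describes, as an added example that is not part of the original bug report or Keystone's own code: tenant_id and user_id are always substituted, whitelisted config fields are substituted with a deprecation warning, and every other placeholder is refused. The function name, the $(name)s / %(name)s placeholder syntax and the config option names are assumptions made for illustration.

```python
import re
import warnings

# Assumed placeholder syntax for endpoint URL templates: $(name)s or %(name)s.
_PLACEHOLDER = re.compile(r"[$%]\((\w+)\)s")

# The only keys the bug report wants to keep long term.
REQUEST_KEYS = frozenset({"tenant_id", "user_id"})


def format_catalog_url(template, request_values, config_values=None,
                       config_whitelist=frozenset()):
    """Expand placeholders in a catalog URL template, key by key.

    request_values: per-request data (tenant_id, user_id).
    config_values / config_whitelist: hypothetical stand-ins for service
    configuration and the interim whitelist of fields safe to expose.
    """
    config_values = config_values or {}

    def substitute(match):
        key = match.group(1)
        if key in REQUEST_KEYS:
            if key not in request_values:
                raise KeyError(key)
            return str(request_values[key])
        if key in config_whitelist and key in config_values:
            warnings.warn(
                "config substitution (%s) in catalog URLs is deprecated" % key,
                DeprecationWarning, stacklevel=2)
            return str(config_values[key])
        # Anything else, including secrets held in config, is refused
        # rather than interpolated into the URL.
        raise ValueError("placeholder %r not allowed in catalog URL" % key)

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample data; option names are made up for illustration.
    config = {"example_port": 8774, "example_secret": "s3cr3t"}
    url = "http://nova:$(example_port)s/v2/$(tenant_id)s"
    print(format_catalog_url(url, {"tenant_id": "abc123"}, config,
                             {"example_port"}))
```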