Exposing the internalURL is not a bug either way one views the
internalURL, either it's a freely accessible endpoint to authorized
users, or it's hidden behind a firewall. There is a related bug
https://bugs.launchpad.net/horizon/+bug/1597864
** Changed in: horizon
Status: Confirmed => Invalid
** Changed in: horizon
Importance: High => Undecided
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1585831
Title:
Horizon dashboard leaks internal information through cookies
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Security Notes:
Confirmed
Bug description:
When horizon is configured where:
1) internalURL and publicURL are on different networks
2) horizon uses the internalURL endpoint for authentication
The cookie "login_region" will be set to the value configured as
OPENSTACK_KEYSTONE_URL.
This URL contains the IP address of the internalURL of keystone.
In the case of a deployment where the internal network is different
than the public network, the IP address of the internal network is
considered sensitive information. By putting the
OPENSTACK_KEYSTONE_URL in the cookie that is sent to the public
network, horizon leaks the values of the internal network IP
addresses.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1585831/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
