On 2017-11-17 15:55:33 +0000 (+0000), Tristan Cacqueray wrote:
[...]
> We had similar issues[0][1] in the past where we already drew the line
> that it is the client's responsibility to filter out API responses.
>
> Thus I agree with Jeremy, perhaps it is not ideal, but at least it
> doesn't give a false sense of security if^Wwhen the server side
> filtering lets unpredicted malicious content through.
[...]
To be clear, I don't object to making whatever developers and API SIG members feel are sane filtering choices service-side, it's just that I think the VMT will consider those security hardening patches and not vulnerability fixes. If Horizon or any other consuming application fails to properly sanitize data before performing potentially unsafe actions with it, that's a vulnerability and would generally warrant an official security advisory.
--
Jeremy Stanley
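Illustrating the consumer-side responsibility Jeremy describes, as an added example that is not part of this thread and not Horizon's own code: a server-list response in the shape an OpenStack compute API returns, rendered once by trusting the service to have filtered it and once with escape-on-output. The response body is constructed and the function names are mine.

```python
import html
import json

# Constructed sample of a compute API "list servers" response. Any tenant
# can choose its own instance name, so every value here is untrusted input
# from the consuming application's point of view.
SAMPLE_RESPONSE = json.dumps({
    "servers": [
        {"id": "a1b2", "name": "web-01", "status": "ACTIVE"},
        {"id": "c3d4", "name": "<b>bold-if-unescaped</b>", "status": "ACTIVE"},
    ]
})

COLUMNS = ("id", "name", "status")


def render_rows_unsafe(body):
    """The vulnerable pattern: API fields interpolated straight into HTML,
    relying on service-side filtering that may let markup through."""
    rows = []
    for server in json.loads(body)["servers"]:
        cells = "".join("<td>%s</td>" % server[k] for k in COLUMNS)
        rows.append("<tr>%s</tr>" % cells)
    return "\n".join(rows)


def render_rows_safe(body):
    """The hardened pattern: every field is escaped at the point of output,
    so server-side filtering becomes defence in depth rather than the only
    control. quote=True also neutralises quotes inside attribute values."""
    rows = []
    for server in json.loads(body)["servers"]:
        cells = "".join("<td>%s</td>" % html.escape(str(server[k]), quote=True)
                        for k in COLUMNS)
        rows.append("<tr>%s</tr>" % cells)
    return "\n".join(rows)


def leaks_value_markup(body, rendered):
    """True if any tag-like character from an API value survives unescaped
    in the rendered output; a cheap regression check for templates."""
    for server in json.loads(body)["servers"]:
        for k in COLUMNS:
            value = str(server[k])
            if ("<" in value or ">" in value) and value in rendered:
                return True
    return False
```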
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev