Public bug reported:

When horizon is configured where:
1) internalURL and publicURL are on different networks
2) horizon uses the internalURL endpoint for authentication

The cookie "login_region" will be set to the value configured as OPENSTACK_KEYSTONE_URL. This URL contains the IP address of the internalURL of keystone. In the case of a deployment where the internal network is different than the public network, the IP address of the internal network is considered sensitive information. By putting the OPENSTACK_KEYSTONE_URL in the cookie that is sent to the public network, horizon leaks the values of the internal network IP addresses.

** Affects: horizon
     Importance: Undecided
         Status: New

** Affects: ossn
     Importance: Undecided
         Status: New

** Also affects: ossn
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1585831

Title:
  Horizon dashboard leaks internal information through cookies

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Notes:
  New
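
Added example (not part of the original bug report and not Horizon code): a check an operator could run over Set-Cookie values captured from the public endpoint to flag any cookie, such as "login_region", whose value carries a non-public IP literal. The sample headers, the function name and the hostname keystone.example.org are constructed for illustration.

```python
import ipaddress
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote, urlsplit

# Constructed sample Set-Cookie header values (not from a real deployment).
SAMPLE_SET_COOKIE = [
    'login_region="http://10.20.0.5:5000/v3"; Path=/',
    'login_domain=default; Path=/',
    'csrftoken=abc123; Path=/',
    'login_region="https://keystone.example.org:5000/v3"; Path=/',
]

# Dotted-quad candidates anywhere in a value; validated by ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def leaked_internal_addresses(set_cookie_headers):
    """Return (cookie_name, ip) pairs for non-public IP literals in cookies."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            value = unquote(morsel.value)
            candidates = set(IPV4_RE.findall(value))
            try:
                # Covers URL-shaped values, including bracketed IPv6 hosts.
                host = urlsplit(value).hostname
            except ValueError:
                host = None
            if host:
                candidates.add(host)
            for candidate in sorted(candidates):
                try:
                    ip = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # a DNS name, not an IP literal
                # is_private covers RFC 1918 and IPv6 unique local ranges.
                if ip.is_private:
                    findings.append((name, str(ip)))
    return findings


if __name__ == "__main__":
    for name, ip in leaked_internal_addresses(SAMPLE_SET_COOKIE):
        print(f"cookie {name!r} exposes internal address {ip}")
```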