openstack
/
horizon
Code Issues Proposed changes
horizon/openstack_dashboard/dashboards/project/key_pairs/templates/key_pairs
History
Matt Borland d07fedc45f Use POST not GET for keypair generation 
This patch fixes the Cross-Site Request Forgery (CSRF) attack against
the keypair generation pages:
- HORIZON_URL/project/key_pairs/PAIRNAME/generate/
- HORIZON_URL/project/key_pairs/PAIRNAME/download/
These pages exposed creating and/or overwriting a keypair with a given
name via a CSRF attack.

This patch closes these holes by using only POST-based keypair creation,
and exposing the keypair in the contents of a modal dialog instead of a
download, which ultimately requires a GET.  It uses the same client-side
features for both the Launch Instance keypair creation and Compute / Key
Pairs panel.

Closes-Bug: 1575913
Change-Id: Ie5ca28ff2bd806eb1481eba6f419b797b68856b6
 		2017-06-08 11:13:31 -07:00
..
_import.html Make Key Pairs tab a panel under Compute 2017-01-30 12:52:12 +00:00
detail.html Make Key Pairs tab a panel under Compute 2017-01-30 12:52:12 +00:00
download.html Make Key Pairs tab a panel under Compute 2017-01-30 12:52:12 +00:00
import.html Update the access_and_security url 2017-04-05 03:33:50 +00:00