d07fedc45f
This patch fixes the Cross-Site Request Forgery (CSRF) attack against
the keypair generation pages:
- HORIZON_URL/project/key_pairs/PAIRNAME/generate/
- HORIZON_URL/project/key_pairs/PAIRNAME/download/
These pages exposed creating and/or overwriting a keypair with a given
name via a CSRF attack.
This patch closes these holes by using only POST-based keypair creation,
and exposing the keypair in the contents of a modal dialog instead of a
download, which ultimately requires a GET. It uses the same client-side
features for both the Launch Instance keypair creation and Compute / Key
Pairs panel.
Closes-Bug:
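
Added example, not code from this commit or from Horizon: a minimal, framework-free Python model of the change the message describes, with a GET-reachable generate handler beside a POST-only one that checks a per-session token. The handler names, in-memory stores and generated values are assumptions made for the illustration.

```python
import hmac
import secrets

SESSIONS = {}   # session id -> CSRF token (constructed in-memory store)
KEYPAIRS = {}   # keypair name -> private key material (stand-in values)


def login():
    """Create a session and its per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid


def _generate(name):
    KEYPAIRS[name] = secrets.token_hex(32)  # overwrites any existing entry
    return KEYPAIRS[name]


def legacy_generate(method, name, sid, form=None):
    """Before: any authenticated request, including a GET, changes state."""
    if sid not in SESSIONS:
        return 403, None
    return 200, _generate(name)


def hardened_generate(method, name, sid, form=None):
    """After: POST only, and the form must carry the session's CSRF token."""
    if sid not in SESSIONS:
        return 403, None
    if method != "POST":
        return 405, None
    token = (form or {}).get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return 403, None
    # The key goes back in the response body (for a modal), not via a GET download.
    return 200, _generate(name)


def cross_site_get(handler, name, sid):
    """A request triggered from another origin: the browser attaches the
    session cookie, but the other site cannot read or supply the token."""
    return handler("GET", name, sid)
```
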