*** openstack has joined #openstack-horizon | 12:40 | |
mrunge | mflobo, you have a feature request for a specific view right now, right? | 12:41 |
mflobo | mrunge, yes | 12:41 |
mflobo | mrunge, I want to split the image list for the project dashboard into N HTML tables, instead of only one | 12:42 |
mrunge | mflobo, yes, I saw your question on ask.openstack.org | 12:42 |
mflobo | mrunge, so, I want to modify all the _data_table HTMLs related only to this view | 12:42 |
mrunge | mflobo, sorting of image list does not help you? | 12:42 |
mflobo | mrunge, no it doesn't, because I need separate tables, one table per "flavor" | 12:43 |
*** sayali has quit IRC | 12:43 | |
mrunge | mflobo, because you'll have different actions? | 12:44 |
mrunge | mflobo, or is this to differentiate types better? | 12:45 |
mflobo | mrunge, it is to differentiate types better | 12:45 |
mflobo | mrunge, I will upload a picture example to my ask.openstack.org question | 12:46 |
mrunge | mflobo, great. | 12:46 |
*** tosky has quit IRC | 12:48 | |
mflobo | mrunge, this is my use case https://ask.openstack.org/upfiles/14119948625876313.png | 12:48 |
mrunge | mflobo, and what about grouping them in instances as well? | 12:49 |
mflobo | mrunge, my use case is only for image list, not for other lists in Horizon like instances | 12:49 |
mrunge | mflobo, no interest for this in other instance lists as well? | 12:50 |
mflobo | mrunge, no, only in image list | 12:50 |
mrunge | mflobo, how do you differentiate your images? | 12:51 |
mrunge | just by *naming* convention? | 12:51 |
mflobo | mrunge, in this case by images properties | 12:51 |
mrunge | mflobo, we were thinking about adding arbitrary tags to images | 12:52 |
mrunge | so, I was currently thinking of making a view sorted by tags | 12:52 |
mrunge | (or so) | 12:52 |
mflobo | mrunge, in that case you need something similar to what I need: the capability to re-define some HTML views | 12:53 |
mrunge | mflobo, in my case, that should be available in other tables as well | 12:54 |
mrunge | mflobo, could you please file a blueprint: https://blueprints.launchpad.net/horizon | 12:54 |
mflobo | mrunge, ok, understand, your case is different | 12:54 |
mrunge | and attach your image there? | 12:55 |
mrunge | mflobo, sorry, I have to run out to get my kids from school | 12:55 |
mflobo | mrunge, ok, don't worry, thanks a lot for your time! | 12:55 |
*** sayali has joined #openstack-horizon | 12:57 | |
*** neelashah has joined #openstack-horizon | 12:58 | |
*** _crobertsrh is now known as crobertsrh | 13:01 | |
*** jacalcat has joined #openstack-horizon | 13:01 | |
*** aberezin has quit IRC | 13:05 | |
*** jacalcat has quit IRC | 13:17 | |
*** julim has joined #openstack-horizon | 13:24 | |
*** tosky has joined #openstack-horizon | 13:29 | |
*** gokrokve has joined #openstack-horizon | 13:32 | |
*** pawels has joined #openstack-horizon | 13:32 | |
*** krykowski has joined #openstack-horizon | 13:34 | |
*** gokrokve has quit IRC | 13:36 | |
*** mrunge has quit IRC | 13:38 | |
*** sigmavirus24 has joined #openstack-horizon | 13:43 | |
*** Dafna has quit IRC | 13:46 | |
*** radez_g0n3 is now known as radez | 13:46 | |
*** masco has quit IRC | 13:47 | |
*** Dafna has joined #openstack-horizon | 13:53 | |
*** bfic has quit IRC | 13:58 | |
*** gokrokve has joined #openstack-horizon | 13:58 | |
*** krykowski has quit IRC | 14:04 | |
*** pawels has quit IRC | 14:05 | |
sambetts | doug-fish: ping | 14:08 |
*** woodm1979 has joined #openstack-horizon | 14:09 | |
doug-fish | sambetts: hi | 14:09 |
sambetts | doug-fish: Hi! o/ Just wondering if you had a chance to look at my reply here: https://review.openstack.org/#/c/118334/ and if you had any more thoughts on the way forward with this patch | 14:10 |
*** krykowski has joined #openstack-horizon | 14:13 | |
doug-fish | sambetts: Just looking at your response now ... AFAIK there isn't an obvious solution to the problem you are working on. Horizon itself doesn't have any persistent storage. Django supports that (of course), but then really steps up the amount of release-to-release maintenance that's needed, so that approach probably won't be well received ... | 14:13 |
doug-fish | I think there is some idea/discussion/concept of adding metadata to keystone users, that might be a better approach | 14:14 |
sambetts | doug-fish: haha that's what I was just asking :-P | 14:14 |
doug-fish | oh | 14:14 |
sambetts | doug-fish: I meant, I was about to ask | 14:14 |
doug-fish | I was going to say ... I must have really misunderstood your question! | 14:15 |
sambetts | sorry about that, I just found it funny that we came to a similar thought at the same time. Do you think I should hold off on working on that patch further then? It's really just a bandaid until that keystone stuff gets implemented | 14:16 |
doug-fish | well I think its worth figuring out the current state of keystone ... | 14:17 |
doug-fish | if the support is there maybe you should just make Horizon use that as storage? | 14:18 |
*** john-davidge has joined #openstack-horizon | 14:18 | |
*** sayan has joined #openstack-horizon | 14:18 | |
*** jomara has joined #openstack-horizon | 14:19 | |
*** jomara_ has quit IRC | 14:21 | |
*** dkorn has quit IRC | 14:21 | |
*** ZZelle has quit IRC | 14:28 | |
*** ZZelle has joined #openstack-horizon | 14:28 | |
doug-fish | it's not clear to me keystone has the support. I'm asking in their channel now | 14:28 |
*** jrist has joined #openstack-horizon | 14:30 | |
*** aix has quit IRC | 14:31 | |
*** krykowski has quit IRC | 14:31 | |
*** rwsu has joined #openstack-horizon | 14:33 | |
*** k4n0 has quit IRC | 14:34 | |
*** gokrokve_ has joined #openstack-horizon | 14:35 | |
*** gokrokve_ has quit IRC | 14:37 | |
*** gokrokve_ has joined #openstack-horizon | 14:37 | |
*** gokrokve has quit IRC | 14:38 | |
*** jprovazn has quit IRC | 14:40 | |
*** ericpeterson has joined #openstack-horizon | 14:41 | |
*** Drago has joined #openstack-horizon | 14:52 | |
*** Drago1 has joined #openstack-horizon | 14:54 | |
*** bpokorny has quit IRC | 14:54 | |
*** bpokorny has joined #openstack-horizon | 15:03 | |
*** julim has quit IRC | 15:04 | |
*** vijendar has joined #openstack-horizon | 15:06 | |
*** med_ has quit IRC | 15:07 | |
*** julim has joined #openstack-horizon | 15:08 | |
*** rbertram has joined #openstack-horizon | 15:10 | |
*** Drago has quit IRC | 15:12 | |
*** Drago has joined #openstack-horizon | 15:12 | |
doug-fish | sambetts: so using keystone won't be an option | 15:17 |
sambetts | doug-fish: seems like it | 15:17 |
doug-fish | We've avoided using a DB in Horizon ... I think it's mostly because of the release-to-release responsibilities for managing it | 15:17 |
sambetts | Yes, I get that, I've had that issue managing migrations before | 15:18 |
doug-fish | I think if you could make the preferences optionally readable/writeable to a configurable DB or cookies that would solve the problem. | 15:19 |
*** rdopieralski has quit IRC | 15:20 | |
*** Longgeek has quit IRC | 15:20 | |
doug-fish | sort of like how the session data can be configured to use different backends | 15:20 |
sambetts | with the cookie mode should we maintain the fix I've proposed? Otherwise there will still be the inter-user settings leak | 15:21 |
*** david-lyle has joined #openstack-horizon | 15:21 | |
*** jacalcat has joined #openstack-horizon | 15:22 | |
doug-fish | I don't think so, to me the complications of using per-user cookies are greater than the benefits | 15:22 |
sambetts | what complication are you seeing? | 15:23 |
doug-fish | complication is that the request sizes will get larger for each user that has ever signed in to that browser | 15:23 |
morganfainberg | doug-fish, I might be forgetting this, but I *think* you can do sub-cookies that are independent of the site-cookie | 15:25 |
*** sbfox has joined #openstack-horizon | 15:25 | |
morganfainberg | doug-fish, but honestly it's been since 2010 that I've had to fight with web apps | 15:25 |
doug-fish | morganfainberg: are you thinking of cookies scoped to the path? | 15:25 |
sambetts | I can see having 1 - 3 but I can't see that one browser would be used for more than that? | 15:25 |
morganfainberg | doug-fish, hm, maybe. | 15:25 |
sambetts | if that's the case, then the operator might need to consider changing the horizon storage backend anyway | 15:26 |
morganfainberg | doug-fish, I remember having to solve this issue / work with it when I worked at $big_social_network_that_isnt_facebook$ | 15:26 |
*** sbfox has quit IRC | 15:27 | |
*** Guest73730 is now known as mgagne | 15:29 | |
*** mgagne has quit IRC | 15:29 | |
*** mgagne has joined #openstack-horizon | 15:29 | |
doug-fish | sambetts: it could be that I'm paranoid. I'm concerned about this kind of multiple-user behavior being able to affect the site performance. | 15:29 |
*** vokhrimenko has quit IRC | 15:33 | |
*** Ala has quit IRC | 15:34 | |
sambetts | doug-fish: It's certainly tricky, what if we moved the user prefs into JSON, so you had 1 cookie entry per user | 15:35 |
*** radez is now known as radez_g0n3 | 15:36 | |
*** EmilyW has joined #openstack-horizon | 15:36 | |
doug-fish | maybe. Again, my concern is really that the size of the cookies being passed back and forth is going to grow each time a new user has preferences .... | 15:37 |
doug-fish | putting in one cookie per user would help some because the user id wouldn't be repeated in each cookie name | 15:37 |
*** gokrokve has joined #openstack-horizon | 15:38 | |
sambetts | doug-fish: How about this, if we use scoped cookies, scoped to auth/login or something so that those user prefs aren't sent every time, just sent once then held in the session? | 15:39 |
ericpeterson | reality: if you have a decent sized deployment, you won't use cookies as the main session backend | 15:40 |
doug-fish | I wonder if it would be too obscure to remove the name for each value from the cookie as well. It could just be treated like a tuple where the position of the value implies which name it goes with | 15:40 |
doug-fish | ericpeterson: we are talking about user prefs | 15:40 |
ericpeterson | yeah, and that stuff is fine to store in the cookies doug-fish | 15:40 |
doug-fish | and https://review.openstack.org/#/c/118334/ | 15:40 |
doug-fish | ericpeterson: if that change doesn't concern you I'd feel much better about it. | 15:40 |
ericpeterson | yeah, those cookies are going to be pretty small. those I think are fine with that change | 15:42 |
*** gokrokve_ has quit IRC | 15:42 | |
*** gokrokve has quit IRC | 15:42 | |
*** radez_g0n3 is now known as radez | 15:42 | |
ericpeterson | it's the token / session cookie that blows up at 4k or whatever the limit is.... that's the killer one | 15:42 |
david-lyle | doug-fish the upper limit for total cookie size is 4K | 15:43 |
ericpeterson | stuff like eric_page_limit=20 or whatever is minor | 15:43 |
ericpeterson | stuff like erics | 15:43 |
doug-fish | yeah, so these per user cookies are cutting in to the same space | 15:43 |
ericpeterson | _session=dfsgsegsergsregesg (4k+) is the hassle | 15:43 |
doug-fish | the same 4k limit | 15:43 |
ericpeterson | oh that sucks. I didn't realize they share the same limit | 15:44 |
david-lyle | Yeah you can have like 50 cookies, but they can only sum to 4K | 15:44 |
*** rebelagentm has joined #openstack-horizon | 15:45 | |
ericpeterson | but again, for this change..... how many times do you have multiple logins on that same machine??? we would be more impacted than most users, I bet | 15:45 |
doug-fish | sure, but why exacerbate the cookie problem if this isn't a real user problem? | 15:46 |
ericpeterson | yeah, I'm kind of -0.5 - + 0.25 on this change | 15:47 |
doug-fish | lol | 15:47 |
doug-fish | that's not an option | 15:47 |
doug-fish | commit man! | 15:48 |
ericpeterson | I wish gerrit had a range of how I felt | 15:48 |
doug-fish | lol | 15:48 |
doug-fish | I'd feel better about it if the names were shorter | 15:49 |
doug-fish | 89cfffa8541245ce91a49a4cdeff4cf2_django_timezone | 15:49 |
ericpeterson | better that than the user name, sec consideration | 15:49 |
sambetts | I would think something like 89cfffa8541245ce91a49a4cdeff4cf2 : { tz:, lang:, items: } would be neater | 15:51 |
sambetts | less repetition of the user ID | 15:51 |
ericpeterson | +1 on that approach | 15:51 |
doug-fish | yep, that's looking pretty good | 15:52 |
doug-fish | and if you used a user name instead of id that would save some space too | 15:52 |
doug-fish | (in most cases) | 15:52 |
sambetts | are user names unique? | 15:52 |
ericpeterson | no user name | 15:52 |
doug-fish | unique enough for this purpose? | 15:53 |
ericpeterson | I think the concern is more that the user name is left in the browser, which might be a secret | 15:53 |
doug-fish | oh | 15:54 |
doug-fish | hadn't thought of that | 15:54 |
doug-fish | uid isn't secret? | 15:54 |
ericpeterson | it is kind of... but you don't login with the user id | 15:54 |
*** nlahouti has joined #openstack-horizon | 15:54 | |
doug-fish | yes I see | 15:54 |
ericpeterson | so exposing that doesn't give someone 50% of the login info | 15:54 |
sambetts | it definitely provides less information about who's logged in to the browser previously | 15:54 |
doug-fish | so I can +1 the 89cfffa8541245ce91a49a4cdeff4cf2 : { tz:, lang:, items: } idea | 15:55 |
*** jcoufal has quit IRC | 15:56 | |
*** EMW has joined #openstack-horizon | 16:00 | |
sambetts | doug-fish: Ok I'll get that implemented and pushed up :-) | 16:01 |
doug-fish | sambetts: sounds good! | 16:03 |
*** EmilyW has quit IRC | 16:03 | |
*** Drago has quit IRC | 16:14 | |
*** rm_work is now known as rm_work|away | 16:14 | |
*** Drago has joined #openstack-horizon | 16:16 | |
*** Drago has quit IRC | 16:16 | |
*** Drago has joined #openstack-horizon | 16:16 | |
*** EMW has quit IRC | 16:18 | |
*** rm_work|away is now known as rm_work | 16:20 | |
*** pkarikh has quit IRC | 16:21 | |
*** amotoki has quit IRC | 16:27 | |
*** radez is now known as radez_g0n3 | 16:27 | |
*** jasondotstar has joined #openstack-horizon | 16:29 | |
*** alexpilotti_ has joined #openstack-horizon | 16:33 | |
*** sambetts has quit IRC | 16:34 | |
*** gokrokve has joined #openstack-horizon | 16:34 | |
*** radez_g0n3 is now known as radez | 16:34 | |
*** alexpilotti has quit IRC | 16:34 | |
*** alexpilotti_ is now known as alexpilotti | 16:34 | |
*** tosky has quit IRC | 16:43 | |
*** ygbo has quit IRC | 16:44 | |
*** sbfox has joined #openstack-horizon | 16:49 | |
*** ArcTanSusan has joined #openstack-horizon | 16:50 | |
*** jrist has quit IRC | 16:58 | |
*** gokrokve has quit IRC | 16:59 | |
*** gokrokve has joined #openstack-horizon | 16:59 | |
*** e0ne has quit IRC | 17:02 | |
ericpeterson | low hanging fruit bugs..... when you have certain listings that don't and instead we list a bunch of entries.... the overflow css should turn on scrolling past a reasonable limit | 17:04 |
ericpeterson | that don't page I meant | 17:04 |
*** sigmavirus24 is now known as sigmavirus24_awa | 17:05 | |
*** dsneddon has joined #openstack-horizon | 17:10 | |
*** qba73 has quit IRC | 17:10 | |
*** sbfox has quit IRC | 17:11 | |
*** athomas has quit IRC | 17:13 | |
*** harlowja has joined #openstack-horizon | 17:16 | |
*** hhuang has quit IRC | 17:19 | |
*** Dafna has quit IRC | 17:21 | |
*** harlowja has quit IRC | 17:22 | |
*** jrist has joined #openstack-horizon | 17:24 | |
*** harlowja has joined #openstack-horizon | 17:24 | |
*** sbfox has joined #openstack-horizon | 17:26 | |
*** halede has joined #openstack-horizon | 17:27 | |
*** ZZelle_ has joined #openstack-horizon | 17:28 | |
*** clu_ has joined #openstack-horizon | 17:28 | |
*** david-lyle has quit IRC | 17:29 | |
*** david-lyle has joined #openstack-horizon | 17:29 | |
*** athomas has joined #openstack-horizon | 17:31 | |
*** john-davidge has quit IRC | 17:31 | |
*** regebro has quit IRC | 17:33 | |
*** bpokorny_ has joined #openstack-horizon | 17:33 | |
*** EMW has joined #openstack-horizon | 17:34 | |
*** bpokorny has quit IRC | 17:36 | |
*** romainh has left #openstack-horizon | 17:37 | |
*** david-lyle has quit IRC | 17:38 | |
*** bpokorny has joined #openstack-horizon | 17:43 | |
*** e0ne has joined #openstack-horizon | 17:44 | |
*** ArcTanSusan has quit IRC | 17:46 | |
*** bpokorny_ has quit IRC | 17:46 | |
*** lsmola has quit IRC | 18:01 | |
*** sbfox has quit IRC | 18:04 | |
*** vijendar has quit IRC | 18:04 | |
*** jgravel_ has quit IRC | 18:05 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 18:10 | |
*** gokrokve has quit IRC | 18:14 | |
*** gary-smith has quit IRC | 18:17 | |
*** sbfox has joined #openstack-horizon | 18:21 | |
*** akrivoka has quit IRC | 18:24 | |
*** sayan has quit IRC | 18:25 | |
*** gokrokve has joined #openstack-horizon | 18:26 | |
*** gokrokve has quit IRC | 18:27 | |
*** gary-smith has joined #openstack-horizon | 18:29 | |
*** gokrokve has joined #openstack-horizon | 18:29 | |
*** gary-smith has quit IRC | 18:30 | |
*** gary-smith has joined #openstack-horizon | 18:32 | |
*** gokrokve has quit IRC | 18:34 | |
*** gokrokve has joined #openstack-horizon | 18:35 | |
*** e0ne has quit IRC | 18:35 | |
*** EMW has quit IRC | 18:40 | |
*** vijendar has joined #openstack-horizon | 18:41 | |
*** bpokorny has quit IRC | 18:50 | |
*** AndroUser2 has joined #openstack-horizon | 18:50 | |
*** AndroUser2 is now known as david-lyle | 18:51 | |
*** bpokorny has joined #openstack-horizon | 18:53 | |
*** ArcTanSusan has joined #openstack-horizon | 18:56 | |
*** Drago has quit IRC | 18:56 | |
*** Sukhdev has joined #openstack-horizon | 18:58 | |
*** pawels has joined #openstack-horizon | 19:00 | |
*** bpokorny_ has joined #openstack-horizon | 19:09 | |
*** jay-atl has quit IRC | 19:10 | |
*** bpokorny has quit IRC | 19:12 | |
*** radez is now known as radez_g0n3 | 19:20 | |
*** jacalcat has quit IRC | 19:21 | |
*** ericpeterson has quit IRC | 19:22 | |
*** ericpeterson has joined #openstack-horizon | 19:26 | |
*** EmilyW has joined #openstack-horizon | 19:26 | |
*** alexpilotti has quit IRC | 19:29 | |
doug-fish | hey gary-smith, are you avail to talk about https://bugs.launchpad.net/horizon/+bug/1369865 | 19:30 |
doug-fish | I'm wondering if we should invalidate that bug. It seems to me the CSRF token is supposed to have a very long expiration: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works | 19:31 |
doug-fish | But I have to confess, I can't fully understand the problems that token is supposed to solve | 19:32 |
gary-smith | ok | 19:32 |
doug-fish | you think there is some risk with that? | 19:33 |
gary-smith | I had seen some hack mentioned wrt this. I'll have to go dig it up | 19:34 |
ericpeterson | expires=Fri, 11-Sep-2015 07:52:52 GMT -> that is probably a bit too long. you want that to be something like how long would someone reasonably keep their browser open for | 19:34 |
*** e0ne has joined #openstack-horizon | 19:38 | |
gary-smith | that or just use a session cookie | 19:38 |
doug-fish | ericpeterson: when I read that django doc I linked above it sounded to me that they really wanted it to never expire | 19:38 |
doug-fish | isn't this an additional protection, used along with a session cookie? | 19:38 |
doug-fish | sorry | 19:38 |
doug-fish | I'm mixing up terms | 19:38 |
ericpeterson | it's used on every form post, with or without the user being logged in | 19:39 |
doug-fish | I don't really understand what its supposed to be protecting | 19:39 |
*** nlahouti has quit IRC | 19:39 | |
ericpeterson | the server gives out a random token to the browser.... this prevents anyone from randomly posting from any site.... or at least it filters out many initial DOS attacks | 19:40 |
doug-fish | but stealing one isn't especially helpful is it? | 19:40 |
doug-fish | Horizon will give anyone a CSRFToken who points their browser at it | 19:41 |
*** dsneddon is now known as dsneddon_lunch | 19:41 | |
ericpeterson | correct, but I think part of that csrf thing helps cycle the token frequently and keep you from just reusing it | 19:42 |
gary-smith | I believe if a hacker had access to the csrftoken, they could include it in a post, making it appear legit | 19:42 |
ericpeterson | yep | 19:42 |
doug-fish | wouldn't they need a sessionId cookie as well? | 19:43 |
gary-smith | no | 19:43 |
gary-smith | with csrf attacks, the idea is that the hacker creates a web page that does a post (in this case) to horizon | 19:44 |
ericpeterson | but the https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern | 19:44 |
ericpeterson | sorry, that link might not have come through :o | 19:44 |
gary-smith | and the browser will automatically give the session token to horizon | 19:44 |
gary-smith | (although the hacker's site will not have access to that token) | 19:44 |
doug-fish | okay, I'll read up a bit ... thanks for the info + the link! | 19:46 |
gary-smith | the page ericpeterson points to suggests going further and re-generating a new csrf token for every request | 19:47 |
ericpeterson | yeah, that might be overkill | 19:47 |
gary-smith | but i would suspect that that would require more changes in horizon. At a minimum, making it a session token (one with expires=0) would be an improvement | 19:48 |
ericpeterson | but I have seen cases where horizon gets an error where your csrf stuff doesn't match up. I think if you change your secret_key that is one way to almost force the issue | 19:48 |
ericpeterson | (not that changing the secret_key is a good idea, it is supposed to break stuff when you change that) | 19:48 |
gary-smith | what is "secret_key" ? | 19:48 |
gary-smith | doesn't appear to be a cookie | 19:49 |
*** harlowja has quit IRC | 19:50 | |
ericpeterson | it's a django setting that determines how to encrypt stuff like the session info | 19:50 |
gary-smith | ah, ok | 19:50 |
ericpeterson | https://docs.djangoproject.com/en/1.7/ref/settings/#std:setting-SECRET_KEY | 19:50 |
ericpeterson | in the case of horizon, if you set it up in a HA mode you will want to have a shared secret key | 19:51 |
doug-fish | gary-smith, ericpeterson: you guys think this is nonsense? https://groups.google.com/forum/#!msg/django-developers/3vG7H3kRBZ0/rZmJFazA4YMJ | 19:52 |
*** radez_g0n3 is now known as radez | 19:53 | |
ericpeterson | it's on the internet, it's totally true | 19:53 |
ericpeterson | seriously, I believe that though | 19:53 |
ericpeterson | not that all things on the internet are true.... but that link sounds right to me | 19:54 |
*** harlowja has joined #openstack-horizon | 19:55 | |
*** pawels has quit IRC | 19:55 | |
gary-smith | FWIW, this bug (1369865) appears to be the output of some automatic website security evaluation tool that doesn't take this kind of stuff into account | 19:55 |
doug-fish | gary-smith, agreed. | 19:56 |
doug-fish | I'm just trying to sort out if there is a real security exposure here, and how serious it is | 19:56 |
doug-fish | My first assertion is that this isn't a security problem, it's what the django developers had in mind. But I don't understand the concept well enough yet to really make that assertion. | 19:57 |
gary-smith | that is much appreciated. I took a look, read a few pages, and it looked like a potential problem, with probably a simple solution (changing the expiration) | 19:57 |
gary-smith | but if further research shows that it's not a problem, then that is fine, too | 19:57 |
*** gokrokve has quit IRC | 19:58 | |
gary-smith | (I am not a web security expert, in case that was not abundantly clear) | 19:58 |
doug-fish | lol | 19:58 |
doug-fish | understood. | 19:58 |
*** gokrokve has joined #openstack-horizon | 19:59 | |
gary-smith | There is a similar bug, https://bugs.launchpad.net/horizon/+bug/1369870, found by that same tool. Have you guys ever heard of a "messages" cookie? | 20:00 |
*** pawels has joined #openstack-horizon | 20:01 | |
doug-fish | gary-smith ... I'm almost certain I've reviewed code related to the messages cookie .... | 20:02 |
*** jay-atl has joined #openstack-horizon | 20:03 | |
gary-smith | I found a use in horizon/test/helpers.py... now I just have to see where this is test-only | 20:04 |
gary-smith | c/where/whether/ | 20:04 |
doug-fish | no, I don't think so ... | 20:04 |
doug-fish | I think its these things: https://docs.djangoproject.com/en/1.6/ref/contrib/messages/ | 20:05 |
doug-fish | oh nice: | 20:06 |
doug-fish | https://docs.djangoproject.com/en/1.6/ref/contrib/messages/#django.contrib.messages.storage.cookie.CookieStorage | 20:06 |
doug-fish | it looks like the messages are signed | 20:06 |
*** jacalcat has joined #openstack-horizon | 20:06 | |
gary-smith | very helpful | 20:06 |
*** jay-atl has quit IRC | 20:08 | |
*** jay-atl has joined #openstack-horizon | 20:09 | |
doug-fish | ooh check this out: https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-age | 20:09 |
doug-fish | once we get to 1.7 we can set the age of the csrf cookie | 20:10 |
*** jay-atl has quit IRC | 20:10 | |
gary-smith | good. Is there a way to adjust this pre-1.7 ? | 20:12 |
*** jay-atl has joined #openstack-horizon | 20:13 | |
gary-smith | Similarly, https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure is only available in 1.7 to secure the messages cookie | 20:13 |
*** subbu_ has joined #openstack-horizon | 20:14 | |
*** julim has quit IRC | 20:17 | |
*** pawels has quit IRC | 20:17 | |
*** sbfox has quit IRC | 20:20 | |
*** ArcTanSusan has quit IRC | 20:24 | |
doug-fish | gary-smith: I'd think the only way to adjust the age of the csrf cookie prior to 1.7 would be to patch this code: https://github.com/django/django/blob/1.6c1/django/middleware/csrf.py#L197 | 20:25 |
*** ttrifonov is now known as ttrifonov_zZzz | 20:25 | |
gary-smith | yuck | 20:27 |
gary-smith | or maybe extend the CsrfViewMiddleware class and supply an alternate process_response method | 20:28 |
doug-fish | I understand why the CSRF token works if it's on a per-request basis, but for these longer ones (either session or a year) I don't understand what it provides beyond requiring a valid sessionId | 20:28 |
doug-fish | yeah that's better | 20:28 |
*** ArcTanSusan has joined #openstack-horizon | 20:29 | |
gary-smith | I think the idea is that the csrf token has to be somewhere in the payload of the POST, and that CSRF attacks don't have access to these cookies | 20:30 |
*** ArcTanSusan has quit IRC | 20:31 | |
*** bpokorny_ has quit IRC | 20:36 | |
*** nlahouti has joined #openstack-horizon | 20:36 | |
*** sbfox has joined #openstack-horizon | 20:37 | |
*** bpokorny has joined #openstack-horizon | 20:40 | |
*** crobertsrh is now known as _crobertsrh | 20:48 | |
*** radez is now known as radez_g0n3 | 20:48 | |
*** e0ne has quit IRC | 20:52 | |
*** aix has joined #openstack-horizon | 20:56 | |
*** e0ne has joined #openstack-horizon | 20:56 | |
*** Sukhdev has quit IRC | 20:58 | |
*** ArcTanSusan has joined #openstack-horizon | 21:01 | |
*** jcoufal has joined #openstack-horizon | 21:02 | |
*** cedrics has quit IRC | 21:03 | |
*** TravT has joined #openstack-horizon | 21:03 | |
*** Sukhdev has joined #openstack-horizon | 21:09 | |
*** EMW has joined #openstack-horizon | 21:09 | |
*** EmilyW has quit IRC | 21:11 | |
*** Drago1 has quit IRC | 21:12 | |
*** EmilyW has joined #openstack-horizon | 21:13 | |
*** sayali has quit IRC | 21:16 | |
*** EMW has quit IRC | 21:17 | |
*** Drago1 has joined #openstack-horizon | 21:18 | |
*** david-lyle has quit IRC | 21:19 | |
*** Drago has joined #openstack-horizon | 21:24 | |
*** Drago has quit IRC | 21:25 | |
*** Drago has joined #openstack-horizon | 21:25 | |
*** bpokorny has quit IRC | 21:27 | |
*** david-lyle has joined #openstack-horizon | 21:30 | |
*** david-lyle has quit IRC | 21:31 | |
*** david-lyle has joined #openstack-horizon | 21:32 | |
*** jtomasek has quit IRC | 21:32 | |
*** bpokorny has joined #openstack-horizon | 21:35 | |
*** ArcTanSusan has quit IRC | 21:37 | |
*** neelashah has quit IRC | 21:47 | |
*** ArcTanSusan has joined #openstack-horizon | 21:48 | |
*** jgravel has joined #openstack-horizon | 21:49 | |
*** ericpeterson has quit IRC | 21:56 | |
*** aix_ has joined #openstack-horizon | 21:57 | |
*** rebelagentm has quit IRC | 21:57 | |
*** dsneddon_lunch is now known as dsneddon | 21:58 | |
*** jcoufal has quit IRC | 21:59 | |
*** nlahouti has quit IRC | 22:00 | |
*** aix has quit IRC | 22:00 | |
*** nlahouti has joined #openstack-horizon | 22:00 | |
*** nlahouti has quit IRC | 22:03 | |
*** EMW has joined #openstack-horizon | 22:05 | |
*** EmilyW has quit IRC | 22:06 | |
*** mikedillion has joined #openstack-horizon | 22:10 | |
*** rbertram has quit IRC | 22:17 | |
*** mikedillion has quit IRC | 22:23 | |
*** e0ne has quit IRC | 22:29 | |
*** mikedillion has joined #openstack-horizon | 22:30 | |
*** jasondotstar has quit IRC | 22:33 | |
*** e0ne has joined #openstack-horizon | 22:33 | |
*** e0ne has quit IRC | 22:33 | |
*** alexpilotti has joined #openstack-horizon | 22:38 | |
*** neillc has joined #openstack-horizon | 22:38 | |
*** nlahouti has joined #openstack-horizon | 22:47 | |
*** ZZelle_ has quit IRC | 22:47 | |
*** nlahouti has quit IRC | 22:47 | |
*** woodm1979 has quit IRC | 22:48 | |
*** r1chardj0n3s is now known as r1chardj0n3s_afk | 22:48 | |
*** nlahouti has joined #openstack-horizon | 22:51 | |
*** nlahouti has quit IRC | 22:51 | |
*** jacalcat has quit IRC | 22:52 | |
gary-smith | david-lyle: question about https://bugs.launchpad.net/horizon/+bug/1374931 | 22:54 |
gary-smith | think that oughta be critical? | 22:54 |
gary-smith | it prevents launching instances from volume snapshots | 22:55 |
*** nlahouti has joined #openstack-horizon | 23:00 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 23:08 | |
*** Sukhdev has quit IRC | 23:08 | |
*** ArcTanSusan has quit IRC | 23:10 | |
*** ArcTanSusan has joined #openstack-horizon | 23:15 | |
*** david-lyle has quit IRC | 23:16 | |
*** doug-fish has left #openstack-horizon | 23:17 | |
*** r1chardj0n3s_afk is now known as r1chardj0n3s | 23:24 | |
*** mikedillion has quit IRC | 23:25 | |
*** neillc has quit IRC | 23:33 | |
*** EMW has quit IRC | 23:34 | |
*** Sukhdev has joined #openstack-horizon | 23:38 | |
*** lhcheng has joined #openstack-horizon | 23:54 | |
*** gokrokve has quit IRC | 23:55 | |
*** TravT has quit IRC | 23:56 | |
*** lhcheng has joined #openstack-horizon | 23:58 | |
*** lhcheng has left #openstack-horizon | 23:58 | |
*** harlowja is now known as harlowja_away | 23:59 | |
*** lhcheng has joined #openstack-horizon | 23:59 | |
*** lhcheng has left #openstack-horizon | 23:59 | |
*** lcheng has joined #openstack-horizon | 23:59 |