[Openstack-security] [Bug 1400872] Re: Show password feature should be configurable

OpenStack Infra 1400872 at bugs.launchpad.net
Tue Jan 13 01:58:43 UTC 2015


Reviewed:  https://review.openstack.org/140862
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=afbca3d4310073b3a6bf1127890fe9d756ab5418
Submitter: Jenkins
Branch:    master

commit afbca3d4310073b3a6bf1127890fe9d756ab5418
Author: Cindy Lu <clu at us.ibm.com>
Date:   Thu Jan 8 11:39:43 2015 -0800

    Password reveal feature should be configurable
    
    Horizon has a password reveal eye button which allows the
    password field to be viewed in plain text.  This is a security risk
    because a malicious user can check the OpenStack password at an
    unattended computer.
    
    Add new DISABLE_PASSWORD_REVEAL setting, which is False by default.
    
    DocImpact
    
    Change-Id: I21a2eaedbff4c1ee73d97c5674eca43c0258ca1a
    Closes-Bug: #1400872


** Changed in: horizon
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1400872

Title:
  Show password feature should be configurable

Status in OpenStack Dashboard (Horizon):
  Fix Committed
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  
  Horizon allows the password field to be displayed in plain text. This introduces a potential security risk. Imagine a user leaving their desktop unlocked: if the user saved their password in the browser, a malicious user could go into the Login page and display the OpenStack password.

  The show password feature should be made configurable for operators
  who want a more secure deployment of Horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1400872/+subscriptions



