Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/12/05 04:11:10 UTC
[GitHub] [cloudstack] s-seitz opened a new issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
s-seitz opened a new issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749
##### ISSUE TYPE
* Improvement Request
##### COMPONENT NAME
UI
##### CLOUDSTACK VERSION
4.16
##### CONFIGURATION
any
##### OS / ENVIRONMENT
any
##### SUMMARY
The UI tries to get a gravatar image for each username in listUsers, which potentially compromises the audit trail of CS installations in DIN EN ISO/IEC 27001-required environments.
##### STEPS TO REPRODUCE
Login into CS, and follow the requests, using the built-in Web-Developer-Tools of Firefox or Chrome.
##### EXPECTED RESULTS
No request to any external resource.
##### ACTUAL RESULTS
The current CS UI tries to fetch an image from gravatar.com and compromises a private infrastructure by exposing the referrer and email address of any listUsers entry.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-1000768503
> > @shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?
>
> @utchoang If these objects are unused, better to remove them (If needed later, can be added at later point of time). Any thoughts / comments @shwstppr @davidjumani @DaanHoogland @GabrielBrascher @rhtyd
If we add them later we obviously would have to guard that with a global setting. Not sure if that has UI repercussions.
[GitHub] [cloudstack] sureshanaparti commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-1000804771
thanks for fixing this @utchoang
[GitHub] [cloudstack] sureshanaparti commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-1000782198
I think, global setting to keep these is not the right way.
[GitHub] [cloudstack] DaanHoogland commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-986693309
seems like a legitimate request to even include in 4.16.1 (@sureshanaparti ?) I think we can make the gravatar pull dependent on a global setting.
[GitHub] [cloudstack] sureshanaparti commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-1000040951
> @shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?
@utchoang If these objects are unused, better to remove them (If needed later, can be added at later point of time). Any thoughts / comments @shwstppr @davidjumani @DaanHoogland @GabrielBrascher @rhtyd
[GitHub] [cloudstack] sureshanaparti closed issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
sureshanaparti closed issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749
[GitHub] [cloudstack] RohitYadavCloud commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
RohitYadavCloud commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-1000782840
The gravatar based image was something I had added without thinking this through, now that we've resource icons feature this can be removed. cc @sureshanaparti @DaanHoogland
[GitHub] [cloudstack] utchoang commented on issue #5749: UI compromises DIN EN ISO/IEC 27001 by trying to fetch images from gravatar.com
Posted by GitBox <gi...@apache.org>.
utchoang commented on issue #5749:
URL: https://github.com/apache/cloudstack/issues/5749#issuecomment-999349661
@shwstppr @sureshanaparti cc @davidjumani Currently, I see these avatar objects just get and not used anywhere. So how do you think about removing it?