upstream/oracle/userland-gate: components/openstack/keystone/patches/04-CVE-2014-2828.patch@77584387a894 (annotated)

3178 77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	1	Upstream patch for bug 1300274.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	2
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	3	Fixed in Havana 2013.2.4, Icehouse 2014.1
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	4
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	5	From: Florent Flament <[email protected]>
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	6	Date: Tue, 1 Apr 2014 12:48:22 +0000 (+0000)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	7	Subject: Sanitizes authentication methods received in requests.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	8	X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	9
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	10	Sanitizes authentication methods received in requests.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	11
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	12	When a user authenticates against Identity V3 API, he can specify
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	13	multiple authentication methods. This patch removes duplicates, which
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	14	could have been used to achieve DoS attacks.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	15
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	16	Closes-Bug: 1300274
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	17	(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	18	Cherry-pick from https://review.openstack.org/#/c/84425/
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	19
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	20	Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	21	---
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	22
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	23	diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	24	index c3399df..4944316 100644
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	25	--- a/keystone/auth/controllers.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	26	+++ b/keystone/auth/controllers.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	27	@@ -225,7 +225,13 @@ class AuthInfo(object):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	28	:returns: list of auth method names
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	29
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	30	"""
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	31	- return self.auth['identity']['methods'] or []
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	32	+ # Sanitizes methods received in request's body
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	33	+ # Filters out duplicates, while keeping elements' order.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	34	+ method_names = []
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	35	+ for method in self.auth['identity']['methods']:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	36	+ if method not in method_names:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	37	+ method_names.append(method)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	38	+ return method_names
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	39
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	40	def get_method_data(self, method):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	41	"""Get the auth method payload.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	42	diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	43	index d07e6ae..e89e29f 100644
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	44	--- a/keystone/tests/test_v3_auth.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	45	+++ b/keystone/tests/test_v3_auth.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	46	@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	47	None,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	48	auth_data)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	49
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	50	+ def test_get_method_names_duplicates(self):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	51	+ auth_data = self.build_authentication_request(
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	52	+ token='test',
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	53	+ user_id='test',
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	54	+ password='test')['auth']
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	55	+ auth_data['identity']['methods'] = ['password', 'token',
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	56	+ 'password', 'password']
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	57	+ context = None
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	58	+ auth_info = auth.controllers.AuthInfo(context, auth_data)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	59	+ self.assertEqual(auth_info.get_method_names(),
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	60	+ ['password', 'token'])
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	61	+
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	62	def test_get_method_data_invalid_method(self):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	63	auth_data = self.build_authentication_request(
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	64	user_id='test',

author	Drew Fisher <drew.fisher@oracle.com>
	Fri, 13 Jun 2014 09:10:23 -0700
branch	s11-update
changeset 3178	77584387a894
permissions	-rw-r--r--