author | Drew Fisher <drew.fisher@oracle.com> |
Fri, 19 Dec 2014 14:29:54 -0800 | |
branch | s11-update |
changeset 3564 | 8c7929b76aec |
permissions | -rw-r--r-- |
20192118 problem in SERVICE/HORIZON
Upstream patch to fix CVE-2014-8124. This will be fixed in future |
2014.1.3 and 2014.2.1 releases. |
|
From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001 |
From: lin-hua-cheng <[email protected]> |
Date: Mon, 1 Dec 2014 18:16:15 -0800 |
Subject: [PATCH] Horizon login page contains DOS attack mechanism |
|
the horizon login page (really the middleware) accesses the session |
too early in the login process, which will create session records |
in the session backend. This is especially problematic when non-cookie |
backends are used. |
|
Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 |
Closes-Bug: 1394370 |
|
17 |
--- horizon-2013.2.3/horizon/middleware.py.orig 2014-12-10 12:59:24.714541383 -0700 |
18 |
+++ horizon-2013.2.3/horizon/middleware.py 2014-12-10 13:00:30.362642269 -0700 |
19 |
@@ -49,6 +49,17 @@ class HorizonMiddleware(object): |
20 |
|
21 |
def process_request(self, request): |
22 |
""" Adds data necessary for Horizon to function to the request. """ |
23 |
+ |
24 |
+ request.horizon = {'dashboard': None, |
25 |
+ 'panel': None, |
26 |
+ 'async_messages': []} |
27 |
+ if not hasattr(request, "user") or not request.user.is_authenticated(): |
28 |
+ # proceed no further if the current request is already known |
29 |
+ # not to be authenticated |
30 |
+ # it is CRITICAL to perform this check as early as possible |
31 |
+ # to avoid creating too many sessions |
32 |
+ return None |
33 |
+ |
34 |
# Activate timezone handling |
35 |
tz = request.session.get('django_timezone') |
36 |
if tz: |
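Review bot: The new comment block above `return None` says the check is CRITICAL but never names what it prevents, so a later maintainer cannot tell which session access must stay below the guard; I would collapse the four comment lines into one that states the mechanism, `# Return before touching request.session: the last_activity write further down marks it modified and persists a backend record per anonymous hit (CVE-2014-8124).` — that write is not visible in this hunk, so confirm the wording against the lines that follow the second hunk. Hoisting the `request.horizon` dict above the guard is presumably required because views on the unauthenticated path (the login page) read it, and a one-line comment saying so would stop it drifting back below the return. The early return also skips the `# Activate timezone handling` block for anonymous requests, which looks intended since `django_timezone` is itself session data. The second hunk (`@@ -62,9 +73,6 @@`) is only the matching removal of the old dict and needs nothing more; process_request continues past both hunks.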
37 |
@@ -62,9 +73,6 @@ class HorizonMiddleware(object): |
38 |
|
39 |
last_activity = request.session.get('last_activity', None) |
40 |
timestamp = int(time.time()) |
41 |
- request.horizon = {'dashboard': None, |
42 |
- 'panel': None, |
43 |
- 'async_messages': []} |
44 |
if (isinstance(last_activity, int) |
45 |
and (timestamp - last_activity) > timeout): |
46 |
request.session.pop('last_activity') |
47 |
--- horizon-2013.2.3/openstack_dashboard/views.py.orig 2014-12-10 13:01:22.648498614 -0700 |
48 |
+++ horizon-2013.2.3/openstack_dashboard/views.py 2014-12-10 13:01:29.987667852 -0700 |
49 |
@@ -33,6 +33,4 @@ def splash(request): |
50 |
if request.user.is_authenticated(): |
51 |
return shortcuts.redirect(get_user_home(request.user)) |
52 |
form = views.Login(request) |
53 |
- request.session.clear() |
54 |
- request.session.set_test_cookie() |
55 |
return shortcuts.render(request, 'splash.html', {'form': form}) |
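Review bot: Dropping `request.session.set_test_cookie()` is only safe if the login form constructed on the `form = views.Login(request)` line no longer calls `check_for_test_cookie()` in its `clean()`; if it still does, every login attempt will be rejected with the cookies-disabled error, so that form (outside this hunk) should be verified in the same change. Removing `request.session.clear()` also means whatever an anonymous session already holds survives into the authenticated one; Django's `login()` cycles the session key on success, so this presumably does not reintroduce session fixation, but the reason both calls went away deserves a comment on the `form =` line, e.g. `# Do not touch request.session here: any write persists a backend record per anonymous visit (CVE-2014-8124).` splash() starts before and ends after this hunk.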