components/openstack/keystone/patches/07-CVE-2014-2828.patch
changeset 1944 56ac2df1785b
parent 1943 1a27f000029f
child 1945 3dc1935a2189
1943:1a27f000029f 1944:56ac2df1785b
     1 Upstream patch for bug 1300274.
       
     2 
       
     3 Fixed in Havana 2013.2.4, Icehouse 2014.1
       
     4 
       
     5 From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
       
     6 From: Florent Flament <[email protected]>
       
     7 Date: Tue, 1 Apr 2014 12:48:22 +0000
       
     8 Subject: Sanitizes authentication methods received in requests.
       
     9 
       
    10 When a user authenticates against Identity V3 API, he can specify
       
    11 multiple authentication methods. This patch removes duplicates, which
       
    12 could have been used to achieve DoS attacks.
       
    13 
       
    14 Closes-Bug: 1300274
       
    15 (cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
       
    16 Cherry-pick from https://review.openstack.org/#/c/84425/
       
    17 
       
    18 Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
       
    19 
       
    20 --- keystone-2013.1.4/keystone/auth/controllers.py.orig	2014-04-10 14:46:27.890585026 -0600
       
    21 +++ keystone-2013.1.4/keystone/auth/controllers.py	2014-04-10 14:47:53.783687911 -0600
       
    22 @@ -228,7 +228,13 @@
       
    23          :returns: list of auth method names
       
    24  
       
    25          """
       
    26 -        return self.auth['identity']['methods']
       
    27 +        # Sanitizes methods received in request's body
       
    28 +        # Filters out duplicates, while keeping elements' order.
       
    29 +        method_names = []
       
    30 +        for method in self.auth['identity']['methods']:
       
    31 +            if method not in method_names:
       
    32 +                method_names.append(method)
       
    33 +        return method_names
       
    34  
       
    35      def get_method_data(self, method):
       
    36          """ Get the auth method payload.
       
    37 --- keystone-2013.1.4/tests/test_v3_auth.py.orig	2014-04-10 14:50:45.929495618 -0600
       
    38 +++ keystone-2013.1.4/tests/test_v3_auth.py	2014-04-10 14:50:48.764440233 -0600
       
    39 @@ -83,6 +83,17 @@
       
    40                            None,
       
    41                            auth_data)
       
    42  
       
    43 +    def test_get_method_names_duplicates(self):
       
    44 +        auth_data = self.build_authentication_request(
       
    45 +            token='test',
       
    46 +            user_id='test',
       
    47 +            password='test')['auth']
       
    48 +        auth_data['identity']['methods'] = ['password', 'token',
       
    49 +                                            'password', 'password']
       
    50 +        context = None
       
    51 +        auth_info = auth.controllers.AuthInfo(context, auth_data)
       
    52 +        self.assertEqual(auth_info.get_method_names(),
       
    53 +                         ['password', 'token'])
       
    54  
       
    55  class TestTokenAPIs(test_v3.RestfulTestCase):
       
    56      def setUp(self):
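Review bot: The docstring of get_method_names, whose `:returns: list of auth method names` line is context in the controllers.py hunk, no longer matches the new body, which drops repeated names and keeps first-occurrence order; I would change it to `:returns: list of distinct auth method names, in request order`. The de-duplication also tests `if method not in method_names` against a growing list, which is quadratic in a length the client chooses and bounded only by whatever request-size limit the deployment applies; a `seen` set beside the ordered list keeps the walk linear, at the cost of diverging from the upstream cherry-pick, which a backport may prefer not to do. Whether unknown method names are still rejected afterwards, and whether `methods` is checked to be a list before iteration, happens outside this hunk, so I cannot confirm it here. get_method_names begins before the hunk.
```python
        # Sanitizes methods received in request's body
        # Filters out duplicates, while keeping elements' order.
        method_names = []
        seen = set()
        for method in self.auth['identity']['methods']:
            if method not in seen:
                seen.add(method)
                method_names.append(method)
        return method_names
```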