1 Upstream patch for bug 1300274. |
|
2 |
|
3 Fixed in Havana 2013.2.4, Icehouse 2014.1 |
|
4 |
|
5 From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001 |
|
6 From: Florent Flament <[email protected]> |
|
7 Date: Tue, 1 Apr 2014 12:48:22 +0000 |
|
8 Subject: Sanitizes authentication methods received in requests. |
|
9 |
|
10 When a user authenticates against Identity V3 API, he can specify |
|
11 multiple authentication methods. This patch removes duplicates, which |
|
12 could have been used to achieve DoS attacks. |
|
13 |
|
14 Closes-Bug: 1300274 |
|
15 (cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c) |
|
16 Cherry-pick from https://review.openstack.org/#/c/84425/ |
|
17 |
|
18 Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab |
|
19 |
|
20 --- keystone-2013.1.4/keystone/auth/controllers.py.orig 2014-04-10 14:46:27.890585026 -0600 |
|
21 +++ keystone-2013.1.4/keystone/auth/controllers.py 2014-04-10 14:47:53.783687911 -0600 |
|
22 @@ -228,7 +228,13 @@ |
|
23 :returns: list of auth method names |
|
24 |
|
25 """ |
|
26 - return self.auth['identity']['methods'] |
|
27 + # Sanitizes methods received in request's body |
|
28 + # Filters out duplicates, while keeping elements' order. |
|
29 + method_names = [] |
|
30 + for method in self.auth['identity']['methods']: |
|
31 + if method not in method_names: |
|
32 + method_names.append(method) |
|
33 + return method_names |
|
34 |
|
35 def get_method_data(self, method): |
|
36 """ Get the auth method payload. |
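Review bot: The docstring line `:returns: list of auth method names` a few lines above the change still describes the old behaviour; now that repeats are dropped it should say so, e.g. `:returns: list of auth method names in request order, duplicates removed (first occurrence kept)`. The membership test `method not in method_names` is a linear scan over the names already kept, which is fine for a handful of methods but deserves a one-line comment, since the list comes straight from the request body and this loop only collapses repetition, not the number of distinct names. The loop also assumes `self.auth['identity']['methods']` is a list; a string arriving here would be iterated character by character, which is presumably rejected by the class's validation before this point, but that code is outside the hunk. The signature of get_method_names starts before the hunk.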
|
37 --- keystone-2013.1.4/tests/test_v3_auth.py.orig 2014-04-10 14:50:45.929495618 -0600 |
|
38 +++ keystone-2013.1.4/tests/test_v3_auth.py 2014-04-10 14:50:48.764440233 -0600 |
|
39 @@ -83,6 +83,17 @@ |
|
40 None, |
|
41 auth_data) |
|
42 |
|
43 + def test_get_method_names_duplicates(self): |
|
44 + auth_data = self.build_authentication_request( |
|
45 + token='test', |
|
46 + user_id='test', |
|
47 + password='test')['auth'] |
|
48 + auth_data['identity']['methods'] = ['password', 'token', |
|
49 + 'password', 'password'] |
|
50 + context = None |
|
51 + auth_info = auth.controllers.AuthInfo(context, auth_data) |
|
52 + self.assertEqual(auth_info.get_method_names(), |
|
53 + ['password', 'token']) |
|
54 |
|
55 class TestTokenAPIs(test_v3.RestfulTestCase): |
|
56 def setUp(self): |
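Review bot: The new assertion puts the observed value first, `self.assertEqual(auth_info.get_method_names(), ['password', 'token'])`; OpenStack test code generally orders assertEqual(expected, observed) so that failure output reads correctly, so consider `self.assertEqual(['password', 'token'], auth_info.get_method_names())`. The case only exercises a list with repeats; a second assertion that a duplicate-free list such as `['password', 'token']` comes back unchanged would pin the order-preserving contract from the other side. The enclosing test class starts before the hunk.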
|