1 This upstream patch addresses CVE-2015-1852 in keystoneclient. It

     2 should be able to be removed when keystoneclient 1.4.0 or later is

     3 integrated.

     4 

     5 From 710402426c6bda2fe9d9b4fde2f5b54f1790a60e Mon Sep 17 00:00:00 2001

     6 From: Brant Knudson <[email protected]>

     7 Date: Tue, 7 Apr 2015 19:38:29 +0000

     8 Subject: [PATCH] Fix s3_token middleware parsing insecure option

     9 

    10 The "insecure" option was being treated as a bool when it was

    11 actually provided as a string. The fix is to parse the string to

    12 a bool.

    13 

    14 Closes-Bug: 1411063

    15 Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3

    16 ---

    17 

    18 --- python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py.~1~	2014-12-18 09:37:35.000000000 -0800

    19 +++ python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py	2015-04-14 14:23:08.294228633 -0700

    20 @@ -34,6 +34,7 @@ This WSGI component:

    21  import logging

    22  

    23  from oslo.serialization import jsonutils

    24 +from oslo.utils import strutils

    25  import requests

    26  import six

    27  from six.moves import urllib

    28 @@ -116,7 +117,7 @@ class S3Token(object):

    29          self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)

    30  

    31          # SSL

    32 -        insecure = conf.get('insecure', False)

    33 +        insecure = strutils.bool_from_string(conf.get('insecure', False))

    34          cert_file = conf.get('certfile')

    35          key_file = conf.get('keyfile')

    36  

    37 --- python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py.~1~	2014-12-18 09:37:35.000000000 -0800

    38 +++ python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py	2015-04-14 14:23:09.919217052 -0700

    39 @@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenM

    40      @mock.patch.object(requests, 'post')

    41      def test_insecure(self, MOCK_REQUEST):

    42          self.middleware = (

    43 -            s3_token.filter_factory({'insecure': True})(FakeApp()))

    44 +            s3_token.filter_factory({'insecure': 'True'})(FakeApp()))

    45  

    46          text_return_value = jsonutils.dumps(GOOD_RESPONSE)

    47          if six.PY3:

    48 @@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenM

    49          mock_args, mock_kwargs = MOCK_REQUEST.call_args

    50          self.assertIs(mock_kwargs['verify'], False)

    51  

    52 +    def test_insecure_option(self):

    53 +        # insecure is passed as a string.

    54 +

    55 +        # Some non-secure values.

    56 +        true_values = ['true', 'True', '1', 'yes']

    57 +        for val in true_values:

    58 +            config = {'insecure': val, 'certfile': 'false_ind'}

    59 +            middleware = s3_token.filter_factory(config)(FakeApp())

    60 +            self.assertIs(False, middleware.verify)

    61 +

    62 +        # Some "secure" values, including unexpected value.

    63 +        false_values = ['false', 'False', '0', 'no', 'someweirdvalue']

    64 +        for val in false_values:

    65 +            config = {'insecure': val, 'certfile': 'false_ind'}

    66 +            middleware = s3_token.filter_factory(config)(FakeApp())

    67 +            self.assertEqual('false_ind', middleware.verify)

    68 +

    69 +        # Default is secure.

    70 +        config = {'certfile': 'false_ind'}

    71 +        middleware = s3_token.filter_factory(config)(FakeApp())

    72 +        self.assertIs('false_ind', middleware.verify)

    73 +

    74  

    75  class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):

    76      def setUp(self):