|
1 This upstream patch addresses CVE-2015-1852 in keystoneclient. It |
|
2 can be removed once keystoneclient 1.4.0 or later is |
|
3 integrated. |
|
4 |
|
5 From 710402426c6bda2fe9d9b4fde2f5b54f1790a60e Mon Sep 17 00:00:00 2001 |
|
6 From: Brant Knudson <[email protected]> |
|
7 Date: Tue, 7 Apr 2015 19:38:29 +0000 |
|
8 Subject: [PATCH] Fix s3_token middleware parsing insecure option |
|
9 |
|
10 The "insecure" option was being treated as a bool when it was |
|
11 actually provided as a string. The fix is to parse the string to |
|
12 a bool. |
|
13 |
|
14 Closes-Bug: 1411063 |
|
15 Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3 |
|
16 --- |
|
17 |
|
18 --- python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py.~1~ 2014-12-18 09:37:35.000000000 -0800 |
|
19 +++ python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py 2015-04-14 14:23:08.294228633 -0700 |
|
20 @@ -34,6 +34,7 @@ This WSGI component: |
|
21 import logging |
|
22 |
|
23 from oslo.serialization import jsonutils |
|
24 +from oslo.utils import strutils |
|
25 import requests |
|
26 import six |
|
27 from six.moves import urllib |
|
28 @@ -116,7 +117,7 @@ class S3Token(object): |
|
29 self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port) |
|
30 |
|
31 # SSL |
|
32 - insecure = conf.get('insecure', False) |
|
33 + insecure = strutils.bool_from_string(conf.get('insecure', False)) |
|
34 cert_file = conf.get('certfile') |
|
35 key_file = conf.get('keyfile') |
|
36 |
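Review bot: The replacement line `insecure = strutils.bool_from_string(conf.get('insecure', False))` carries no comment saying why the option now has to be parsed, and that reason is the security-relevant part of the change; add above it `# Config values arrive as strings, so a plain truthiness test treated 'false' as enabled and switched TLS verification off.` bool_from_string maps unrecognised values to False, so a typo in the option leaves certificate verification on (the safe direction) but does so silently; if the project wants misconfiguration surfaced at startup, `strict=True` makes it raise ValueError instead, though the new test_insecure_option later in this patch expects the silent fall-through for 'someweirdvalue', so that would be a deliberate change. The enclosing `__init__` starts and ends outside the hunk, so how `insecure` feeds `self.verify` is not visible here.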
|
37 --- python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py.~1~ 2014-12-18 09:37:35.000000000 -0800 |
|
38 +++ python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py 2015-04-14 14:23:09.919217052 -0700 |
|
39 @@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenM |
|
40 @mock.patch.object(requests, 'post') |
|
41 def test_insecure(self, MOCK_REQUEST): |
|
42 self.middleware = ( |
|
43 - s3_token.filter_factory({'insecure': True})(FakeApp())) |
|
44 + s3_token.filter_factory({'insecure': 'True'})(FakeApp())) |
|
45 |
|
46 text_return_value = jsonutils.dumps(GOOD_RESPONSE) |
|
47 if six.PY3: |
|
48 @@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenM |
|
49 mock_args, mock_kwargs = MOCK_REQUEST.call_args |
|
50 self.assertIs(mock_kwargs['verify'], False) |
|
51 |
|
52 + def test_insecure_option(self): |
|
53 + # insecure is passed as a string. |
|
54 + |
|
55 + # Some non-secure values. |
|
56 + true_values = ['true', 'True', '1', 'yes'] |
|
57 + for val in true_values: |
|
58 + config = {'insecure': val, 'certfile': 'false_ind'} |
|
59 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
60 + self.assertIs(False, middleware.verify) |
|
61 + |
|
62 + # Some "secure" values, including unexpected value. |
|
63 + false_values = ['false', 'False', '0', 'no', 'someweirdvalue'] |
|
64 + for val in false_values: |
|
65 + config = {'insecure': val, 'certfile': 'false_ind'} |
|
66 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
67 + self.assertEqual('false_ind', middleware.verify) |
|
68 + |
|
69 + # Default is secure. |
|
70 + config = {'certfile': 'false_ind'} |
|
71 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
72 + self.assertIs('false_ind', middleware.verify) |
|
73 + |
|
74 |
|
75 class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase): |
|
76 def setUp(self): |
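Review bot: The final assertion of the new test_insecure_option, `self.assertIs('false_ind', middleware.verify)`, compares two str objects by identity, which only passes because CPython happens to intern that literal; it should be `self.assertEqual('false_ind', middleware.verify)`, matching the assertion already used in the false_values loop a few lines above. The `self.assertIs(False, middleware.verify)` checks in the true_values loop are fine since False is a singleton. The test presumably relies on `verify` being set from certfile when insecure is off; that assignment is outside this patch's hunks.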