1 This upstream patch addresses CVE-2015-1852 in keystonemiddleware. It |
|
3 can be removed once keystoneclient 1.6.0 or later is |
|
3 integrated. |
|
4 |
|
5 From 59f720ccc9a92da025baf7dc692e8e582ebfae0a Mon Sep 17 00:00:00 2001 |
|
6 From: Brant Knudson <[email protected]> |
|
7 Date: Mon, 23 Mar 2015 18:19:18 -0500 |
|
8 Subject: [PATCH] Fix s3_token middleware parsing insecure option |
|
9 |
|
10 The "insecure" option was being treated as a bool when it was |
|
11 actually provided as a string. The fix is to parse the string to |
|
12 a bool. |
|
13 |
|
14 Closes-Bug: 1411063 |
|
15 Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3 |
|
16 --- |
|
17 keystonemiddleware/s3_token.py | 3 ++- |
|
18 .../tests/test_s3_token_middleware.py | 24 +++++++++++++++++++- |
|
19 2 files changed, 25 insertions(+), 2 deletions(-) |
|
20 |
|
21 diff --git a/keystonemiddleware/s3_token.py b/keystonemiddleware/s3_token.py |
|
22 index 37bcf4c..6c716c3 100644 |
|
23 --- a/keystonemiddleware/s3_token.py |
|
24 +++ b/keystonemiddleware/s3_token.py |
|
25 @@ -35,6 +35,7 @@ import logging |
|
26 import webob |
|
27 |
|
28 from oslo.serialization import jsonutils |
|
29 +from oslo.utils import strutils |
|
30 import requests |
|
31 import six |
|
32 from six.moves import urllib |
|
33 @@ -116,7 +117,7 @@ class S3Token(object): |
|
34 auth_port) |
|
35 |
|
36 # SSL |
|
37 - insecure = conf.get('insecure', False) |
|
38 + insecure = strutils.bool_from_string(conf.get('insecure', False)) |
|
39 cert_file = conf.get('certfile') |
|
40 key_file = conf.get('keyfile') |
|
41 |
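Review bot: The new `insecure = strutils.bool_from_string(conf.get('insecure', False))` line parses in non-strict mode, so any unrecognised value (the test uses 'someweirdvalue') silently resolves to insecure=False; that direction is fail-safe (certificate verification stays on), but a misspelt 'true' is also swallowed with no log line, which is worth stating. I would add a why-comment above the line, `# Paste Deploy hands every option over as a string; parse explicitly, since bool('False') is truthy.`, so the next maintainer does not revert to conf.get(). If a misconfiguration should instead fail loudly at startup, and the oslo.utils version in use supports it, `strict=True` on the bool_from_string call would raise ValueError on unrecognised values rather than defaulting. The enclosing method starts and ends outside the hunk, so whether the parsed value is logged anywhere cannot be seen here.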
|
42 diff --git a/keystonemiddleware/tests/test_s3_token_middleware.py b/keystonemiddleware/tests/test_s3_token_middleware.py |
|
43 index bf94391..6545fa3 100644 |
|
44 --- a/keystonemiddleware/tests/test_s3_token_middleware.py |
|
45 +++ b/keystonemiddleware/tests/test_s3_token_middleware.py |
|
46 @@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase): |
|
47 @mock.patch.object(requests, 'post') |
|
48 def test_insecure(self, MOCK_REQUEST): |
|
49 self.middleware = ( |
|
50 - s3_token.filter_factory({'insecure': True})(FakeApp())) |
|
51 + s3_token.filter_factory({'insecure': 'True'})(FakeApp())) |
|
52 |
|
53 text_return_value = jsonutils.dumps(GOOD_RESPONSE) |
|
54 if six.PY3: |
|
55 @@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase): |
|
56 mock_args, mock_kwargs = MOCK_REQUEST.call_args |
|
57 self.assertIs(mock_kwargs['verify'], False) |
|
58 |
|
59 + def test_insecure_option(self): |
|
60 + # insecure is passed as a string. |
|
61 + |
|
62 + # Some non-secure values. |
|
63 + true_values = ['true', 'True', '1', 'yes'] |
|
64 + for val in true_values: |
|
65 + config = {'insecure': val, 'certfile': 'false_ind'} |
|
66 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
67 + self.assertIs(False, middleware._verify) |
|
68 + |
|
69 + # Some "secure" values, including unexpected value. |
|
70 + false_values = ['false', 'False', '0', 'no', 'someweirdvalue'] |
|
71 + for val in false_values: |
|
72 + config = {'insecure': val, 'certfile': 'false_ind'} |
|
73 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
74 + self.assertEqual('false_ind', middleware._verify) |
|
75 + |
|
76 + # Default is secure. |
|
77 + config = {'certfile': 'false_ind'} |
|
78 + middleware = s3_token.filter_factory(config)(FakeApp()) |
|
79 + self.assertIs('false_ind', middleware._verify) |
|
80 + |
|
81 |
|
82 class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase): |
|
83 def setUp(self): |
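Review bot: The "Default is secure" check in test_insecure_option asserts identity between two str objects, `self.assertIs('false_ind', middleware._verify)`, which only passes because CPython happens to intern that literal; the intent is equality, as the loop a few lines above already writes it, so it should read `self.assertEqual('false_ind', middleware._verify)`. The identity assertions on False in the same test are fine, since False is a singleton. Note also that the true_values list covers only four of the spellings bool_from_string accepts; that is acceptable for a regression test, but a short comment naming the helper under test, `# Values recognised by strutils.bool_from_string.`, would make the lists self-explaining.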
|
84 -- |
|
85 1.7.9.2 |
|
86 |
|