components/openstack/horizon/patches/14-CVE-2014-8124.patch
branchs11-update
changeset 3564 8c7929b76aec
3562:d0d2750c6f52 3564:8c7929b76aec
       
     1 Upstream patch to fix CVE-2014-8124.  This will be fixed in future
       
     2 2014.1.3 and 2014.2.1 releases.
       
     3 
       
     4 From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
       
     5 From: lin-hua-cheng <[email protected]>
       
     6 Date: Mon, 1 Dec 2014 18:16:15 -0800
       
     7 Subject: [PATCH] Horizon login page contains DOS attack mechanism
       
     8 
       
     9 the horizon login page (really the middleware) accesses the session
       
    10 too early in the login process, which will create session records
       
    11 in the session backend.  This is especially problematic when non-cookie
       
    12 backends are used.
       
    13 
       
    14 Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
       
    15 Closes-Bug: 1394370
       
    16 
       
    17 --- horizon-2013.2.3/horizon/middleware.py.orig	2014-12-10 12:59:24.714541383 -0700
       
    18 +++ horizon-2013.2.3/horizon/middleware.py	2014-12-10 13:00:30.362642269 -0700
       
    19 @@ -49,6 +49,17 @@ class HorizonMiddleware(object):
       
    20  
       
    21      def process_request(self, request):
       
    22          """ Adds data necessary for Horizon to function to the request. """
       
    23 +
       
    24 +        request.horizon = {'dashboard': None,
       
    25 +                           'panel': None,
       
    26 +                           'async_messages': []}
       
    27 +        if not hasattr(request, "user") or not request.user.is_authenticated():
       
    28 +            # proceed no further if the current request is already known
       
    29 +            # not to be authenticated
       
    30 +            # it is CRITICAL to perform this check as early as possible
       
    31 +            # to avoid creating too many sessions
       
    32 +            return None
       
    33 +
       
    34          # Activate timezone handling
       
    35          tz = request.session.get('django_timezone')
       
    36          if tz:
       
    37 @@ -62,9 +73,6 @@ class HorizonMiddleware(object):
       
    38  
       
    39          last_activity = request.session.get('last_activity', None)
       
    40          timestamp = int(time.time())
       
    41 -        request.horizon = {'dashboard': None,
       
    42 -                           'panel': None,
       
    43 -                           'async_messages': []}
       
    44          if (isinstance(last_activity, int)
       
    45                  and (timestamp - last_activity) > timeout):
       
    46              request.session.pop('last_activity')
       
    47 --- horizon-2013.2.3/openstack_dashboard/views.py.orig	2014-12-10 13:01:22.648498614 -0700
       
    48 +++ horizon-2013.2.3/openstack_dashboard/views.py	2014-12-10 13:01:29.987667852 -0700
       
    49 @@ -33,6 +33,4 @@ def splash(request):
       
    50      if request.user.is_authenticated():
       
    51          return shortcuts.redirect(get_user_home(request.user))
       
    52      form = views.Login(request)
       
    53 -    request.session.clear()
       
    54 -    request.session.set_test_cookie()
       
    55      return shortcuts.render(request, 'splash.html', {'form': form})
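Review bot: The `process_request` docstring at the top of the middleware.py hunk still reads as if the method always decorates the request, but the new guard returns `None` before the timezone and `last_activity` handling whenever the request is anonymous; the docstring should say so, e.g. `""" Adds data necessary for Horizon to function to the request. Returns early for unauthenticated requests so the session is not written (CVE-2014-8124). """`. The body of `process_request` continues outside the hunk. In the views.py hunk, dropping `request.session.clear()` from `splash` also removes the explicit discard of any pre-login session; that is harmless if the login path cycles or flushes the session key on successful authentication (Django's `auth.login()` is expected to), but that is not visible here and is worth confirming in this 2013.2.3 tree. Note too that `request.user.is_authenticated()` on a lazy user presumably still reads the session to resolve the user; the change avoids the session writes that created backend records, which is what the commit message claims, not all session access.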