|
1 Upstream patch to fix CVE-2014-8124. The same fix will ship in the |
|
2 2014.1.3 and 2014.2.1 releases. |
|
3 |
|
4 From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001 |
|
5 From: lin-hua-cheng <[email protected]> |
|
6 Date: Mon, 1 Dec 2014 18:16:15 -0800 |
|
7 Subject: [PATCH] Horizon login page contains DOS attack mechanism |
|
8 |
|
9 The Horizon login page (really the middleware) accesses the session |
|
10 too early in the login process, which will create session records |
|
11 in the session backend. This is especially problematic when non-cookie |
|
12 backends are used. |
|
13 |
|
14 Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 |
|
15 Closes-Bug: 1394370 |
|
16 |
|
17 --- horizon-2013.2.3/horizon/middleware.py.orig 2014-12-10 12:59:24.714541383 -0700 |
|
18 +++ horizon-2013.2.3/horizon/middleware.py 2014-12-10 13:00:30.362642269 -0700 |
|
19 @@ -49,6 +49,17 @@ class HorizonMiddleware(object): |
|
20 |
|
21 def process_request(self, request): |
|
22 """ Adds data necessary for Horizon to function to the request. """ |
|
23 + |
|
24 + request.horizon = {'dashboard': None, |
|
25 + 'panel': None, |
|
26 + 'async_messages': []} |
|
27 + if not hasattr(request, "user") or not request.user.is_authenticated(): |
|
28 + # proceed no further if the current request is already known |
|
29 + # not to be authenticated |
|
30 + # it is CRITICAL to perform this check as early as possible |
|
31 + # to avoid creating too many sessions |
|
32 + return None |
|
33 + |
|
34 # Activate timezone handling |
|
35 tz = request.session.get('django_timezone') |
|
36 if tz: |
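Review bot: The new guard on the `request.user.is_authenticated()` line is not itself session-free: under Django's auth middleware `request.user` is resolved lazily by reading the session key out of `request.session`, so whether this line still touches the backend for a request carrying an unknown session cookie depends on what the configured backend's `load()` does for a missing key — confirm that against the Django version targeted rather than relying on the comment's claim. The comment should state the invariant the fix depends on, e.g. `# No request.session access may happen above this point: a session read or write here would persist a backend record for every unauthenticated hit (CVE-2014-8124).` The `hasattr(request, "user")` branch silently disables timezone and timeout handling when AuthenticationMiddleware is not installed; a log line there would make that misconfiguration visible instead of mute. `process_request` continues past the end of this hunk.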
|
37 @@ -62,9 +73,6 @@ class HorizonMiddleware(object): |
|
38 |
|
39 last_activity = request.session.get('last_activity', None) |
|
40 timestamp = int(time.time()) |
|
41 - request.horizon = {'dashboard': None, |
|
42 - 'panel': None, |
|
43 - 'async_messages': []} |
|
44 if (isinstance(last_activity, int) |
|
45 and (timestamp - last_activity) > timeout): |
|
46 request.session.pop('last_activity') |
|
47 --- horizon-2013.2.3/openstack_dashboard/views.py.orig 2014-12-10 13:01:22.648498614 -0700 |
|
48 +++ horizon-2013.2.3/openstack_dashboard/views.py 2014-12-10 13:01:29.987667852 -0700 |
|
49 @@ -33,6 +33,4 @@ def splash(request): |
|
50 if request.user.is_authenticated(): |
|
51 return shortcuts.redirect(get_user_home(request.user)) |
|
52 form = views.Login(request) |
|
53 - request.session.clear() |
|
54 - request.session.set_test_cookie() |
|
55 return shortcuts.render(request, 'splash.html', {'form': form}) |
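Review bot: Dropping `request.session.set_test_cookie()` removes the GET-side half of Django's test-cookie handshake; if the `views.Login` form or the POST handler it submits to still calls `request.session.test_cookie_worked()`, cookie-disabled-browser detection will now always report failure, so confirm that check is absent or unnecessary in the openstack_auth version this 2013.2.3 backport targets. Removing `request.session.clear()` also means stale data in an existing unauthenticated session is no longer wiped before the form is shown, which is fine only if the login path cycles the session key on success — that lives outside this diff. A comment at the removal site, e.g. `# Do not touch request.session here: any read or write persists a session record for every anonymous visit (CVE-2014-8124).`, would keep a later change from reintroducing the write.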