django_openstack_auth patch for CVE-2014-8124. This will be fixed in
a future version of django_openstack_auth

From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
From: eric <[email protected]>
Date: Mon, 8 Dec 2014 16:38:26 -0700
Subject: [PATCH] Horizon login page contains DOS attack mechanism

The horizon login page (and middleware) accesses the session
too early in the login process, which will create session records
in the session backend. This is especially problematic when non-cookie
backends are used.

Co-Authored-By: Tihomir Trifonov <[email protected]>
Co-Authored-By: Eric Peterson <[email protected]>

Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
Closes-Bug: 1394370

--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
+++ django_openstack_auth-1.1.3/openstack_auth/forms.py
22 @@ -96,7 +96,6 @@ class Login(AuthenticationForm): |
|
23 msg = 'Login failed for user "%(username)s".' % \ |
|
24 {'username': username} |
|
25 LOG.warning(msg) |
|
26 - self.request.session.flush() |
|
27 raise forms.ValidationError(exc) |
|
28 if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7 |
|
29 self.check_for_test_cookie() |
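Review bot: the removal of `self.request.session.flush()` in the failed-login branch covers only the forms.py half of what the commit message describes; the message also says the middleware touches the session too early, yet no middleware hunk is in this patch, so either add that change or state in the message that it is deferred (the page header already says a fuller fix is coming in a later release). Dropping the flush means a failed login no longer forces a session write, which is what produced a backend session record for every failed attempt, but it also means any session state set earlier in the request now survives the failure: confirm that nothing on the validation path stores data that should be discarded when authentication fails, and verify that the `check_for_test_cookie()` call left in the context lines does not itself cause the session to be saved, or the per-attempt record would still be created on Django versions that have that method.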