components/python/django_openstack_auth/patches/CVE-2014-8124.patch
branch s11u2-sru
changeset 3612 b2728fae8d90
3611:e09fa6c4472b 3612:b2728fae8d90
django_openstack_auth patch for CVE-2014-8124.  This will be fixed in
a future version of django_openstack_auth

From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
From: eric <[email protected]>
Date: Mon, 8 Dec 2014 16:38:26 -0700
Subject: [PATCH] Horizon login page contains DOS attack mechanism

The Horizon login page (and middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Co-Authored-By: Tihomir Trifonov <[email protected]>
Co-Authored-By: Eric Peterson <[email protected]>

Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
Closes-Bug: 1394370

    20 --- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
    21 +++ django_openstack_auth-1.1.3/openstack_auth/forms.py
    22 @@ -96,7 +96,6 @@ class Login(AuthenticationForm):
    23              msg = 'Login failed for user "%(username)s".' % \
    24                  {'username': username}
    25              LOG.warning(msg)
    26 -            self.request.session.flush()
    27              raise forms.ValidationError(exc)
    28          if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
    29              self.check_for_test_cookie()
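Review bot: the only change in this backport is dropping `self.request.session.flush()` from the failed-login branch of `Login.clean()` in forms.py, while the commit message attributes the problem to both the login page and the middleware; the Solaris patch header (the first two lines of the file) should state whether this single hunk is the complete backport for CVE-2014-8124 or only the forms.py part, so package maintainers can tell what remains unfixed. It is also worth a sentence in that header noting the behavioural consequence of the removal: a failed login no longer discards any existing session, which is the intended outcome here (no session write before authentication succeeds, so unauthenticated requests cannot fill a server-side session backend), but readers of the package will otherwise see a removed safeguard with no explanation.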