--- a/components/openstack/keystone/patches/04-CVE-2014-2828.patch Fri Mar 20 22:56:27 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,64 +0,0 @@
-Upstream patch for bug 1300274.
-
-Fixed in Havana 2013.2.4, Icehouse 2014.1
-
-From: Florent Flament <[email protected]>
-Date: Tue, 1 Apr 2014 12:48:22 +0000 (+0000)
-Subject: Sanitizes authentication methods received in requests.
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
-
-Sanitizes authentication methods received in requests.
-
-When a user authenticates against Identity V3 API, he can specify
-multiple authentication methods. This patch removes duplicates, which
-could have been used to achieve DoS attacks.
-
-Closes-Bug: 1300274
-(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
-Cherry-pick from https://review.openstack.org/#/c/84425/
-
-Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
----
-
-diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
-index c3399df..4944316 100644
---- a/keystone/auth/controllers.py
-+++ b/keystone/auth/controllers.py
-@@ -225,7 +225,13 @@ class AuthInfo(object):
- :returns: list of auth method names
-
- """
-- return self.auth['identity']['methods'] or []
-+ # Sanitizes methods received in request's body
-+ # Filters out duplicates, while keeping elements' order.
-+ method_names = []
-+ for method in self.auth['identity']['methods']:
-+ if method not in method_names:
-+ method_names.append(method)
-+ return method_names
-
- def get_method_data(self, method):
- """Get the auth method payload.
-diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
-index d07e6ae..e89e29f 100644
---- a/keystone/tests/test_v3_auth.py
-+++ b/keystone/tests/test_v3_auth.py
-@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
- None,
- auth_data)
-
-+ def test_get_method_names_duplicates(self):
-+ auth_data = self.build_authentication_request(
-+ token='test',
-+ user_id='test',
-+ password='test')['auth']
-+ auth_data['identity']['methods'] = ['password', 'token',
-+ 'password', 'password']
-+ context = None
-+ auth_info = auth.controllers.AuthInfo(context, auth_data)
-+ self.assertEqual(auth_info.get_method_names(),
-+ ['password', 'token'])
-+
- def test_get_method_data_invalid_method(self):
- auth_data = self.build_authentication_request(
- user_id='test',