--- a/components/openstack/horizon/patches/14-CVE-2014-8124.patch Thu Apr 16 01:36:32 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-Upstream patch to fix CVE-2014-8124. This will be fixed in future
-2014.1.3 and 2014.2.1 releases.
-
-From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
-From: lin-hua-cheng <[email protected]>
-Date: Mon, 1 Dec 2014 18:16:15 -0800
-Subject: [PATCH] Horizon login page contains DOS attack mechanism
-
-the horizon login page (really the middleware) accesses the session
-too early in the login process, which will create session records
-in the session backend. This is especially problematic when non-cookie
-backends are used.
-
-Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
-Closes-Bug: 1394370
-
---- horizon-2013.2.3/horizon/middleware.py.orig 2014-12-10 12:59:24.714541383 -0700
-+++ horizon-2013.2.3/horizon/middleware.py 2014-12-10 13:00:30.362642269 -0700
-@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
-
- def process_request(self, request):
- """ Adds data necessary for Horizon to function to the request. """
-+
-+ request.horizon = {'dashboard': None,
-+ 'panel': None,
-+ 'async_messages': []}
-+ if not hasattr(request, "user") or not request.user.is_authenticated():
-+ # proceed no further if the current request is already known
-+ # not to be authenticated
-+ # it is CRITICAL to perform this check as early as possible
-+ # to avoid creating too many sessions
-+ return None
-+
- # Activate timezone handling
- tz = request.session.get('django_timezone')
- if tz:
-@@ -62,9 +73,6 @@ class HorizonMiddleware(object):
-
- last_activity = request.session.get('last_activity', None)
- timestamp = int(time.time())
-- request.horizon = {'dashboard': None,
-- 'panel': None,
-- 'async_messages': []}
- if (isinstance(last_activity, int)
- and (timestamp - last_activity) > timeout):
- request.session.pop('last_activity')
---- horizon-2013.2.3/openstack_dashboard/views.py.orig 2014-12-10 13:01:22.648498614 -0700
-+++ horizon-2013.2.3/openstack_dashboard/views.py 2014-12-10 13:01:29.987667852 -0700
-@@ -33,6 +33,4 @@ def splash(request):
- if request.user.is_authenticated():
- return shortcuts.redirect(get_user_home(request.user))
- form = views.Login(request)
-- request.session.clear()
-- request.session.set_test_cookie()
- return shortcuts.render(request, 'splash.html', {'form': form})