components/openstack/horizon/patches/14-CVE-2014-8124.patch
branch s11u2-sru
changeset 4156 4b1def16fe9b
parent 4146 097063f324c0
child 4157 92532a6159e7
--- a/components/openstack/horizon/patches/14-CVE-2014-8124.patch	Thu Apr 16 01:36:32 2015 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-Upstream patch to fix CVE-2014-8124.  This will be fixed in future
-2014.1.3 and 2014.2.1 releases.
-
-From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
-From: lin-hua-cheng <[email protected]>
-Date: Mon, 1 Dec 2014 18:16:15 -0800
-Subject: [PATCH] Horizon login page contains DOS attack mechanism
-
-the horizon login page (really the middleware) accesses the session
-too early in the login process, which will create session records
-in the session backend.  This is especially problematic when non-cookie
-backends are used.
-
-Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
-Closes-Bug: 1394370
-
---- horizon-2013.2.3/horizon/middleware.py.orig	2014-12-10 12:59:24.714541383 -0700
-+++ horizon-2013.2.3/horizon/middleware.py	2014-12-10 13:00:30.362642269 -0700
-@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
- 
-     def process_request(self, request):
-         """ Adds data necessary for Horizon to function to the request. """
-+
-+        request.horizon = {'dashboard': None,
-+                           'panel': None,
-+                           'async_messages': []}
-+        if not hasattr(request, "user") or not request.user.is_authenticated():
-+            # proceed no further if the current request is already known
-+            # not to be authenticated
-+            # it is CRITICAL to perform this check as early as possible
-+            # to avoid creating too many sessions
-+            return None
-+
-         # Activate timezone handling
-         tz = request.session.get('django_timezone')
-         if tz:
-@@ -62,9 +73,6 @@ class HorizonMiddleware(object):
- 
-         last_activity = request.session.get('last_activity', None)
-         timestamp = int(time.time())
--        request.horizon = {'dashboard': None,
--                           'panel': None,
--                           'async_messages': []}
-         if (isinstance(last_activity, int)
-                 and (timestamp - last_activity) > timeout):
-             request.session.pop('last_activity')
---- horizon-2013.2.3/openstack_dashboard/views.py.orig	2014-12-10 13:01:22.648498614 -0700
-+++ horizon-2013.2.3/openstack_dashboard/views.py	2014-12-10 13:01:29.987667852 -0700
-@@ -33,6 +33,4 @@ def splash(request):
-     if request.user.is_authenticated():
-         return shortcuts.redirect(get_user_home(request.user))
-     form = views.Login(request)
--    request.session.clear()
--    request.session.set_test_cookie()
-     return shortcuts.render(request, 'splash.html', {'form': form})