Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/keystone/patches/04-CVE-2014-2828.patch
changeset 1944 56ac2df1785b 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/04-CVE-2014-2828.patch	Wed Jun 11 17:13:12 2014 -0700
@@ -0,0 +1,64 @@
+Upstream patch for bug 1300274.
+
+Fixed in Havana 2013.2.4, Icehouse 2014.1
+
+From: Florent Flament <[email protected]>
+Date: Tue, 1 Apr 2014 12:48:22 +0000 (+0000)
+Subject: Sanitizes authentication methods received in requests.
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
+
+Sanitizes authentication methods received in requests.
+
+When a user authenticates against Identity V3 API, he can specify
+multiple authentication methods. This patch removes duplicates, which
+could have been used to achieve DoS attacks.
+
+Closes-Bug: 1300274
+(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
+Cherry-pick from https://review.openstack.org/#/c/84425/
+
+Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
+---
+
+diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
+index c3399df..4944316 100644
+--- a/keystone/auth/controllers.py
++++ b/keystone/auth/controllers.py
+@@ -225,7 +225,13 @@ class AuthInfo(object):
+         :returns: list of auth method names
+ 
+         """
+-        return self.auth['identity']['methods'] or []
++        # Sanitizes methods received in request's body
++        # Filters out duplicates, while keeping elements' order.
++        method_names = []
++        for method in self.auth['identity']['methods']:
++            if method not in method_names:
++                method_names.append(method)
++        return method_names
+ 
+     def get_method_data(self, method):
+         """Get the auth method payload.
+diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
+index d07e6ae..e89e29f 100644
+--- a/keystone/tests/test_v3_auth.py
++++ b/keystone/tests/test_v3_auth.py
+@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
+                           None,
+                           auth_data)
+ 
++    def test_get_method_names_duplicates(self):
++        auth_data = self.build_authentication_request(
++            token='test',
++            user_id='test',
++            password='test')['auth']
++        auth_data['identity']['methods'] = ['password', 'token',
++                                            'password', 'password']
++        context = None
++        auth_info = auth.controllers.AuthInfo(context, auth_data)
++        self.assertEqual(auth_info.get_method_names(),
++                         ['password', 'token'])
++
+     def test_get_method_data_invalid_method(self):
+         auth_data = self.build_authentication_request(
+             user_id='test',
upstream/oracle/userland-gate