components/openstack/keystone/patches/07-CVE-2014-2828.patch
author Drew Fisher <drew.fisher@oracle.com>
Tue, 15 Apr 2014 07:31:13 -0700
branch s11-update
changeset 3077 3e8d5f02f4a0
permissions -rw-r--r--
18416129 neutron-l3-agent should include dependency on ipfilter service
18407503 neutron net-delete doesn't delete subnets/ports with no VM associated
18545343 nova-conductor's method shouldn't try to enable mysql
18545393 cinder-volume's method shouldn't try to enable iscsi/target
18545462 Some panels, menus, and options should be removed from Horizon
18545581 upstream bug 1187129 should be patched in
18551500 keystone's SMF method shouldn't try to enable mysql
18553610 problem in SERVICE/KEYSTONE

Upstream patch for Launchpad bug 1300274 (CVE-2014-2828): the Identity v3 authentication controller handed the request's list of method names back unchanged, so a client could repeat the same method many times in one request and have it dispatched that many times, a denial-of-service vector.

Fixed upstream in Havana 2013.2.4 and Icehouse 2014.1. The hunks below are that change rebased onto the keystone-2013.1.4 (Grizzly) tree named in the diff headers.

From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
From: Florent Flament <[email protected]>
Date: Tue, 1 Apr 2014 12:48:22 +0000
Subject: Sanitizes authentication methods received in requests.

When a user authenticates against Identity V3 API, he can specify
multiple authentication methods. This patch removes duplicates, which
could have been used to achieve DoS attacks.

Closes-Bug: 1300274
(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
Cherry-pick from https://review.openstack.org/#/c/84425/

Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab

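The following is an added, constructed model of the amplification the commit message describes; it is not Keystone code and none of its names (`CountingPlugin`, `authenticate`, `compare`, `build_request`) exist in the project. It runs one v3-style auth body through a pre-patch `get_method_names` that returns the list verbatim and a post-patch variant that de-duplicates while keeping first-occurrence order, and counts how often each plugin is dispatched. The de-duplication here uses a set for the membership test, which is a deliberate departure from the list-based loop in the hunk below so the check stays linear in the length of the attacker-controlled list.

```python
# Constructed model of the amplification behind CVE-2014-2828 (not Keystone
# code). The request body is the attacker's only input; every name listed in
# auth.identity.methods causes one plugin dispatch.


class CountingPlugin:
    """Stand-in for an auth plugin; records how often it is invoked."""

    def __init__(self, name, unit_cost):
        self.name = name
        self.unit_cost = unit_cost   # notional cost of one verification
        self.calls = 0

    def authenticate(self, method_data):
        self.calls += 1
        return self.unit_cost


def raw_method_names(auth):
    """Pre-patch behaviour: hand back the request's list untouched."""
    return auth['identity']['methods']


def sanitized_method_names(auth):
    """Post-patch behaviour: drop duplicates, keep first-occurrence order.

    A set backs the membership test so the loop is O(n) even when the
    request lists thousands of names (the upstream hunk tests against
    the growing list instead, which is quadratic).
    """
    seen = set()
    ordered = []
    for method in auth['identity']['methods']:
        if method not in seen:
            seen.add(method)
            ordered.append(method)
    return ordered


def authenticate(auth, plugins, get_method_names):
    """Mirror of the per-method dispatch loop: one plugin call per name.

    Returns the total notional work done for this request; an unknown
    method name is rejected, as Keystone does for unsupported methods.
    """
    work = 0
    for name in get_method_names(auth):
        if name not in plugins:
            raise ValueError('unsupported auth method: %s' % name)
        work += plugins[name].authenticate(auth['identity'].get(name, {}))
    return work


def build_request(methods):
    """Constructed v3 auth body; the credentials are placeholders."""
    return {'identity': {'methods': list(methods),
                         'password': {'user': {'id': 'test',
                                               'password': 'test'}},
                         'token': {'id': 'test'}}}


def compare(methods):
    """Run one request through both variants; return per-plugin call counts."""
    results = {}
    for label, getter in (('raw', raw_method_names),
                          ('sanitized', sanitized_method_names)):
        plugins = {'password': CountingPlugin('password', 10),
                   'token': CountingPlugin('token', 1)}
        work = authenticate(build_request(methods), plugins, getter)
        results[label] = {'password_calls': plugins['password'].calls,
                          'token_calls': plugins['token'].calls,
                          'work': work}
    return results


if __name__ == '__main__':
    # An attacker repeats 'password' a thousand times in a single request.
    print(compare(['password'] * 1000 + ['token']))
```

With the raw getter the password plugin runs once per repetition, so one request costs the server a thousand verifications; with the sanitized getter it runs once, and the token plugin once, regardless of how long the list is.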
--- keystone-2013.1.4/keystone/auth/controllers.py.orig	2014-04-10 14:46:27.890585026 -0600
+++ keystone-2013.1.4/keystone/auth/controllers.py	2014-04-10 14:47:53.783687911 -0600
@@ -228,7 +228,13 @@
         :returns: list of auth method names
 
         """
-        return self.auth['identity']['methods']
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names
 
     def get_method_data(self, method):
         """ Get the auth method payload.
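Review bot: the membership test `if method not in method_names` runs against the growing list, so the loop is quadratic in the length of the request-supplied `methods` array; given that the bug being fixed is request-driven resource consumption, track seen names in a set next to the ordered list (`seen = set()` then `if method not in seen: seen.add(method); method_names.append(method)`), or cap the number of accepted method names during request validation before this point. The docstring's `:returns: list of auth method names` should also say the list is de-duplicated, since callers now get something other than the raw body.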
--- keystone-2013.1.4/tests/test_v3_auth.py.orig	2014-04-10 14:50:45.929495618 -0600
+++ keystone-2013.1.4/tests/test_v3_auth.py	2014-04-10 14:50:48.764440233 -0600
@@ -83,6 +83,17 @@
                           None,
                           auth_data)
 
+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
 
 class TestTokenAPIs(test_v3.RestfulTestCase):
     def setUp(self):
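Review bot: the test checks that duplicates are dropped but not which occurrence wins; since the new code is meant to keep element order, add an input where the repeated name is not first (for example `['token', 'password', 'token']` expecting `['token', 'password']`) so a later rewrite to an unordered set would fail here rather than silently change the method order. Style: the inserted method is followed by a single blank line before `class TestTokenAPIs`; PEP 8 (E302) wants two.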