Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/python/keystonemiddleware/patches/CVE-2015-1852.patch
author Devjani Ray <devjani.ray@oracle.com>
Mon, 20 Apr 2015 12:33:41 -0400
changeset 4149 66170a6a2d90
permissions -rw-r--r--
20885269 problem in PYTHON-MOD/KEYSTONEMIDDLE 20885288 problem in SERVICE/KEYSTONE

This upstream patch addresses CVE-2015-1852 in keystonemiddleware. It
should be able to be removed when keystoneclient 1.6.0 or later is
integrated.

From 59f720ccc9a92da025baf7dc692e8e582ebfae0a Mon Sep 17 00:00:00 2001
From: Brant Knudson <[email protected]>
Date: Mon, 23 Mar 2015 18:19:18 -0500
Subject: [PATCH] Fix s3_token middleware parsing insecure option

The "insecure" option was being treated as a bool when it was
actually provided as a string. The fix is to parse the string to
a bool.

Closes-Bug: 1411063
Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
---
 keystonemiddleware/s3_token.py                     |    3 ++-
 .../tests/test_s3_token_middleware.py              |   24 +++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/keystonemiddleware/s3_token.py b/keystonemiddleware/s3_token.py
index 37bcf4c..6c716c3 100644
--- a/keystonemiddleware/s3_token.py
+++ b/keystonemiddleware/s3_token.py
@@ -35,6 +35,7 @@ import logging
 import webob
 
 from oslo.serialization import jsonutils
+from oslo.utils import strutils
 import requests
 import six
 from six.moves import urllib
@@ -116,7 +117,7 @@ class S3Token(object):
                                             auth_port)
 
         # SSL
-        insecure = conf.get('insecure', False)
+        insecure = strutils.bool_from_string(conf.get('insecure', False))
         cert_file = conf.get('certfile')
         key_file = conf.get('keyfile')
 
diff --git a/keystonemiddleware/tests/test_s3_token_middleware.py b/keystonemiddleware/tests/test_s3_token_middleware.py
index bf94391..6545fa3 100644
--- a/keystonemiddleware/tests/test_s3_token_middleware.py
+++ b/keystonemiddleware/tests/test_s3_token_middleware.py
@@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
     @mock.patch.object(requests, 'post')
     def test_insecure(self, MOCK_REQUEST):
         self.middleware = (
-            s3_token.filter_factory({'insecure': True})(FakeApp()))
+            s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
 
         text_return_value = jsonutils.dumps(GOOD_RESPONSE)
         if six.PY3:
@@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
         mock_args, mock_kwargs = MOCK_REQUEST.call_args
         self.assertIs(mock_kwargs['verify'], False)
 
+    def test_insecure_option(self):
+        # insecure is passed as a string.
+
+        # Some non-secure values.
+        true_values = ['true', 'True', '1', 'yes']
+        for val in true_values:
+            config = {'insecure': val, 'certfile': 'false_ind'}
+            middleware = s3_token.filter_factory(config)(FakeApp())
+            self.assertIs(False, middleware._verify)
+
+        # Some "secure" values, including unexpected value.
+        false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
+        for val in false_values:
+            config = {'insecure': val, 'certfile': 'false_ind'}
+            middleware = s3_token.filter_factory(config)(FakeApp())
+            self.assertEqual('false_ind', middleware._verify)
+
+        # Default is secure.
+        config = {'certfile': 'false_ind'}
+        middleware = s3_token.filter_factory(config)(FakeApp())
+        self.assertIs('false_ind', middleware._verify)
+
 
 class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
     def setUp(self):
-- 
1.7.9.2
upstream/oracle/userland-gate