components/python/django_openstack_auth/patches/CVE-2014-8124.patch
author Drew Fisher <drew.fisher@oracle.com>
Fri, 19 Dec 2014 14:29:54 -0800
branchs11-update
changeset 3564 8c7929b76aec
permissions -rw-r--r--
20192118 problem in SERVICE/HORIZON 20192127 problem in PYTHON-MOD/OPENSTACK-AUTH

django_openstack_auth patch for CVE-2014-8124.  This will be fixed in
a future version of django_openstack_auth

From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
From: eric <[email protected]>
Date: Mon, 8 Dec 2014 16:38:26 -0700
Subject: [PATCH] Horizon login page contains DOS attack mechanism

The horizon login page (and middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Co-Authored-By: Tihomir Trifonov <[email protected]>
Co-Authored-By: Eric Peterson <[email protected]>

Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
Closes-Bug: 1394370
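
The mechanism the commit message describes, as an added example that is not code from the django_openstack_auth patch or from Django itself: a small model of Django-style lazy sessions (loaded only when read, persisted only when modified or flushed) in a backend that costs one record per saved key. It shows why a `session.flush()` on the failed-login path lets an unauthenticated client create one backend record per attempt, and why the same path without the flush creates none. All class and function names (`BackendStore`, `LazySession`, `login_attempt`, `records_after_failed_logins`) are constructed for illustration.

```python
"""Added example, not from the patch or from Django: a simplified model of
lazy sessions to show the cost of flushing on a failed login."""

import secrets


class BackendStore:
    """Stands in for a non-cookie session backend (database, cache, file).
    Every saved session key costs one record here."""

    def __init__(self):
        self.records = {}

    def save(self, key, data):
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)

    def load(self, key):
        return dict(self.records.get(key, {}))


class LazySession:
    """Loads only when data is read, and persists only when modified or flushed
    (a simplified model of Django's SessionBase, not its code)."""

    def __init__(self, store, key=None):
        self._store = store
        self.key = key
        self._data = None
        self.modified = False

    def _load(self):
        if self._data is None:
            self._data = self._store.load(self.key) if self.key else {}
        return self._data

    def get(self, name, default=None):
        return self._load().get(name, default)

    def __setitem__(self, name, value):
        self._load()[name] = value
        self.modified = True

    def flush(self):
        # Drop the old record and start a fresh, empty session under a new key.
        # The new key is written at save time, so even an empty session costs a record.
        if self.key:
            self._store.delete(self.key)
        self.key = secrets.token_hex(16)
        self._data = {}
        self.modified = True

    def save_if_needed(self):
        # Session middleware persists the session only when it was modified.
        if self.modified:
            if self.key is None:
                self.key = secrets.token_hex(16)
            self._store.save(self.key, self._data or {})
        self.modified = False


def login_attempt(store, username, password, flush_on_failure):
    """One unauthenticated request to the login form. Returns True on success."""
    session = LazySession(store)              # anonymous client: no cookie, no key yet
    ok = username == "admin" and password == "correct horse"   # constructed credentials
    if ok:
        session["user_id"] = 1                # a real login legitimately needs a record
    elif flush_on_failure:
        session.flush()                       # the call the patch removes
    session.save_if_needed()                  # end-of-request middleware behaviour
    return ok


def records_after_failed_logins(attempts, flush_on_failure):
    """Number of backend records left behind by `attempts` failed logins."""
    store = BackendStore()
    for i in range(attempts):
        login_attempt(store, "admin", "wrong-%d" % i, flush_on_failure)
    return len(store.records)


if __name__ == "__main__":
    print("unpatched (flush on failure):", records_after_failed_logins(1000, True))
    print("patched   (no flush):        ", records_after_failed_logins(1000, False))
```

The operational check this suggests for a deployment using a database or cache session backend is simple: the number of session records should not grow with the number of failed login attempts. If it does, the unauthenticated path is still writing to the session somewhere.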

--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
+++ django_openstack_auth-1.1.3/openstack_auth/forms.py
@@ -96,7 +96,6 @@ class Login(AuthenticationForm):
             msg = 'Login failed for user "%(username)s".' % \
                 {'username': username}
             LOG.warning(msg)
-            self.request.session.flush()
             raise forms.ValidationError(exc)
         if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
             self.check_for_test_cookie()
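Review bot: removing `self.request.session.flush()` from the failure path covers only the form half of what the commit message describes ("the horizon login page (and middleware)"); this diff touches openstack_auth/forms.py alone, so confirm the middleware-side change is either already present in django_openstack_auth-1.1.3 or carried in a separate patch, otherwise unauthenticated requests can still create backend records before this form runs. A short comment at the failure branch (or in the patch header) that the failed-login path must not write to the session would also help, since the remaining context lines still read the session via `check_for_test_cookie` and a later change could reintroduce a write there without anyone noticing.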