# HG changeset patch
# User Drew Fisher
# Date 1420839880 28800
# Node ID b2728fae8d90a13dae0c56cd9a8e3bf360dcc614
# Parent e09fa6c4472b8a49c5d624c4df50018a107ec3c9
20192118 problem in SERVICE/HORIZON 20192127 problem in PYTHON-MOD/OPENSTACK-AUTH
diff -r e09fa6c4472b -r b2728fae8d90 components/openstack/horizon/patches/14-CVE-2014-8124.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/14-CVE-2014-8124.patch Fri Jan 09 13:44:40 2015 -0800
@@ -0,0 +1,55 @@
+Upstream patch to fix CVE-2014-8124. This will be fixed in future
+2014.1.3 and 2014.2.1 releases.
+
+From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
+From: lin-hua-cheng
+Date: Mon, 1 Dec 2014 18:16:15 -0800
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend. This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+
+--- horizon-2013.2.3/horizon/middleware.py.orig 2014-12-10 12:59:24.714541383 -0700
++++ horizon-2013.2.3/horizon/middleware.py 2014-12-10 13:00:30.362642269 -0700
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+ def process_request(self, request):
+ """ Adds data necessary for Horizon to function to the request. """
++
++ request.horizon = {'dashboard': None,
++ 'panel': None,
++ 'async_messages': []}
++ if not hasattr(request, "user") or not request.user.is_authenticated():
++ # proceed no further if the current request is already known
++ # not to be authenticated
++ # it is CRITICAL to perform this check as early as possible
++ # to avoid creating too many sessions
++ return None
++
+ # Activate timezone handling
+ tz = request.session.get('django_timezone')
+ if tz:
+@@ -62,9 +73,6 @@ class HorizonMiddleware(object):
+ 
+ last_activity = request.session.get('last_activity', None)
+ timestamp = int(time.time())
+- request.horizon = {'dashboard': None,
+- 'panel': None,
+- 'async_messages': []}
+ if (isinstance(last_activity, int)
+ and (timestamp - last_activity) > timeout):
+ request.session.pop('last_activity')
+--- horizon-2013.2.3/openstack_dashboard/views.py.orig 2014-12-10 13:01:22.648498614 -0700
++++ horizon-2013.2.3/openstack_dashboard/views.py 2014-12-10 13:01:29.987667852 -0700
+@@ -33,6 +33,4 @@ def splash(request):
+ if 
request.user.is_authenticated():
+ return shortcuts.redirect(get_user_home(request.user))
+ form = views.Login(request)
+- request.session.clear()
+- request.session.set_test_cookie()
+ return shortcuts.render(request, 'splash.html', {'form': form})
diff -r e09fa6c4472b -r b2728fae8d90 components/python/django_openstack_auth/patches/CVE-2014-8124.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django_openstack_auth/patches/CVE-2014-8124.patch Fri Jan 09 13:44:40 2015 -0800
@@ -0,0 +1,29 @@
+django_openstack_auth patch for CVE-2014-8124. This will be fixed in
+a future version of django_openstack_auth
+
+From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
+From: eric
+Date: Mon, 8 Dec 2014 16:38:26 -0700
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (and middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend. This is especially problematic when non-cookie
+backends are used.
+
+Co-Authored-By: Tihomir Trifonov
+Co-Authored-By: Eric Peterson
+
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Closes-Bug: 1394370
+
+--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
++++ django_openstack_auth-1.1.3/openstack_auth/forms.py
+@@ -96,7 +96,6 @@ class Login(AuthenticationForm):
+ msg = 'Login failed for user "%(username)s".' % \
+ {'username': username}
+ LOG.warning(msg)
+- self.request.session.flush()
+ raise forms.ValidationError(exc)
+ if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7
+ self.check_for_test_cookie()
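Review bot: The views.py hunk at the end of this patch drops `request.session.set_test_cookie()` from `splash()`, yet the login form it feeds (`Login` in openstack_auth/forms.py, patched in the next hunk) still calls `self.check_for_test_cookie()` whenever that method exists; on a Django release where `check_for_test_cookie` really verifies the test cookie every login would then fail with a cookies-disabled error, whereas on the 1.4–1.6 line I believe it is only a deprecation no-op — confirm against the Django version Horizon is built against before shipping. The early return added to `process_request` is the right fix for the session-creation denial of service, but its comment only says the check must run early; I would add `# Unauthenticated requests stop here on purpose: everything below touches request.session, which is what created backend session records (CVE-2014-8124).` so nobody later moves session-reading code above it. The body of `process_request` continues past both inner hunks, so whether anything else below still writes to the session for anonymous users cannot be judged from here.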
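Review bot: Removing `self.request.session.flush()` from the failed-login path leaves the form with no session-key rotation of its own, so resistance to session fixation now rests entirely on `django.contrib.auth.login()` rotating the key on the success path, which is outside this hunk and should be confirmed for the Django version pinned here. Nothing in the remaining code explains why the flush is gone, so I would leave a one-line comment where it was: `# No session.flush() on failure: touching the session here created backend records (CVE-2014-8124); the key is rotated by auth.login() on success.` The enclosing method (presumably `clean()` of `Login`) starts and ends outside the hunk.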