20192118 problem in SERVICE/HORIZON s11-update
authorDrew Fisher <drew.fisher@oracle.com>
Fri, 19 Dec 2014 14:29:54 -0800
branchs11-update
changeset 3564 8c7929b76aec
parent 3562 d0d2750c6f52
child 3565 2d729d36ded7
20192118 problem in SERVICE/HORIZON 20192127 problem in PYTHON-MOD/OPENSTACK-AUTH
components/openstack/horizon/patches/14-CVE-2014-8124.patch
components/python/django_openstack_auth/patches/CVE-2014-8124.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/14-CVE-2014-8124.patch	Fri Dec 19 14:29:54 2014 -0800
@@ -0,0 +1,55 @@
+Upstream patch to fix CVE-2014-8124.  This will be fixed in future
+2014.1.3 and 2014.2.1 releases.
+
+From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
+From: lin-hua-cheng <[email protected]>
+Date: Mon, 1 Dec 2014 18:16:15 -0800
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+
+--- horizon-2013.2.3/horizon/middleware.py.orig	2014-12-10 12:59:24.714541383 -0700
++++ horizon-2013.2.3/horizon/middleware.py	2014-12-10 13:00:30.362642269 -0700
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+     def process_request(self, request):
+         """ Adds data necessary for Horizon to function to the request. """
++
++        request.horizon = {'dashboard': None,
++                           'panel': None,
++                           'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
++
+         # Activate timezone handling
+         tz = request.session.get('django_timezone')
+         if tz:
+@@ -62,9 +73,6 @@ class HorizonMiddleware(object):
+ 
+         last_activity = request.session.get('last_activity', None)
+         timestamp = int(time.time())
+-        request.horizon = {'dashboard': None,
+-                           'panel': None,
+-                           'async_messages': []}
+         if (isinstance(last_activity, int)
+                 and (timestamp - last_activity) > timeout):
+             request.session.pop('last_activity')
+--- horizon-2013.2.3/openstack_dashboard/views.py.orig	2014-12-10 13:01:22.648498614 -0700
++++ horizon-2013.2.3/openstack_dashboard/views.py	2014-12-10 13:01:29.987667852 -0700
+@@ -33,6 +33,4 @@ def splash(request):
+     if request.user.is_authenticated():
+         return shortcuts.redirect(get_user_home(request.user))
+     form = views.Login(request)
+-    request.session.clear()
+-    request.session.set_test_cookie()
+     return shortcuts.render(request, 'splash.html', {'form': form})
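Review bot: The new guard in `process_request` treats a request that has no `user` attribute exactly like an anonymous one, so the fix silently depends on middleware ordering. If `HorizonMiddleware` were ever listed ahead of Django's `AuthenticationMiddleware`, `hasattr(request, "user")` would be false for every request and the timezone activation and `last_activity` timeout handling below would be skipped for logged-in users without any error. I would state that dependency next to the check, for example `# requires AuthenticationMiddleware earlier in MIDDLEWARE_CLASSES; without request.user the session timeout below is never enforced`. A regression test asserting that an anonymous request to the splash page leaves `request.session` unmodified would keep the session-creation problem from coming back. The body of `process_request` continues outside the hunk, so the later session accesses were not checked here.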
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django_openstack_auth/patches/CVE-2014-8124.patch	Fri Dec 19 14:29:54 2014 -0800
@@ -0,0 +1,29 @@
+django_openstack_auth patch for CVE-2014-8124.  This will be fixed in
+a future version of django_openstack_auth
+
+From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
+From: eric <[email protected]>
+Date: Mon, 8 Dec 2014 16:38:26 -0700
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (and middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Co-Authored-By: Tihomir Trifonov <[email protected]>
+Co-Authored-By: Eric Peterson <[email protected]>
+
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Closes-Bug: 1394370
+
+--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
++++ django_openstack_auth-1.1.3/openstack_auth/forms.py
+@@ -96,7 +96,6 @@ class Login(AuthenticationForm):
+             msg = 'Login failed for user "%(username)s".' % \
+                 {'username': username}
+             LOG.warning(msg)
+-            self.request.session.flush()
+             raise forms.ValidationError(exc)
+         if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
+             self.check_for_test_cookie()
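Review bot: The `check_for_test_cookie()` call kept as context at the end of this hunk may conflict with the companion Horizon patch, which removes `request.session.set_test_cookie()` from `splash`. On Django releases where that method still validates the test cookie rather than only emitting a deprecation warning (1.4, as far as I recall; please confirm against the Django shipped with this component), a login posted straight from the splash page could be rejected as having cookies disabled. Separately, the removal of `self.request.session.flush()` deserves a why-comment in the failed-login branch so it is not restored later, for example `# do not touch the session on a failed login: each access can create a backend session record (CVE-2014-8124)`. The enclosing method starts outside the hunk, so the rest of the failure path was not reviewed.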