20192118 problem in SERVICE/HORIZON s11u2-sru
authorDrew Fisher <drew.fisher@oracle.com>
Fri, 09 Jan 2015 13:44:40 -0800
branchs11u2-sru
changeset 3612 b2728fae8d90
parent 3611 e09fa6c4472b
child 3613 72fb7b8866fd
20192118 problem in SERVICE/HORIZON 20192127 problem in PYTHON-MOD/OPENSTACK-AUTH
components/openstack/horizon/patches/14-CVE-2014-8124.patch
components/python/django_openstack_auth/patches/CVE-2014-8124.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/14-CVE-2014-8124.patch	Fri Jan 09 13:44:40 2015 -0800
@@ -0,0 +1,55 @@
+Upstream patch to fix CVE-2014-8124.  This will be fixed in future
+2014.1.3 and 2014.2.1 releases.
+
+From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
+From: lin-hua-cheng <[email protected]>
+Date: Mon, 1 Dec 2014 18:16:15 -0800
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+
+--- horizon-2013.2.3/horizon/middleware.py.orig	2014-12-10 12:59:24.714541383 -0700
++++ horizon-2013.2.3/horizon/middleware.py	2014-12-10 13:00:30.362642269 -0700
[email protected]@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+     def process_request(self, request):
+         """ Adds data necessary for Horizon to function to the request. """
++
++        request.horizon = {'dashboard': None,
++                           'panel': None,
++                           'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
++
+         # Activate timezone handling
+         tz = request.session.get('django_timezone')
+         if tz:
[email protected]@ -62,9 +73,6 @@ class HorizonMiddleware(object):
+ 
+         last_activity = request.session.get('last_activity', None)
+         timestamp = int(time.time())
+-        request.horizon = {'dashboard': None,
+-                           'panel': None,
+-                           'async_messages': []}
+         if (isinstance(last_activity, int)
+                 and (timestamp - last_activity) > timeout):
+             request.session.pop('last_activity')
+--- horizon-2013.2.3/openstack_dashboard/views.py.orig	2014-12-10 13:01:22.648498614 -0700
++++ horizon-2013.2.3/openstack_dashboard/views.py	2014-12-10 13:01:29.987667852 -0700
[email protected]@ -33,6 +33,4 @@ def splash(request):
+     if request.user.is_authenticated():
+         return shortcuts.redirect(get_user_home(request.user))
+     form = views.Login(request)
+-    request.session.clear()
+-    request.session.set_test_cookie()
+     return shortcuts.render(request, 'splash.html', {'form': form})
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django_openstack_auth/patches/CVE-2014-8124.patch	Fri Jan 09 13:44:40 2015 -0800
@@ -0,0 +1,29 @@
+django_openstack_auth patch for CVE-2014-8124.  This will be fixed in
+a future version of django_openstack_auth
+
+From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
+From: eric <[email protected]>
+Date: Mon, 8 Dec 2014 16:38:26 -0700
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (and middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Co-Authored-By: Tihomir Trifonov <[email protected]>
+Co-Authored-By: Eric Peterson <[email protected]>
+
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Closes-Bug: 1394370
+
+--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
++++ django_openstack_auth-1.1.3/openstack_auth/forms.py
[email protected]@ -96,7 +96,6 @@ class Login(AuthenticationForm):
+             msg = 'Login failed for user "%(username)s".' % \
+                 {'username': username}
+             LOG.warning(msg)
+-            self.request.session.flush()
+             raise forms.ValidationError(exc)
+         if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
+             self.check_for_test_cookie()