20885269 problem in PYTHON-MOD/KEYSTONEMIDDLE s11u2-sru
authorDevjani Ray <devjani.ray@oracle.com>
Wed, 29 Apr 2015 10:29:10 -0400
branchs11u2-sru
changeset 4214 b5b4764c82a4
parent 4204 04c06044ed82
child 4215 c0c7615b4511
20885269 problem in PYTHON-MOD/KEYSTONEMIDDLE 20885288 problem in SERVICE/KEYSTONE
components/python/keystoneclient/patches/CVE-2015-1852.patch
components/python/keystonemiddleware/patches/CVE-2015-1852.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/keystoneclient/patches/CVE-2015-1852.patch	Wed Apr 29 10:29:10 2015 -0400
@@ -0,0 +1,76 @@
+This upstream patch addresses CVE-2015-1852 in keystoneclient. It
+should be able to be removed when keystoneclient 1.4.0 or later is
+integrated.
+
+From 710402426c6bda2fe9d9b4fde2f5b54f1790a60e Mon Sep 17 00:00:00 2001
+From: Brant Knudson <[email protected]>
+Date: Tue, 7 Apr 2015 19:38:29 +0000
+Subject: [PATCH] Fix s3_token middleware parsing insecure option
+
+The "insecure" option was being treated as a bool when it was
+actually provided as a string. The fix is to parse the string to
+a bool.
+
+Closes-Bug: 1411063
+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
+---
+
+--- python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py.~1~	2014-12-18 09:37:35.000000000 -0800
++++ python-keystoneclient-1.0.0/keystoneclient/middleware/s3_token.py	2015-04-14 14:23:08.294228633 -0700
[email protected]@ -34,6 +34,7 @@ This WSGI component:
+ import logging
+ 
+ from oslo.serialization import jsonutils
++from oslo.utils import strutils
+ import requests
+ import six
+ from six.moves import urllib
[email protected]@ -116,7 +117,7 @@ class S3Token(object):
+         self.request_uri = '%s://%s:%s' % (auth_protocol, auth_host, auth_port)
+ 
+         # SSL
+-        insecure = conf.get('insecure', False)
++        insecure = strutils.bool_from_string(conf.get('insecure', False))
+         cert_file = conf.get('certfile')
+         key_file = conf.get('keyfile')
+ 
+--- python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py.~1~	2014-12-18 09:37:35.000000000 -0800
++++ python-keystoneclient-1.0.0/keystoneclient/tests/test_s3_token_middleware.py	2015-04-14 14:23:09.919217052 -0700
[email protected]@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenM
+     @mock.patch.object(requests, 'post')
+     def test_insecure(self, MOCK_REQUEST):
+         self.middleware = (
+-            s3_token.filter_factory({'insecure': True})(FakeApp()))
++            s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
+ 
+         text_return_value = jsonutils.dumps(GOOD_RESPONSE)
+         if six.PY3:
[email protected]@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenM
+         mock_args, mock_kwargs = MOCK_REQUEST.call_args
+         self.assertIs(mock_kwargs['verify'], False)
+ 
++    def test_insecure_option(self):
++        # insecure is passed as a string.
++
++        # Some non-secure values.
++        true_values = ['true', 'True', '1', 'yes']
++        for val in true_values:
++            config = {'insecure': val, 'certfile': 'false_ind'}
++            middleware = s3_token.filter_factory(config)(FakeApp())
++            self.assertIs(False, middleware.verify)
++
++        # Some "secure" values, including unexpected value.
++        false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
++        for val in false_values:
++            config = {'insecure': val, 'certfile': 'false_ind'}
++            middleware = s3_token.filter_factory(config)(FakeApp())
++            self.assertEqual('false_ind', middleware.verify)
++
++        # Default is secure.
++        config = {'certfile': 'false_ind'}
++        middleware = s3_token.filter_factory(config)(FakeApp())
++        self.assertIs('false_ind', middleware.verify)
++
+ 
+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
+     def setUp(self):
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/keystonemiddleware/patches/CVE-2015-1852.patch	Wed Apr 29 10:29:10 2015 -0400
@@ -0,0 +1,86 @@
+This upstream patch addresses CVE-2015-1852 in keystonemiddleware. It
+should be able to be removed when keystoneclient 1.6.0 or later is
+integrated.
+
+From 59f720ccc9a92da025baf7dc692e8e582ebfae0a Mon Sep 17 00:00:00 2001
+From: Brant Knudson <[email protected]>
+Date: Mon, 23 Mar 2015 18:19:18 -0500
+Subject: [PATCH] Fix s3_token middleware parsing insecure option
+
+The "insecure" option was being treated as a bool when it was
+actually provided as a string. The fix is to parse the string to
+a bool.
+
+Closes-Bug: 1411063
+Change-Id: Id674f40532215788675c97a8fdfa91d4420347b3
+---
+ keystonemiddleware/s3_token.py                     |    3 ++-
+ .../tests/test_s3_token_middleware.py              |   24 +++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/keystonemiddleware/s3_token.py b/keystonemiddleware/s3_token.py
+index 37bcf4c..6c716c3 100644
+--- a/keystonemiddleware/s3_token.py
++++ b/keystonemiddleware/s3_token.py
[email protected]@ -35,6 +35,7 @@ import logging
+ import webob
+ 
+ from oslo.serialization import jsonutils
++from oslo.utils import strutils
+ import requests
+ import six
+ from six.moves import urllib
[email protected]@ -116,7 +117,7 @@ class S3Token(object):
+                                             auth_port)
+ 
+         # SSL
+-        insecure = conf.get('insecure', False)
++        insecure = strutils.bool_from_string(conf.get('insecure', False))
+         cert_file = conf.get('certfile')
+         key_file = conf.get('keyfile')
+ 
+diff --git a/keystonemiddleware/tests/test_s3_token_middleware.py b/keystonemiddleware/tests/test_s3_token_middleware.py
+index bf94391..6545fa3 100644
+--- a/keystonemiddleware/tests/test_s3_token_middleware.py
++++ b/keystonemiddleware/tests/test_s3_token_middleware.py
[email protected]@ -124,7 +124,7 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
+     @mock.patch.object(requests, 'post')
+     def test_insecure(self, MOCK_REQUEST):
+         self.middleware = (
+-            s3_token.filter_factory({'insecure': True})(FakeApp()))
++            s3_token.filter_factory({'insecure': 'True'})(FakeApp()))
+ 
+         text_return_value = jsonutils.dumps(GOOD_RESPONSE)
+         if six.PY3:
[email protected]@ -142,6 +142,28 @@ class S3TokenMiddlewareTestGood(S3TokenMiddlewareTestBase):
+         mock_args, mock_kwargs = MOCK_REQUEST.call_args
+         self.assertIs(mock_kwargs['verify'], False)
+ 
++    def test_insecure_option(self):
++        # insecure is passed as a string.
++
++        # Some non-secure values.
++        true_values = ['true', 'True', '1', 'yes']
++        for val in true_values:
++            config = {'insecure': val, 'certfile': 'false_ind'}
++            middleware = s3_token.filter_factory(config)(FakeApp())
++            self.assertIs(False, middleware._verify)
++
++        # Some "secure" values, including unexpected value.
++        false_values = ['false', 'False', '0', 'no', 'someweirdvalue']
++        for val in false_values:
++            config = {'insecure': val, 'certfile': 'false_ind'}
++            middleware = s3_token.filter_factory(config)(FakeApp())
++            self.assertEqual('false_ind', middleware._verify)
++
++        # Default is secure.
++        config = {'certfile': 'false_ind'}
++        middleware = s3_token.filter_factory(config)(FakeApp())
++        self.assertIs('false_ind', middleware._verify)
++
+ 
+ class S3TokenMiddlewareTestBad(S3TokenMiddlewareTestBase):
+     def setUp(self):
+-- 
+1.7.9.2
+