[openstack-ceilometer/f20] remove token from notifier middleware, bz#1112949

slinabery slinabery at fedoraproject.org
Wed Jun 25 18:42:05 UTC 2014


commit d504fcda0bf29f2dc802ff88e26bd246661ddd27
Author: Steve Linabery <slinaber at redhat.com>
Date:   Wed Jun 25 13:19:11 2014 -0500

    remove token from notifier middleware, bz#1112949

 ...e-don-t-access-the-net-when-building-docs.patch |    4 +-
 0002-remove-token-from-notifier-middleware.patch   |   43 ++++++++++++++++++++
 openstack-ceilometer.spec                          |    7 +++-
 3 files changed, 51 insertions(+), 3 deletions(-)
---
diff --git a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
index d11031c..20e7dbd 100644
--- a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+++ b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
@@ -7,8 +7,8 @@ Subject: [PATCH] Ensure we don't access the net when building docs
 
 Change-Id: I9d02fb4053a8106672aded1614a2850e21603eb2
 ---
- doc/source/conf.py |    2 --
- 1 files changed, 0 insertions(+), 2 deletions(-)
+ doc/source/conf.py | 2 --
+ 1 file changed, 2 deletions(-)
 
 diff --git a/doc/source/conf.py b/doc/source/conf.py
 index 98646df..c561497 100644
diff --git a/0002-remove-token-from-notifier-middleware.patch b/0002-remove-token-from-notifier-middleware.patch
new file mode 100644
index 0000000..2c1e066
--- /dev/null
+++ b/0002-remove-token-from-notifier-middleware.patch
@@ -0,0 +1,43 @@
+From bd47e75b61db1d762f75c8e433c51553c7b37ca3 Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy at redhat.com>
+Date: Mon, 23 Jun 2014 05:07:54 +0000
+Subject: [PATCH] remove token from notifier middleware
+
+oslo-incubator sync to address the security bug
+in middleware (as below).
+
+notifier middleware is capturing token and sending it to MQ. this
+is not advisable so we should filter it out.
+
+Change-Id: Ia1bfa1bd24989681db1d2f385defc12e69a01f8d
+Closes-Bug: #1321080
+---
+ ceilometer/openstack/common/middleware/audit.py    | 2 +-
+ ceilometer/openstack/common/middleware/notifier.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ceilometer/openstack/common/middleware/audit.py b/ceilometer/openstack/common/middleware/audit.py
+index 1bda8d1..bb69e31 100644
+--- a/ceilometer/openstack/common/middleware/audit.py
++++ b/ceilometer/openstack/common/middleware/audit.py
+@@ -1,6 +1,6 @@
+ # vim: tabstop=4 shiftwidth=4 softtabstop=4
+ 
+-# Copyright (c) 2013 OpenStack LLC.
++# Copyright (c) 2013 OpenStack Foundation
+ # All Rights Reserved.
+ #
+ #    Licensed under the Apache License, Version 2.0 (the "License"); you may
+diff --git a/ceilometer/openstack/common/middleware/notifier.py b/ceilometer/openstack/common/middleware/notifier.py
+index ab744ff..8006fe7 100644
+--- a/ceilometer/openstack/common/middleware/notifier.py
++++ b/ceilometer/openstack/common/middleware/notifier.py
+@@ -66,7 +66,7 @@ class RequestNotifier(base.Middleware):
+ 
+         """
+         return dict((k, v) for k, v in environ.iteritems()
+-                    if k.isupper())
++                    if k.isupper() and k != 'HTTP_X_AUTH_TOKEN')
+ 
+     @log_and_ignore_error
+     def process_request(self, request):
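Review bot: The new filter on the last line of the notifier.py hunk drops only `HTTP_X_AUTH_TOKEN`, so any other credential-bearing WSGI environ key that an auth middleware or client may set — `HTTP_X_SERVICE_TOKEN`, `HTTP_X_SUBJECT_TOKEN`, `HTTP_X_STORAGE_TOKEN`, `HTTP_AUTHORIZATION` — would still be copied into the notification payload and published to the message queue. A small deny-list is no harder to maintain than the single comparison: `_SENSITIVE_KEYS = frozenset(['HTTP_X_AUTH_TOKEN', 'HTTP_X_SERVICE_TOKEN', 'HTTP_AUTHORIZATION'])` at module level and `if k.isupper() and k not in _SENSITIVE_KEYS` on this line; whether those headers actually reach this middleware in Havana ceilometer is an inference from the header names, not something the hunk shows. Because this is a vendored oslo-incubator copy carried as a downstream spec patch, the wider list should land upstream first so the next incubator sync does not quietly reintroduce the leak. The method this `return` belongs to starts above the hunk, and the audit.py hunk changes only the copyright holder.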
diff --git a/openstack-ceilometer.spec b/openstack-ceilometer.spec
index 65dc5a7..0661919 100644
--- a/openstack-ceilometer.spec
+++ b/openstack-ceilometer.spec
@@ -4,7 +4,7 @@
 
 Name:             openstack-ceilometer
 Version:          2013.2.3
-Release:          1%{?dist}
+Release:          2%{?dist}
 Summary:          OpenStack measurement collection service
 
 Group:            Applications/System
@@ -25,6 +25,7 @@ Source15:         %{name}-alarm-evaluator.service
 # patches_base=2013.2.3
 #
 Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+Patch0002: 0002-remove-token-from-notifier-middleware.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -205,6 +206,7 @@ This package contains documentation files for ceilometer.
 %setup -q -n ceilometer-%{version}
 
 %patch0001 -p1
+%patch0002 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -463,6 +465,9 @@ fi
 
 
 %changelog
+* Wed Jun 25 2014 Steve Linabery <slinaber at redhat.com> - 2013.2.3-2
+- remove token from notifier middleware, bz#1112949
+
 * Thu Apr 10 2014 Pádraig Brady <pbrady at redhat.com> - 2013.2.3-1
 - Update to Havana stable release 2013.2.3
 

