[openstack-ceilometer/el6-havana] remove token from notifier middleware, bz#1112949
Pádraig Brady
pbrady at fedoraproject.org
Thu Jun 26 17:00:13 UTC 2014
commit 2276f77b446d5bb89f5c7034499f8111c981d560
Author: Steve Linabery <slinaber at redhat.com>
Date: Wed Jun 25 13:19:11 2014 -0500
remove token from notifier middleware, bz#1112949
0002-remove-token-from-notifier-middleware.patch | 43 ++++++++++++++++++++++
openstack-ceilometer.spec | 7 +++-
2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/0002-remove-token-from-notifier-middleware.patch b/0002-remove-token-from-notifier-middleware.patch
new file mode 100644
index 0000000..2c1e066
--- /dev/null
+++ b/0002-remove-token-from-notifier-middleware.patch
@@ -0,0 +1,43 @@
+From bd47e75b61db1d762f75c8e433c51553c7b37ca3 Mon Sep 17 00:00:00 2001
+From: Grant Murphy <gmurphy at redhat.com>
+Date: Mon, 23 Jun 2014 05:07:54 +0000
+Subject: [PATCH] remove token from notifier middleware
+
+oslo-incubator sync to address the security bug
+in middleware (as below).
+
+notifier middleware is capturing token and sending it to MQ. this
+is not advisable so we should filter it out.
+
+Change-Id: Ia1bfa1bd24989681db1d2f385defc12e69a01f8d
+Closes-Bug: #1321080
+---
+ ceilometer/openstack/common/middleware/audit.py | 2 +-
+ ceilometer/openstack/common/middleware/notifier.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ceilometer/openstack/common/middleware/audit.py b/ceilometer/openstack/common/middleware/audit.py
+index 1bda8d1..bb69e31 100644
+--- a/ceilometer/openstack/common/middleware/audit.py
++++ b/ceilometer/openstack/common/middleware/audit.py
+@@ -1,6 +1,6 @@
+ # vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+-# Copyright (c) 2013 OpenStack LLC.
++# Copyright (c) 2013 OpenStack Foundation
+ # All Rights Reserved.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License"); you may
+diff --git a/ceilometer/openstack/common/middleware/notifier.py b/ceilometer/openstack/common/middleware/notifier.py
+index ab744ff..8006fe7 100644
+--- a/ceilometer/openstack/common/middleware/notifier.py
++++ b/ceilometer/openstack/common/middleware/notifier.py
+@@ -66,7 +66,7 @@ class RequestNotifier(base.Middleware):
+
+ """
+ return dict((k, v) for k, v in environ.iteritems()
+- if k.isupper())
++ if k.isupper() and k != 'HTTP_X_AUTH_TOKEN')
+
+ @log_and_ignore_error
+ def process_request(self, request):
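Review bot: The filter in the nested notifier.py hunk drops exactly one environ key, `HTTP_X_AUTH_TOKEN`, while every other upper-case key is still copied into the payload sent to the message queue; other credential-bearing headers that WSGI exposes in the same form, such as `HTTP_AUTHORIZATION` or Swift's `HTTP_X_STORAGE_TOKEN` when a deployment uses them, are not covered, and each new one would need another `and k != ...` clause. A module-level deny set keeps the intent in one place and is easier to audit: `_SENSITIVE_KEYS = frozenset(['HTTP_X_AUTH_TOKEN', 'HTTP_AUTHORIZATION'])` and `if k.isupper() and k not in _SENSITIVE_KEYS)`. The enclosing method starts before the nested hunk, so whether `environ` is also captured elsewhere in RequestNotifier cannot be confirmed from this patch. The audit.py hunk bundled in the same patch only changes the copyright line and carries none of the fix.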
diff --git a/openstack-ceilometer.spec b/openstack-ceilometer.spec
index 5fab7ec..13256f0 100644
--- a/openstack-ceilometer.spec
+++ b/openstack-ceilometer.spec
@@ -4,7 +4,7 @@
Name: openstack-ceilometer
Version: 2013.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenStack measurement collection service
Group: Applications/System
@@ -31,6 +31,7 @@ Source150: %{name}-alarm-evaluator.upstart
# patches_base=2013.2.3
#
Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+Patch0002: 0002-remove-token-from-notifier-middleware.patch
# This is EL6 specific and not upstream
Patch100: openstack-ceilometer-newdeps.patch
@@ -219,6 +220,7 @@ This package contains documentation files for ceilometer.
%setup -q -n ceilometer-%{version}
%patch0001 -p1
+%patch0002 -p1
# Apply EL6 patch
%patch100 -p1
@@ -497,6 +499,9 @@ fi
%changelog
+* Wed Jun 25 2014 Steve Linabery <slinaber at redhat.com> - 2013.2.3-2
+- remove token from notifier middleware, bz#1112949
+
* Thu Apr 10 2014 Pádraig Brady <pbrady at redhat.com> - 2013.2.3-1
- Update to Havana stable release 2013.2.3