[python-django-horizon] Fix CVE-2014-8124

Matthias Runge mrunge at fedoraproject.org
Mon Dec 15 12:15:58 UTC 2014


commit 8d623768e61dda0c37c46b1c10940d1ffe97a03f
Author: Matthias Runge <mrunge at redhat.com>
Date:   Mon Dec 15 13:06:11 2014 +0100

    Fix CVE-2014-8124
    
    Change-Id: I7faf7198aed34d98f93bf0ac784c2b55f9f41bdf
    Resolves: rhbz#1174066

 ...-login-page-contains-DOS-attack-mechanism.patch |   60 ++++++++++++++++++++
 python-django-horizon.spec                         |    6 ++-
 2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/0023-Horizon-login-page-contains-DOS-attack-mechanism.patch b/0023-Horizon-login-page-contains-DOS-attack-mechanism.patch
new file mode 100644
index 0000000..21a4718
--- /dev/null
+++ b/0023-Horizon-login-page-contains-DOS-attack-mechanism.patch
@@ -0,0 +1,60 @@
+From 7ed08dc9f55e68be7338a2d0fba4d78098173db4 Mon Sep 17 00:00:00 2001
+From: eric <eric.peterson1 at twcable.com>
+Date: Thu, 20 Nov 2014 08:49:09 -0700
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+(cherry picked from commit e8a66a4d92ae259a5ef004cafad1809942c66596)
+---
+ horizon/middleware.py        | 10 ++++++----
+ openstack_dashboard/views.py |  5 ++---
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index a0d9c3d..885489e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
+         request.horizon = {'dashboard': None,
+                            'panel': None,
+                            'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
+ 
+         # Check for session timeout if user is (or was) authenticated.
+         has_timed_out, timestamp = self._check_has_timed_timeout(request)
+         if has_timed_out:
+             return self._logout(request, request.path, _("Session timed out."))
+ 
+-        if not hasattr(request, "user") or not request.user.is_authenticated():
+-            # proceed no further if the current request is already known
+-            # not to be authenticated
+-            return None
+         if request.is_ajax():
+             # if the request is Ajax we do not want to proceed, as clients can
+             #  1) create pages with constant polling, which can create race
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 4ce55ff..0473279 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -41,8 +41,7 @@ def splash(request):
+         response = shortcuts.redirect(horizon.get_user_home(request.user))
+     else:
+         form = forms.Login(request)
+-        request.session.clear()
+-        request.session.set_test_cookie()
+         response = shortcuts.render(request, 'splash.html', {'form': form})
+-    response.delete_cookie('logout_reason')
++    if 'logout_reason' in request.COOKIES:
++        response.delete_cookie('logout_reason')
+     return response
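Review bot: The relocated guard in horizon/middleware.py now returns before `_check_has_timed_timeout` is reached, so that helper is evidently the call that touches the session for anonymous requests, yet the comment only says the check is CRITICAL without naming what it protects, and a later reorder would silently reintroduce the issue. I would name the protected call in the comment, e.g. `# keep this above _check_has_timed_timeout, which touches request.session` (confirm against the helper's body, which is outside this hunk). In openstack_dashboard/views.py the removal of `request.session.set_test_cookie()` also drops the test cookie for anonymous visitors; if the Login form still calls `test_cookie_worked()` on submit, that check would now always fail, which is worth verifying before backporting. The head of `splash` and the rest of `HorizonMiddleware` lie outside the hunk.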
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index 6e695c1..3fafc11 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -4,7 +4,7 @@
 
 Name:       python-django-horizon
 Version:    2014.2.1
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    Django application for talking to Openstack
 
 Group:      Development/Libraries
@@ -46,6 +46,7 @@ Patch0019: 0019-Restore-missing-translation-for-the-downstream-theme.patch
 Patch0020: 0020-IE-bug-fixes-https-bugzilla.redhat.com-show_bug.cgi-.patch
 Patch0021: 0021-Change-branding.patch
 Patch0022: 0022-Add-missing-translation-for-the-downstream-theme-zh_.patch
+Patch0023: 0023-Horizon-login-page-contains-DOS-attack-mechanism.patch
 
 #
 # BuildArch needs to be located below patches in the spec file. Don't ask!
@@ -442,6 +443,9 @@ cp -a %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/openstack-dashboard
 %{_datadir}/openstack-dashboard/openstack_dashboard/enabled/_99_customization.*
 
 %changelog
+* Mon Dec 15 2014 Matthias Runge <mrunge at redhat.com> - 2014.2.1-2
+- Fix CVE-2014-8124 (rhbz#1174066)
+
 * Mon Dec 08 2014 Matthias Runge <mrunge at redhat.com> - 2014.2.1-1
 - rebase to 2014.2.1
 - drop earlier patch for rhbz#1163206

