yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #02508
[Bug 1179615] Re: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token
OSSA 2013-014
** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1179615
Title:
[OSSA 2013-014] auth_token middleware neglects to check expiry of
signed token
Status in OpenStack Identity (Keystone):
Invalid
Status in Keystone folsom series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Status in Python client library for Keystone:
Fix Committed
Bug description:
Unless I'm mistaken the keystoneclient auth_token middleware seems to
be neglecting to check the expiry of signed tokens.
Instead, it only checks if the proposed token has been explicitly
revoked:
https://github.com/openstack/python-
keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1047
Surely the expiration timestamp needs to be checked also and the token
rejected if expired.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179615/+subscriptions