yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1179615] Re: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date: Wed, 04 Jun 2014 23:27:20 -0000
Reply-to: Bug 1179615 <1179615@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/folsom
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1179615

Title:
  [OSSA 2013-014] auth_token middleware neglects to check expiry of
  signed token

Status in OpenStack Identity (Keystone):
  Invalid
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in Python client library for Keystone:
  Fix Released

Bug description:
  Unless I'm mistaken the keystoneclient auth_token middleware seems to
  be neglecting to check the expiry of signed tokens.

  Instead, it only checks if the proposed token has been explicitly
  revoked:

    https://github.com/openstack/python-
  keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L1047

  Surely the expiration timestamp needs to be checked also and the token
  rejected if expired.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1179615/+subscriptions