yahoo-eng-team team mailing list archive, Message #20059
[Bug 1348820] Re: [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1348820
Title:
[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Steps to recreate
1.) Generate a v2.0 token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf
2.) Pull the token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again. http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt
The 'issued_at' time of a token should not change when validating the token using the /v3/auth/token GET api call.
This is because the issued_at time is being overwritten on GET here:
https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319
This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated; in the case of HEAD or GET, the issued_at time should already exist.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1348820/+subscriptions
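The defect the report describes, reduced to a runnable model. This is an added example, not Keystone's code: a token provider whose shared formatting path stamps issued_at unconditionally (so GET/HEAD validation re-stamps it) next to the corrected form that generates issued_at only when the token is created. The in-memory TokenStore, the deterministic FakeClock and the is_revoked rule (an event revokes every token of a user issued at or before the event's cut-off) are constructed for the example; they stand in for whatever downstream logic compares issued_at against a timestamp and are not a claim about Keystone's internals.

```python
"""Model of the CVE-2014-5252 defect: issued_at regenerated on token validation."""
import copy
import datetime
import uuid


class FakeClock:
    """Deterministic clock (constructed for the example): each call advances one minute."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        current = self.now
        self.now = current + datetime.timedelta(minutes=1)
        return current


class TokenStore:
    """In-memory stand-in for a token backend (assumption, not Keystone code)."""

    def __init__(self):
        self._tokens = {}

    def put(self, token_id, data):
        self._tokens[token_id] = copy.deepcopy(data)

    def get(self, token_id):
        if token_id not in self._tokens:
            raise KeyError('unknown token')
        return copy.deepcopy(self._tokens[token_id])


class BuggyProvider:
    """Mirrors the reported defect: the formatting path used by both issue (POST)
    and validate (GET/HEAD) stamps issued_at unconditionally."""

    def __init__(self, store, clock):
        self.store = store
        self.clock = clock

    def _format_token(self, token_ref):
        token_ref['issued_at'] = self.clock().isoformat()   # re-stamped on every call
        return token_ref

    def issue(self, user_id):        # POST /v3/auth/tokens
        token_id = uuid.uuid4().hex
        token_ref = self._format_token({'id': token_id, 'user_id': user_id})
        self.store.put(token_id, token_ref)
        return token_ref

    def validate(self, token_id):    # GET /v3/auth/tokens
        return self._format_token(self.store.get(token_id))


class FixedProvider(BuggyProvider):
    """issued_at is generated only when absent (token creation); validation
    returns the stored value untouched."""

    def _format_token(self, token_ref):
        if 'issued_at' not in token_ref:
            token_ref['issued_at'] = self.clock().isoformat()
        return token_ref


def is_revoked(token_ref, revoke_events):
    """Assumed downstream rule: a revocation event covers every token of the
    user that was issued at or before the event's issued_before timestamp."""
    issued_at = datetime.datetime.fromisoformat(token_ref['issued_at'])
    return any(ev['user_id'] == token_ref['user_id'] and issued_at <= ev['issued_before']
               for ev in revoke_events)


def run_scenario(provider_cls):
    """Issue a token, revoke the user's tokens, validate twice.
    Returns the issued_at values observed and whether the revocation still held."""
    clock = FakeClock(datetime.datetime(2014, 7, 25, 12, 0, 0))
    provider = provider_cls(TokenStore(), clock)
    token = provider.issue('alice')                                   # issued_at 12:00
    revoke_events = [{'user_id': 'alice', 'issued_before': clock()}]  # cut-off 12:01
    first = provider.validate(token['id'])
    second = provider.validate(token['id'])
    return {
        'issued_at_on_post': token['issued_at'],
        'issued_at_on_get': [first['issued_at'], second['issued_at']],
        'revoked_after_validation': is_revoked(second, revoke_events),
    }


if __name__ == '__main__':
    for cls in (BuggyProvider, FixedProvider):
        print(cls.__name__, run_scenario(cls))
```

With the buggy provider each validation returns a fresh issued_at, so the token's issued_at walks past the revocation cut-off and the assumed check no longer matches it; with the fixed provider issued_at stays at creation time and the revocation holds. When auditing a token service, validate the same token twice and diff every timestamp in the two responses: anything that moves on a read is being regenerated rather than read back.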