yahoo-eng-team team mailing list archive
Message #25428
[Bug 1394370] Re: [OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124)
** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1394370
Title:
[OSSA 2014-040] horizon login page is vulnerable to DOS attack
(CVE-2014-8124)
Status in OpenStack Dashboard (Horizon):
Fix Committed
Status in OpenStack Dashboard (Horizon) icehouse series:
Fix Committed
Status in OpenStack Dashboard (Horizon) juno series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
We have horizon deployed with mysql sessions. I believe this issue
exists with all db backed sessions, and likely memcached too (but I
am not sure).
Every request to the login page is generating a new session record in the db. This is based upon this line of code:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L41
What happens is as soon as you access request.session['foo'] then you are going to get an entry in the db.
I have placed some debugging code in a variety of locations where we
are accessing the session store before we should be, which creates
these records:
https://github.com/openstack/horizon/blob/master/horizon/middleware.py#L94
The check for the timeout should never occur if there is no authenticated user. So the check a few lines below needs to be moved higher.
https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L50
This check I am not sure how to work around. We are accessing the session, which creates records, just trying to keep track if a user is logged in or not. It seems like we are not using the django auth mechanisms correctly here, and I can't see if there is a workaround.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1394370/+subscriptions
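
The ordering problem described in the report, as an added example that is not part of the original message and is not Django or Horizon code. It is a simplified model that assumes, as the report states, that the first session access persists a row; every class, function and key name in it is hypothetical.

```python
"""Simplified model of the behaviour in the report; not Django or Horizon code."""
import uuid


class LazySessionStore:
    """Toy DB-backed session: the first key access persists a row (assumption
    taken from the report's description of the db session backend)."""

    def __init__(self, db, key=None):
        self.db, self.key = db, key

    def _load(self):
        if self.key not in self.db:      # missing or unknown session cookie
            self.key = uuid.uuid4().hex
            self.db[self.key] = {}       # row written on first access
        return self.db[self.key]

    def get(self, name, default=None):
        return self._load().get(name, default)


class Request:
    def __init__(self, db, authenticated=False, cookie=None):
        self.session = LazySessionStore(db, cookie)
        self.authenticated = authenticated


def timeout_check_first(request):
    """Ordering reported as the problem: session read before the auth check."""
    request.session.get("last_activity")   # hypothetical key name
    if not request.authenticated:
        return "redirect-to-login"
    return "ok"


def auth_check_first(request):
    """Ordering the report asks for: anonymous requests never touch the session."""
    if not request.authenticated:
        return "redirect-to-login"
    request.session.get("last_activity")
    return "ok"


def rows_after(middleware, anonymous_requests):
    """Count session rows left behind by cookie-less anonymous requests."""
    db = {}
    for _ in range(anonymous_requests):
        middleware(Request(db))
    return len(db)
```

The same row count, taken on a real deployment's session table before and after unauthenticated requests to the login page, is a direct regression check for this bug.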