yahoo-eng-team team mailing list archive
Message #81353
[Bug 1860252] [NEW] security problem: one user can change another user's password without admin
Public bug reported:
I created users A and B without binding them to any project or domain. Using A, I
created a token without scope; with this token I can change B's
password by supplying B's user_id and original_password.
I noticed that this patch https://review.opendev.org/#/c/404022/25 deleted
@controller.protected(); the code looks like this:
    # NOTE(gagehugo): We do not need this to be @protected.
    # A user is already expected to know their password in order
    # to change it, and can be authenticated as such.
    def change_password(self, request, user_id, user):
        original_password = user.get('original_password')
        if original_password is None:
            raise exception.ValidationError(target='user',
                                            attribute='original_password')
But is this safe? I use the M version with the pci-dss feature merged; is
this fixed in other versions?
** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1860252
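Added example, not code from keystone or from the report: a minimal self-service password-change handler that models the check the report describes as missing once @protected was removed, comparing the token's subject with the target user_id before the original password is verified. Identity, Token, the exception classes and the require_self switch are hypothetical names constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

class ValidationError(Exception): pass
class Forbidden(Exception): pass
class Unauthorized(Exception): pass


@dataclass
class Token:
    user_id: str                      # subject: the user who authenticated
    project_id: Optional[str] = None  # None models an unscoped token


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Identity:
    """Hypothetical in-memory identity backend, constructed for this example."""
    def __init__(self):
        self._users = {}  # user_id -> (salt, derived key)

    def create_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def check_password(self, user_id: str, password: str) -> bool:
        salt, key = self._users[user_id]
        return hmac.compare_digest(_derive(password, salt), key)

    def change_password(self, token: Token, user_id: str, user: dict,
                        require_self: bool = True) -> bool:
        original = user.get("original_password")
        if original is None:
            raise ValidationError("original_password is required")
        # The check the report says is missing without @protected: the token's
        # subject must be the account being changed. require_self=False
        # reproduces the reported behaviour, where any valid token is accepted.
        if require_self and token.user_id != user_id:
            raise Forbidden(f"token for {token.user_id} cannot change {user_id}")
        if not self.check_password(user_id, original):
            raise Unauthorized("original_password does not match")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(user["password"], salt))
        return True
```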