Package: horizon / 2014.1.3-7+deb8u2

CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch Patch series | download
Description: Horizon login page contains DOS attack mechanism
 The horizon login page (really the middleware) accesses the session too early
 in the login process, which will create session records in the session
 backend. This is especially problematic when non-cookie backends are used.
Author: lin-hua-cheng <os.lcheng@gmail.com>
Date: Tue, 2 Dec 2014 02:16:15 +0000 (-0800)
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a
Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
Bug-Ubuntu: https://launchpad.net/bugs/1394370
Bug-Debian: https://bugs.debian.org/772710
Origin: upstream, https://review.openstack.org/#/c/140356/
Last-Update: 2014-12-10

diff --git a/horizon/middleware.py b/horizon/middleware.py
index e4b72b2..3cdb36e 100644
--- a/horizon/middleware.py
+++ b/horizon/middleware.py
@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
 
     def process_request(self, request):
         """Adds data necessary for Horizon to function to the request."""
+
+        request.horizon = {'dashboard': None,
+                           'panel': None,
+                           'async_messages': []}
+        if not hasattr(request, "user") or not request.user.is_authenticated():
+            # proceed no further if the current request is already known
+            # not to be authenticated
+            # it is CRITICAL to perform this check as early as possible
+            # to avoid creating too many sessions
+            return None
+
         # Activate timezone handling
         tz = request.session.get('django_timezone')
         if tz:
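Review bot: The docstring of process_request still says only that it adds data to the request, while the new guard just below it now makes unauthenticated requests return before any session value is read or written; that early-return contract deserves a line, since the fix depends on nothing later in the middleware touching the session first. Suggest `"""Adds data necessary for Horizon to function to the request. Returns None early, with only ``request.horizon`` populated, for requests that are not authenticated so that no session write (and thus no backend session record) happens for anonymous visitors."""`. Note that `request.user.is_authenticated()` resolves the lazy user object and therefore reads the session; that read alone should not create a record, but it is worth confirming against the non-cookie backends the bug report mentions. The body of process_request continues past the end of this hunk, so the remaining `request.session.get(...)` calls for `django_timezone` and `last_activity` now run only for authenticated users.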
@@ -62,14 +73,6 @@ class HorizonMiddleware(object):
 
         last_activity = request.session.get('last_activity', None)
         timestamp = int(time.time())
-        request.horizon = {'dashboard': None,
-                           'panel': None,
-                           'async_messages': []}
-
-        if not hasattr(request, "user") or not request.user.is_authenticated():
-            # proceed no further if the current request is already known
-            # not to be authenticated
-            return None
 
         # If we use cookie-based sessions, check that the cookie size does not
         # reach the max size accepted by common web browsers.
diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
index 8a630e9..5ff1fd5 100644
--- a/openstack_dashboard/views.py
+++ b/openstack_dashboard/views.py
@@ -33,6 +33,4 @@ def splash(request):
     if request.user.is_authenticated():
         return shortcuts.redirect(horizon.get_user_home(request.user))
     form = forms.Login(request)
-    request.session.clear()
-    request.session.set_test_cookie()
     return shortcuts.render(request, 'splash.html', {'form': form})