OpenStack Dashboard (Horizon)

Overview
Code
Bugs
Blueprints
Translations
Answers

Merge lp:~corey.bryant/horizon/2014.2.1-2 into lp:~ubuntu-server-dev/horizon/juno

2014.2.1-2
Merge into juno

Proposed by Corey Bryant on 2014-12-09

Status:	Merged
Merged at revision:	214
Proposed branch:	lp:~corey.bryant/horizon/2014.2.1-2
Merge into:	lp:~ubuntu-server-dev/horizon/juno
Diff against target:	90 lines (+70/-0) 3 files modified debian/changelog (+7/-0) debian/patches/prevent_login_page_DOS.patch (+62/-0) debian/patches/series (+1/-0)
To merge this branch:	bzr merge lp:~corey.bryant/horizon/2014.2.1-2
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Server Developers		2014-12-09	Pending
Review via email: mp+244199@code.launchpad.net

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Download diff
Side-by-side diff

Subscribers

People subscribed via source and target branches

to all changes:

Corey Bryant

Ubuntu Server Developers

 === modified file 'debian/changelog'
 --- debian/changelog	2014-12-08 18:22:58 +0000
 +++ debian/changelog	2014-12-09 18:52:08 +0000
@@ -1,3 +1,10 @@
++horizon (1:2014.2.1-0ubuntu2) UNRELEASED; urgency=medium
++
++  * d/p/prevent_login_page_DOS.patch: Cherry picked from
++    https://review.openstack.org/#/c/140358/.
++
++ -- Corey Bryant <corey.bryant@canonical.com>  Tue, 09 Dec 2014 13:34:26 -0500
++
  horizon (1:2014.2.1-0ubuntu1) utopic; urgency=medium
    [ Corey Bryant ]
 === added file 'debian/patches/prevent_login_page_DOS.patch'
 --- debian/patches/prevent_login_page_DOS.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/prevent_login_page_DOS.patch	2014-12-09 18:52:08 +0000
@@ -0,0 +1,62 @@
++From 09b8f8f6724dd7eb8b34fd4c2c2e66b0a3d0cab9 Mon Sep 17 00:00:00 2001
++From: eric <eric.peterson1@twcable.com>
++Date: Thu, 20 Nov 2014 08:49:09 -0700
++Subject: [PATCH] Horizon login page contains DOS attack mechanism
++
++the horizon login page (really the middleware) accesses the session
++too early in the login process, which will create session records
++in the session backend.  This is especially problematic when non-cookie
++backends are used.
++
++Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
++Closes-Bug: 1394370
++---
++ horizon/middleware.py        | 10 ++++++----
++ openstack_dashboard/views.py |  5 ++---
++ 2 files changed, 8 insertions(+), 7 deletions(-)
++
++diff --git a/horizon/middleware.py b/horizon/middleware.py
++index a0d9c3d..885489e 100644
++--- a/horizon/middleware.py
+++++ b/horizon/middleware.py
++@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
++         request.horizon = {'dashboard': None,
++                            'panel': None,
++                            'async_messages': []}
+++        if not hasattr(request, "user") or not request.user.is_authenticated():
+++            # proceed no further if the current request is already known
+++            # not to be authenticated
+++            # it is CRITICAL to perform this check as early as possible
+++            # to avoid creating too many sessions
+++            return None
++
++         # Check for session timeout if user is (or was) authenticated.
++         has_timed_out, timestamp = self._check_has_timed_timeout(request)
++         if has_timed_out:
++             return self._logout(request, request.path, _("Session timed out."))
++
++-        if not hasattr(request, "user") or not request.user.is_authenticated():
++-            # proceed no further if the current request is already known
++-            # not to be authenticated
++-            return None
++         if request.is_ajax():
++             # if the request is Ajax we do not want to proceed, as clients can
++             #  1) create pages with constant polling, which can create race
++diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
++index 4ce55ff..0473279 100644
++--- a/openstack_dashboard/views.py
+++++ b/openstack_dashboard/views.py
++@@ -41,8 +41,7 @@ def splash(request):
++         response = shortcuts.redirect(horizon.get_user_home(request.user))
++     else:
++         form = forms.Login(request)
++-        request.session.clear()
++-        request.session.set_test_cookie()
++         response = shortcuts.render(request, 'splash.html', {'form': form})
++-    response.delete_cookie('logout_reason')
+++    if 'logout_reason' in request.COOKIES:
+++        response.delete_cookie('logout_reason')
++     return response
++--
++2.1.0
++
 === modified file 'debian/patches/series'
 --- debian/patches/series	2014-10-07 16:59:32 +0000
 +++ debian/patches/series	2014-12-09 18:52:08 +0000
@@ -1,3 +1,4 @@
++prevent_login_page_DOS.patch
  fix-dashboard-django-wsgi.patch
  fix-dashboard-manage.patch
  ubuntu_settings.patch

OpenStack Dashboard (Horizon)

Merge lp:~corey.bryant/horizon/2014.2.1-2 into lp:~ubuntu-server-dev/horizon/juno

Commit message

Description of the change

Preview Diff

Subscribers