meta-openstack/recipes-devtools/python/python-keystone/CVE-2014-2828-keystone-1300274.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

From e364ba5b12de8e4c11bd80bcca903f9615dcfc2e Mon Sep 17 00:00:00 2001
From: Florent Flament <florent.flament-ext@cloudwatt.com>
Date: Tue, 1 Apr 2014 12:48:22 +0000
Subject: Sanitizes authentication methods received in requests.

When a user authenticates against Identity V3 API, he can specify
multiple authentication methods. This patch removes duplicates, which
could have been used to achieve DoS attacks.

Closes-Bug: 1300274
(cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
Cherry-pick from https://review.openstack.org/#/c/84425/

Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab

diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index c3399df..4944316 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -225,7 +225,13 @@ class AuthInfo(object):
         :returns: list of auth method names
 
         """
-        return self.auth['identity']['methods'] or []
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names
 
     def get_method_data(self, method):
         """Get the auth method payload.
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index d07e6ae..e89e29f 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
                           None,
                           auth_data)
 
+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
+
     def test_get_method_data_invalid_method(self):
         auth_data = self.build_authentication_request(
             user_id='test',
-- 
cgit v0.10.1