--- /dev/null
+From: eric <eric.peterson1@twcable.com>
+Date: Thu, 20 Nov 2014 15:49:09 +0000 (-0700)
+Subject: Horizon login page contains DOS attack mechanism
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=e8a66a4d92ae259a5ef004cafad1809942c66596
+
+Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend. This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+---
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index a0d9c3d..885489e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
+ request.horizon = {'dashboard': None,
+ 'panel': None,
+ 'async_messages': []}
++ if not hasattr(request, "user") or not request.user.is_authenticated():
++ # proceed no further if the current request is already known
++ # not to be authenticated
++ # it is CRITICAL to perform this check as early as possible
++ # to avoid creating too many sessions
++ return None
+
+ # Check for session timeout if user is (or was) authenticated.
+ has_timed_out, timestamp = self._check_has_timed_timeout(request)
+ if has_timed_out:
+ return self._logout(request, request.path, _("Session timed out."))
+
+- if not hasattr(request, "user") or not request.user.is_authenticated():
+- # proceed no further if the current request is already known
+- # not to be authenticated
+- return None
+ if request.is_ajax():
+ # if the request is Ajax we do not want to proceed, as clients can
+ # 1) create pages with constant polling, which can create race
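Review bot: The comment added with the moved guard says the early return is CRITICAL but not why, and the why is what keeps the ordering intact later: everything below it — the `_check_has_timed_timeout` call and, presumably, its write of a last-activity timestamp into `request.session` — touches the session, and any write on an anonymous request makes a non-cookie backend persist a new record, which is the resource-exhaustion vector the commit closes. I would have the comment say that explicitly, e.g. `# Return before _check_has_timed_timeout touches request.session: a session write on an anonymous request creates a backend record, which an unauthenticated client can repeat at will.` The guard also assumes `request.user` has already been attached by the authentication middleware, so a second line `# relies on AuthenticationMiddleware running before HorizonMiddleware` would document that ordering dependency. The enclosing method starts before the hunk and continues past it.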
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 4ce55ff..0473279 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -41,8 +41,7 @@ def splash(request):
+ response = shortcuts.redirect(horizon.get_user_home(request.user))
+ else:
+ form = forms.Login(request)
+- request.session.clear()
+- request.session.set_test_cookie()
+ response = shortcuts.render(request, 'splash.html', {'form': form})
+- response.delete_cookie('logout_reason')
++ if 'logout_reason' in request.COOKIES:
++ response.delete_cookie('logout_reason')
+ return response
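Review bot: Dropping `request.session.set_test_cookie()` from `splash` changes the login form's contract without saying so: if `forms.Login` or the view it posts to still calls `request.session.test_cookie_worked()`, that check now fails for every first-time visitor because nothing sets the test cookie any more, and that call sits outside the hunk, so confirm it was removed with this change or add `# no set_test_cookie(): the login form must not depend on the Django test cookie` above the `shortcuts.render` line so the dependency is not reintroduced. Removing `request.session.clear()` also means whatever is already in a visitor's session survives the splash page, which is acceptable only because the login path rotates the session key on successful authentication (Django's `auth.login()` cycles it) — that remaining session-fixation defense is worth a sentence in the commit message. The `'logout_reason' in request.COOKIES` guard is a good addition: it stops emitting a cookie-deletion header on every anonymous page load.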