+++ /dev/null
-From: eric <eric.peterson1@twcable.com>
-Date: Thu, 20 Nov 2014 15:49:09 +0000 (-0700)
-Subject: Horizon login page contains DOS attack mechanism
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=e8a66a4d92ae259a5ef004cafad1809942c66596
-
-Horizon login page contains DOS attack mechanism
-
-the horizon login page (really the middleware) accesses the session
-too early in the login process, which will create session records
-in the session backend. This is especially problematic when non-cookie
-backends are used.
-
-Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
-Closes-Bug: 1394370
----
-
-diff --git a/horizon/middleware.py b/horizon/middleware.py
-index a0d9c3d..885489e 100644
---- a/horizon/middleware.py
-+++ b/horizon/middleware.py
-@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
- request.horizon = {'dashboard': None,
- 'panel': None,
- 'async_messages': []}
-+ if not hasattr(request, "user") or not request.user.is_authenticated():
-+ # proceed no further if the current request is already known
-+ # not to be authenticated
-+ # it is CRITICAL to perform this check as early as possible
-+ # to avoid creating too many sessions
-+ return None
-
- # Check for session timeout if user is (or was) authenticated.
- has_timed_out, timestamp = self._check_has_timed_timeout(request)
- if has_timed_out:
- return self._logout(request, request.path, _("Session timed out."))
-
-- if not hasattr(request, "user") or not request.user.is_authenticated():
-- # proceed no further if the current request is already known
-- # not to be authenticated
-- return None
- if request.is_ajax():
- # if the request is Ajax we do not want to proceed, as clients can
- # 1) create pages with constant polling, which can create race
-diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
-index 4ce55ff..0473279 100644
---- a/openstack_dashboard/views.py
-+++ b/openstack_dashboard/views.py
-@@ -41,8 +41,7 @@ def splash(request):
- response = shortcuts.redirect(horizon.get_user_home(request.user))
- else:
- form = forms.Login(request)
-- request.session.clear()
-- request.session.set_test_cookie()
- response = shortcuts.render(request, 'splash.html', {'form': form})
-- response.delete_cookie('logout_reason')
-+ if 'logout_reason' in request.COOKIES:
-+ response.delete_cookie('logout_reason')
- return response
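Review bot: Removing this carried patch is only safe if the Horizon source being packaged already contains upstream commit e8a66a4d92ae259a5ef004cafad1809942c66596; nothing on this page shows the target version, so that is worth confirming before the fix for bug 1394370 leaves the patch series. In the shipped tree, check that `HorizonMiddleware` returns for unauthenticated requests before `_check_has_timed_timeout` runs, and that `splash` no longer calls `request.session.clear()` or `request.session.set_test_cookie()`. The patch as shown touches only middleware.py and views.py and adds no test, so a regression test that requests the login page without cookies and asserts the session backend gained no record would keep a later session write from slipping back in. A comment in `splash` such as `# Do not write to request.session here: unauthenticated hits must not create session records (bug 1394370)` would record the reason in the code.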
+++ /dev/null
-Description: Remove selenium dependency when not using selenium tests
-Author: Gary W. Smith <gary.w.smith@hp.com>
-Date: Wed, 8 Oct 2014 00:24:08 +0000 (-0700)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=83fd6a7631a6a3ea6adbebca725a5f19c2c1796c
-Bug-Ubuntu: https://launchpad.net/bugs/1377372
-Change-Id: I6a493989d7280eaa2a1c999a9d1be4365aa77d52
-Origin: upstream, https://review.openstack.org/#/c/126777/
-Last-Update: 2014-10-08
-
-diff --git a/horizon/test/webdriver.py b/horizon/test/webdriver.py
-index 0974e91..8750c9d 100644
---- a/horizon/test/webdriver.py
-+++ b/horizon/test/webdriver.py
-@@ -17,62 +17,79 @@
- # limitations under the License.
- #
-
-+import logging
-+import os
- import platform
- import shutil
- import subprocess
-
--from selenium.common import exceptions as selenium_exceptions
--from selenium.webdriver import firefox
-+LOG = logging.getLogger(__name__)
-
-+try:
-+ # NOTE: Several distribution can't ship selenium due to its
-+ # non-free license. So they have to patch it out of test-requirements.txt
-+ # Avoid import failure and force not running selenium tests.
-+ # The entire file is encapsulated in the try block because the classes
-+ # inherit from the firefox class contained in selenium.webdriver, and
-+ # python will throw a NameError if the import is skipped.
-+ from selenium.common import exceptions as selenium_exceptions
-+ from selenium.webdriver import firefox
-
--class FirefoxBinary(firefox.firefox_binary.FirefoxBinary):
-- """Workarounds selenium firefox issues.
-+ class FirefoxBinary(firefox.firefox_binary.FirefoxBinary):
-+ """Workarounds selenium firefox issues.
-
-- There is race condition in the way firefox is spawned. The exact cause
-- hasn't been properly diagnosed yet but it's around:
-+ There is race condition in the way firefox is spawned. The exact cause
-+ hasn't been properly diagnosed yet but it's around:
-
-- - getting a free port from the OS with selenium.webdriver.common.utils
-- free_port(),
-+ - getting a free port from the OS with selenium.webdriver.common.utils
-+ free_port(),
-
-- - release the port immediately but record it in ff prefs so that ff can
-- listen on that port for the internal http server.
-+ - release the port immediately but record it in ff prefs so that ff can
-+ listen on that port for the internal http server.
-
-- It has been observed that this leads to hanging processes for 'firefox
-- -silent'.
-- """
-+ It has been observed that this leads to hanging processes for 'firefox
-+ -silent'.
-+ """
-
-- def _start_from_profile_path(self, path):
-- self._firefox_env["XRE_PROFILE_PATH"] = path
-+ def _start_from_profile_path(self, path):
-+ self._firefox_env["XRE_PROFILE_PATH"] = path
-
-- if platform.system().lower() == 'linux':
-- self._modify_link_library_path()
-- command = [self._start_cmd, "-silent"]
-- if self.command_line is not None:
-- for cli in self.command_line:
-- command.append(cli)
-+ if platform.system().lower() == 'linux':
-+ self._modify_link_library_path()
-+ command = [self._start_cmd, "-silent"]
-+ if self.command_line is not None:
-+ for cli in self.command_line:
-+ command.append(cli)
-
--# The following exists upstream and is known to create hanging firefoxes,
--# leading to zombies.
--# subprocess.Popen(command, stdout=self._log_file,
--# stderr=subprocess.STDOUT,
--# env=self._firefox_env).communicate()
-- command[1] = '-foreground'
-- self.process = subprocess.Popen(
-- command, stdout=self._log_file, stderr=subprocess.STDOUT,
-- env=self._firefox_env)
-+ # The following exists upstream and is known to create hanging firefoxes,
-+ # leading to zombies.
-+ # subprocess.Popen(command, stdout=self._log_file,
-+ # stderr=subprocess.STDOUT,
-+ # env=self._firefox_env).communicate()
-+ command[1] = '-foreground'
-+ self.process = subprocess.Popen(
-+ command, stdout=self._log_file, stderr=subprocess.STDOUT,
-+ env=self._firefox_env)
-
-+ class WebDriver(firefox.webdriver.WebDriver):
-+ """Workarounds selenium firefox issues."""
-
--class WebDriver(firefox.webdriver.WebDriver):
-- """Workarounds selenium firefox issues."""
-+ def __init__(self, firefox_profile=None, firefox_binary=None,
-+ timeout=30, capabilities=None, proxy=None):
-+ try:
-+ super(WebDriver, self).__init__(
-+ firefox_profile, FirefoxBinary(), timeout, capabilities,
-+ proxy)
-+ except selenium_exceptions.WebDriverException:
-+ # If we can't start, cleanup profile
-+ shutil.rmtree(self.profile.path)
-+ if self.profile.tempfolder is not None:
-+ shutil.rmtree(self.profile.tempfolder)
-+ raise
-
-- def __init__(self, firefox_profile=None, firefox_binary=None, timeout=30,
-- capabilities=None, proxy=None):
-- try:
-- super(WebDriver, self).__init__(
-- firefox_profile, FirefoxBinary(), timeout, capabilities, proxy)
-- except selenium_exceptions.WebDriverException:
-- # If we can't start, cleanup profile
-- shutil.rmtree(self.profile.path)
-- if self.profile.tempfolder is not None:
-- shutil.rmtree(self.profile.tempfolder)
-- raise
-+except ImportError as e:
-+ # NOTE(saschpe): Several distribution can't ship selenium due to its
-+ # non-free license. So they have to patch it out of test-requirements.txt
-+ # Avoid import failure and force not running selenium tests.
-+ LOG.warning("{0}, force WITH_SELENIUM=False".format(str(e)))
-+ os.environ['WITH_SELENIUM'] = ''
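Review bot: The `except ImportError` handler at the end of webdriver.py covers both class bodies as well as the two selenium imports, so the guarded region is much wider than the failure it is meant to catch. A `try`/`except ImportError`/`else` layout, with `FirefoxBinary` and `WebDriver` defined under `else:`, would keep the handler scoped to the imports and still skip the classes when selenium is missing. The log call is clearer with lazy arguments, `LOG.warning("%s, force WITH_SELENIUM=False", e)`, and the NOTE comment is repeated in the `try` and the `except`, where one copy is enough. Separately, `WebDriver.__init__` accepts `firefox_binary` but always passes `FirefoxBinary()`, which deserves a one-line comment if that is intentional.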