--- /dev/null
+From abc532fa90eac1cc970423339347e318aa8d1b1a Mon Sep 17 00:00:00 2001
+From: Paul McMillan <paul.mcmillan@nebula.com>
+Date: Fri, 4 May 2012 16:30:31 -0700
+Subject: [PATCH] Fixes lp978896 -- Session fixation security fix
+
+Rotates session tokens on logout, and properly clears sessions
+to prevent data leakage.
+
+Change-Id: Id11054e852b8c8a386756e9de980cb5eff64f228
+---
+ horizon/exceptions.py | 2 +-
+ horizon/middleware.py | 9 ++++++++
+ horizon/tests/auth_tests.py | 52 +++++++++++++++++++++++++++++++++++++++++++
+ horizon/users.py | 2 +-
+ horizon/views/auth.py | 2 +-
+ horizon/views/auth_forms.py | 12 +++++++++-
+ 6 files changed, 75 insertions(+), 4 deletions(-)
+
+diff --git a/horizon/exceptions.py b/horizon/exceptions.py
+index c5f2450..cf460e3 100644
+--- a/horizon/exceptions.py
++++ b/horizon/exceptions.py
+@@ -203,7 +203,7 @@ def handle(request, message=None, redirect=None, ignore=False, escalate=False):
+ if issubclass(exc_type, UNAUTHORIZED):
+ if ignore:
+ return NotAuthorized
+- request.session.clear()
++ request.user_logout()
+ if not handled:
+ LOG.debug("Unauthorized: %s" % exc_value)
+ # We get some pretty useless error messages back from
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index f20c1f0..f141ff3 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -49,6 +49,15 @@ class HorizonMiddleware(object):
+
+ Adds a :class:`~horizon.users.User` object to ``request.user``.
+ """
++ # A quick and dirty way to log users out
++ def user_logout(request):
++ if hasattr(request, '_cached_user'):
++ del request._cached_user
++ # Use flush instead of clear, so we rotate session keys in
++ # addition to clearing all the session data
++ request.session.flush()
++ request.__class__.user_logout = user_logout
++
+ request.__class__.user = users.LazyUser()
+ request.horizon = {'dashboard': None, 'panel': None}
+
+diff --git a/horizon/tests/auth_tests.py b/horizon/tests/auth_tests.py
+index ba16477..9f295d0 100644
+--- a/horizon/tests/auth_tests.py
++++ b/horizon/tests/auth_tests.py
+@@ -18,6 +18,8 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import time
++
+ from django import http
+ from django.core.urlresolvers import reverse
+ from keystoneclient import exceptions as keystone_exceptions
+@@ -220,3 +222,53 @@ class AuthViewTests(test.TestCase):
+
+ self.assertRedirectsNoFollow(res, reverse('splash'))
+ self.assertNotIn(KEY, self.client.session)
++
++ def test_session_fixation(self):
++ session_ids = []
++ form_data = {'method': 'Login',
++ 'region': 'http://localhost:5000/v2.0',
++ 'password': self.user.password,
++ 'username': self.user.name}
++
++ self.mox.StubOutWithMock(api, 'token_create')
++ self.mox.StubOutWithMock(api, 'tenant_list_for_token')
++ self.mox.StubOutWithMock(api, 'token_create_scoped')
++
++ aToken = self.tokens.unscoped_token
++ bToken = self.tokens.scoped_token
++
++ api.token_create(IsA(http.HttpRequest), "", self.user.name,
++ self.user.password).AndReturn(aToken)
++ api.tenant_list_for_token(IsA(http.HttpRequest),
++ aToken.id).AndReturn([self.tenants.first()])
++ api.token_create_scoped(IsA(http.HttpRequest),
++ self.tenant.id,
++ aToken.id).AndReturn(bToken)
++
++ api.token_create(IsA(http.HttpRequest), "", self.user.name,
++ self.user.password).AndReturn(aToken)
++ api.tenant_list_for_token(IsA(http.HttpRequest),
++ aToken.id).AndReturn([self.tenants.first()])
++ api.token_create_scoped(IsA(http.HttpRequest),
++ self.tenant.id,
++ aToken.id).AndReturn(bToken)
++ self.mox.ReplayAll()
++
++ res = self.client.get(reverse('horizon:auth_login'))
++ self.assertEqual(res.cookies.get('sessionid'), None)
++ res = self.client.post(reverse('horizon:auth_login'), form_data)
++ session_ids.append(res.cookies['sessionid'].value)
++
++ self.assertEquals(self.client.session['user_name'],
++ self.user.name)
++ self.client.session['foobar'] = 'MY TEST VALUE'
++ res = self.client.get(reverse('horizon:auth_logout'))
++ session_ids.append(res.cookies['sessionid'].value)
++ self.assertEqual(len(self.client.session.items()), 0)
++ # Sleep for 1 second so the session values are different if
++ # using the signed_cookies backend.
++ time.sleep(1)
++ res = self.client.post(reverse('horizon:auth_login'), form_data)
++ session_ids.append(res.cookies['sessionid'].value)
++ # Make sure all 3 session id values are different
++ self.assertEqual(len(session_ids), len(set(session_ids)))
+diff --git a/horizon/users.py b/horizon/users.py
+index f5dcde8..6e6be8e 100644
+--- a/horizon/users.py
++++ b/horizon/users.py
+@@ -59,7 +59,7 @@ def get_user_from_request(request):
+ # If any of those keys are missing from the session it is
+ # overwhelmingly likely that we're dealing with an outdated session.
+ LOG.exception("Error while creating User from session.")
+- request.session.clear()
++ request.user_logout()
+ raise exceptions.NotAuthorized(_("Your session has expired. "
+ "Please log in again."))
+
+diff --git a/horizon/views/auth.py b/horizon/views/auth.py
+index b48f24a..5120eed 100644
+--- a/horizon/views/auth.py
++++ b/horizon/views/auth.py
+@@ -96,6 +96,6 @@ def switch_tenants(request, tenant_id):
+
+ def logout(request):
+ """ Clears the session and logs the current user out. """
+- request.session.clear()
++ request.user_logout()
+ # FIXME(gabriel): we don't ship a view named splash
+ return shortcuts.redirect('splash')
+diff --git a/horizon/views/auth_forms.py b/horizon/views/auth_forms.py
+index 2874486..2ebecfc 100644
+--- a/horizon/views/auth_forms.py
++++ b/horizon/views/auth_forms.py
+@@ -77,6 +77,16 @@ class Login(forms.SelfHandlingForm):
+ self.fields['region'].widget = forms.widgets.HiddenInput()
+
+ def handle(self, request, data):
++ if 'user_name' in request.session:
++ if request.session['user_name'] != data['username']:
++ # To avoid reusing another user's session, create a
++ # new, empty session if the existing session
++ # corresponds to a different authenticated user.
++ request.session.flush()
++ # Always cycle the session key when viewing the login form to
++ # prevent session fixation
++ request.session.cycle_key()
++
+ # For now we'll allow fallback to OPENSTACK_KEYSTONE_URL if the
+ # form post doesn't include a region.
+ endpoint = data.get('region', None) or settings.OPENSTACK_KEYSTONE_URL
+@@ -116,7 +126,7 @@ class Login(forms.SelfHandlingForm):
+ # If we get here we don't want to show a stack trace to the
+ # user. However, if we fail here, there may be bad session
+ # data that's been cached already.
+- request.session.clear()
++ request.user_logout()
+ exceptions.handle(request,
+ message=_("An error occurred authenticating."
+ " Please try again later."),
+--
+1.7.10
+
Code Review / openstack-build / horizon-build.git / commitdiff