From: Thomas Goirand
Date: Wed, 10 Dec 2014 11:57:36 +0000 (+0800)
Subject: * CVE-2014-8124: Horizon denial of service attack through login page. Applied
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=156c6e87b683eb3f1cb87c8894380d300d430fc9;p=openstack-build%2Fhorizon-build.git

* CVE-2014-8124: Horizon denial of service attack through login page. Applied upstream patch (Closes: #772710).
Rewritten-From: 2013f19d1cc920fdfe9f88b962acbac2c2846df1
---
diff --git a/trusty/debian/changelog b/trusty/debian/changelog
index 936166c..d0d9b2f 100644
--- a/trusty/debian/changelog
+++ b/trusty/debian/changelog
@@ -1,3 +1,10 @@
+horizon (2014.2-3) experimental; urgency=medium
+
+ * CVE-2014-8124: Horizon denial of service attack through login page. Applied
+ upstream patch (Closes: #772710).
+
+ -- Thomas Goirand Wed, 10 Dec 2014 19:53:49 +0800
+
 horizon (2014.2-2) experimental; urgency=medium
 * Added a trigger thing when a javascript lib is updated.
diff --git a/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch b/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch
new file mode 100644
index 0000000..c5ff691
--- /dev/null
+++ b/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch
@@ -0,0 +1,58 @@
+From: eric
+Date: Thu, 20 Nov 2014 15:49:09 +0000 (-0700)
+Subject: Horizon login page contains DOS attack mechanism
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=e8a66a4d92ae259a5ef004cafad1809942c66596
+
+Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend. This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+---
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index a0d9c3d..885489e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
+ request.horizon = {'dashboard': None,
+ 'panel': None,
+ 'async_messages': []}
++ if not hasattr(request, "user") or not request.user.is_authenticated():
++ # proceed no further if the current request is already known
++ # not to be authenticated
++ # it is CRITICAL to perform this check as early as possible
++ # to avoid creating too many sessions
++ return None
+
+ # Check for session timeout if user is (or was) authenticated.
+ has_timed_out, timestamp = self._check_has_timed_timeout(request)
+ if has_timed_out:
+ return self._logout(request, request.path, _("Session timed out."))
+
+- if not hasattr(request, "user") or not request.user.is_authenticated():
+- # proceed no further if the current request is already known
+- # not to be authenticated
+- return None
+ if request.is_ajax():
+ # if the request is Ajax we do not want to proceed, as clients can
+ # 1) create pages with constant polling, which can create race
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 4ce55ff..0473279 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -41,8 +41,7 @@ def splash(request):
+ response = shortcuts.redirect(horizon.get_user_home(request.user))
+ else:
+ form = forms.Login(request)
+- request.session.clear()
+- request.session.set_test_cookie()
+ response = shortcuts.render(request, 'splash.html', {'form': form})
+- response.delete_cookie('logout_reason')
++ if 'logout_reason' in request.COOKIES:
++ response.delete_cookie('logout_reason')
+ return response
diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series
index 3bc0b2b..97a3997 100644
--- a/trusty/debian/patches/series
+++ b/trusty/debian/patches/series
@@ -4,3 +4,4 @@ fixed-horizon-MANIFEST.in.patch
 disable-failed-django-1.7-test.patch
 Remove_selenium_dependency_when_not_using_selenium_tests.patch
 Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch
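Review bot: Nothing on the new splash() path replaces the test-cookie handshake that the removed `request.session.set_test_cookie()` started, so if the view that handles the login POST still calls `request.session.test_cookie_worked()` (the usual counterpart), every login would now fail that check — that caller is outside this hunk and should be confirmed before the patch is applied. The middleware guard only stops HorizonMiddleware itself from touching the session; `forms.Login(request)` and the render of `splash.html` must also stay clear of `request.session`, otherwise each anonymous GET still allocates a backend session record, which is exactly the CVE-2014-8124 condition, and a comment at the `form = forms.Login(request)` line, `# CVE-2014-8124: nothing on the anonymous path may touch request.session, or every unauthenticated GET creates a backend session record`, would keep that invariant from being reintroduced later. Note also that with `request.session.clear()` gone, any stale session state now survives a visit to the login page until the logout path flushes it — if `self._logout` does not call `request.session.flush()`, that is now the only place it could happen. Both the HorizonMiddleware method and splash() begin and end outside this hunk.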