From 6f4a94a6222db8668ccd0077bf6fcd4e37a59fb4 Mon Sep 17 00:00:00 2001 From: Thomas Goirand Date: Thu, 25 Dec 2014 18:37:02 +0800 Subject: [PATCH] Removed upstream-applied patches. Rewritten-From: a5cd782b3fce7269893c28ece12c5dfa865c6b50 --- trusty/debian/changelog | 1 + ...e_contains_DOS_attack_mechanism_juno.patch | 58 -------- ...ndency_when_not_using_selenium_tests.patch | 136 ------------------ .../disable-failed-django-1.7-test.patch | 8 +- trusty/debian/patches/series | 2 - 5 files changed, 6 insertions(+), 199 deletions(-) delete mode 100644 trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch delete mode 100644 trusty/debian/patches/Remove_selenium_dependency_when_not_using_selenium_tests.patch diff --git a/trusty/debian/changelog b/trusty/debian/changelog index 3d0de99..efdde3c 100644 --- a/trusty/debian/changelog +++ b/trusty/debian/changelog @@ -2,6 +2,7 @@ horizon (2015.1~b1-1) UNRELEASED; urgency=medium * New upstream release. * Fixed (build-)depends for this release. + * Removed upstream-applied patches. -- Thomas Goirand Thu, 25 Dec 2014 17:36:23 +0800 diff --git a/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch b/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch deleted file mode 100644 index c5ff691..0000000 --- a/trusty/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From: eric -Date: Thu, 20 Nov 2014 15:49:09 +0000 (-0700) -Subject: Horizon login page contains DOS attack mechanism -X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=e8a66a4d92ae259a5ef004cafad1809942c66596 - -Horizon login page contains DOS attack mechanism - -the horizon login page (really the middleware) accesses the session -too early in the login process, which will create session records -in the session backend. This is especially problematic when non-cookie -backends are used. - -Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 -Closes-Bug: 1394370 ---- - -diff --git a/horizon/middleware.py b/horizon/middleware.py -index a0d9c3d..885489e 100644 ---- a/horizon/middleware.py -+++ b/horizon/middleware.py -@@ -90,16 +90,18 @@ class HorizonMiddleware(object): - request.horizon = {'dashboard': None, - 'panel': None, - 'async_messages': []} -+ if not hasattr(request, "user") or not request.user.is_authenticated(): -+ # proceed no further if the current request is already known -+ # not to be authenticated -+ # it is CRITICAL to perform this check as early as possible -+ # to avoid creating too many sessions -+ return None - - # Check for session timeout if user is (or was) authenticated. 
- has_timed_out, timestamp = self._check_has_timed_timeout(request) - if has_timed_out: - return self._logout(request, request.path, _("Session timed out.")) - -- if not hasattr(request, "user") or not request.user.is_authenticated(): -- # proceed no further if the current request is already known -- # not to be authenticated -- return None - if request.is_ajax(): - # if the request is Ajax we do not want to proceed, as clients can - # 1) create pages with constant polling, which can create race -diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py -index 4ce55ff..0473279 100644 ---- a/openstack_dashboard/views.py -+++ b/openstack_dashboard/views.py -@@ -41,8 +41,7 @@ def splash(request): - response = shortcuts.redirect(horizon.get_user_home(request.user)) - else: - form = forms.Login(request) -- request.session.clear() -- request.session.set_test_cookie() - response = shortcuts.render(request, 'splash.html', {'form': form}) -- response.delete_cookie('logout_reason') -+ if 'logout_reason' in request.COOKIES: -+ response.delete_cookie('logout_reason') - return response diff --git a/trusty/debian/patches/Remove_selenium_dependency_when_not_using_selenium_tests.patch b/trusty/debian/patches/Remove_selenium_dependency_when_not_using_selenium_tests.patch deleted file mode 100644 index e72bf5c..0000000 --- a/trusty/debian/patches/Remove_selenium_dependency_when_not_using_selenium_tests.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -Description: Remove selenium dependency when not using selenium tests -Author: Gary W. Smith -Date: Wed, 8 Oct 2014 00:24:08 +0000 (-0700) -X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=83fd6a7631a6a3ea6adbebca725a5f19c2c1796c -Bug-Ubuntu: https://launchpad.net/bugs/1377372 -Change-Id: I6a493989d7280eaa2a1c999a9d1be4365aa77d52 -Origin: upstream, https://review.openstack.org/#/c/126777/ -Last-Update: 2014-10-08 - -diff --git a/horizon/test/webdriver.py b/horizon/test/webdriver.py -index 0974e91..8750c9d 100644 ---- a/horizon/test/webdriver.py -+++ b/horizon/test/webdriver.py -@@ -17,62 +17,79 @@ - # limitations under the License. - # - -+import logging -+import os - import platform - import shutil - import subprocess - --from selenium.common import exceptions as selenium_exceptions --from selenium.webdriver import firefox -+LOG = logging.getLogger(__name__) - -+try: -+ # NOTE: Several distribution can't ship selenium due to its -+ # non-free license. So they have to patch it out of test-requirements.txt -+ # Avoid import failure and force not running selenium tests. -+ # The entire file is encapsulated in the try block because the classes -+ # inherit from the firefox class contained in selenium.webdriver, and -+ # python will throw a NameError if the import is skipped. -+ from selenium.common import exceptions as selenium_exceptions -+ from selenium.webdriver import firefox - --class FirefoxBinary(firefox.firefox_binary.FirefoxBinary): -- """Workarounds selenium firefox issues. -+ class FirefoxBinary(firefox.firefox_binary.FirefoxBinary): -+ """Workarounds selenium firefox issues. - -- There is race condition in the way firefox is spawned. The exact cause -- hasn't been properly diagnosed yet but it's around: -+ There is race condition in the way firefox is spawned. 
The exact cause -+ hasn't been properly diagnosed yet but it's around: - -- - getting a free port from the OS with selenium.webdriver.common.utils -- free_port(), -+ - getting a free port from the OS with selenium.webdriver.common.utils -+ free_port(), - -- - release the port immediately but record it in ff prefs so that ff can -- listen on that port for the internal http server. -+ - release the port immediately but record it in ff prefs so that ff can -+ listen on that port for the internal http server. - -- It has been observed that this leads to hanging processes for 'firefox -- -silent'. -- """ -+ It has been observed that this leads to hanging processes for 'firefox -+ -silent'. -+ """ - -- def _start_from_profile_path(self, path): -- self._firefox_env["XRE_PROFILE_PATH"] = path -+ def _start_from_profile_path(self, path): -+ self._firefox_env["XRE_PROFILE_PATH"] = path - -- if platform.system().lower() == 'linux': -- self._modify_link_library_path() -- command = [self._start_cmd, "-silent"] -- if self.command_line is not None: -- for cli in self.command_line: -- command.append(cli) -+ if platform.system().lower() == 'linux': -+ self._modify_link_library_path() -+ command = [self._start_cmd, "-silent"] -+ if self.command_line is not None: -+ for cli in self.command_line: -+ command.append(cli) - --# The following exists upstream and is known to create hanging firefoxes, --# leading to zombies. --# subprocess.Popen(command, stdout=self._log_file, --# stderr=subprocess.STDOUT, --# env=self._firefox_env).communicate() -- command[1] = '-foreground' -- self.process = subprocess.Popen( -- command, stdout=self._log_file, stderr=subprocess.STDOUT, -- env=self._firefox_env) -+ # The following exists upstream and is known to create hanging firefoxes, -+ # leading to zombies. 
-+ # subprocess.Popen(command, stdout=self._log_file, -+ # stderr=subprocess.STDOUT, -+ # env=self._firefox_env).communicate() -+ command[1] = '-foreground' -+ self.process = subprocess.Popen( -+ command, stdout=self._log_file, stderr=subprocess.STDOUT, -+ env=self._firefox_env) - -+ class WebDriver(firefox.webdriver.WebDriver): -+ """Workarounds selenium firefox issues.""" - --class WebDriver(firefox.webdriver.WebDriver): -- """Workarounds selenium firefox issues.""" -+ def __init__(self, firefox_profile=None, firefox_binary=None, -+ timeout=30, capabilities=None, proxy=None): -+ try: -+ super(WebDriver, self).__init__( -+ firefox_profile, FirefoxBinary(), timeout, capabilities, -+ proxy) -+ except selenium_exceptions.WebDriverException: -+ # If we can't start, cleanup profile -+ shutil.rmtree(self.profile.path) -+ if self.profile.tempfolder is not None: -+ shutil.rmtree(self.profile.tempfolder) -+ raise - -- def __init__(self, firefox_profile=None, firefox_binary=None, timeout=30, -- capabilities=None, proxy=None): -- try: -- super(WebDriver, self).__init__( -- firefox_profile, FirefoxBinary(), timeout, capabilities, proxy) -- except selenium_exceptions.WebDriverException: -- # If we can't start, cleanup profile -- shutil.rmtree(self.profile.path) -- if self.profile.tempfolder is not None: -- shutil.rmtree(self.profile.tempfolder) -- raise -+except ImportError as e: -+ # NOTE(saschpe): Several distribution can't ship selenium due to its -+ # non-free license. So they have to patch it out of test-requirements.txt -+ # Avoid import failure and force not running selenium tests. -+ LOG.warning("{0}, force WITH_SELENIUM=False".format(str(e))) -+ os.environ['WITH_SELENIUM'] = '' diff --git a/trusty/debian/patches/disable-failed-django-1.7-test.patch b/trusty/debian/patches/disable-failed-django-1.7-test.patch index f082df7..ab8c42b 100644 --- a/trusty/debian/patches/disable-failed-django-1.7-test.patch +++ b/trusty/debian/patches/disable-failed-django-1.7-test.patch 
@@ -6,9 +6,11 @@ Author: Thomas Goirand Forwarded: no Last-Update: 2014-09-21 ---- horizon-2014.2~b3.orig/openstack_dashboard/dashboards/identity/projects/tests.py -+++ horizon-2014.2~b3/openstack_dashboard/dashboards/identity/projects/tests.py -@@ -1608,43 +1608,6 @@ class UpdateProjectWorkflowTests(test.Ba +Index: horizon/openstack_dashboard/dashboards/identity/projects/tests.py +=================================================================== +--- horizon.orig/openstack_dashboard/dashboards/identity/projects/tests.py 2014-12-25 17:37:13.000000000 +0800 ++++ horizon/openstack_dashboard/dashboards/identity/projects/tests.py 2014-12-25 18:35:42.000000000 +0800 +@@ -1535,43 +1535,6 @@ self.assertMessageCount(error=2, warning=0) self.assertRedirectsNoFollow(res, INDEX_URL) diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series index 45624e2..15031e2 100644 --- a/trusty/debian/patches/series +++ b/trusty/debian/patches/series @@ -2,5 +2,3 @@ fix-dashboard-django-wsgi.patch fix-dashboard-manage.patch fixed-horizon-MANIFEST.in.patch disable-failed-django-1.7-test.patch -Remove_selenium_dependency_when_not_using_selenium_tests.patch -CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch -- 2.45.2
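Review bot: Dropping `CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_juno.patch` from `series` means the package now relies on the 2015.1~b1 tarball already containing upstream commit e8a66a4d92ae259a5ef004cafad1809942c66596 (Closes-Bug 1394370), and nothing in this commit records that this was checked. Before upload, confirm in the unpacked source that the `HorizonMiddleware` code in `horizon/middleware.py` returns early for unauthenticated requests ahead of the `_check_has_timed_timeout` call. Also confirm that `splash()` in `openstack_dashboard/views.py` no longer calls `request.session.clear()` or `request.session.set_test_cookie()`. The changelog line should name what was removed so the security fix stays traceable, for example `* Removed upstream-applied patches (CVE-2014-8124 login-page session DoS fix, selenium dependency removal).`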