File 0001-Sanitizes-authentication-methods-received-in-request.patch of Package openstack-keystone
From 8ba1ec87f567ee6f190b12b08ed095e9e3d35e31 Mon Sep 17 00:00:00 2001
From: Florent Flament <florent.flament-ext@cloudwatt.com>
Date: Tue, 1 Apr 2014 12:48:22 +0000
Subject: [PATCH] Sanitizes authentication methods received in requests.
(bnc#873127, CVE-2014-2828)
When a user authenticates against the Identity V3 API, they can specify
multiple authentication methods. This patch removes duplicate methods, which
could have been used to achieve DoS attacks.
Closes-Bug: 1300274
(cherry picked from commit e364ba5b12de8e4c11bd80bcca903f9615dcfc2e)
Cherry-pick from https://review.openstack.org/#/c/84425/
Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
Conflicts:
keystone/auth/controllers.py
tests/test_v3_auth.py
---
keystone/auth/controllers.py | 8 +++++++-
tests/test_v3_auth.py | 11 +++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 67a8644..3d135f0 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -228,7 +228,13 @@ class AuthInfo(object):
:returns: list of auth method names
"""
- return self.auth['identity']['methods']
+ # Sanitizes methods received in request's body
+ # Filters out duplicates, while keeping elements' order.
+ method_names = []
+ for method in self.auth['identity']['methods']:
+ if method not in method_names:
+ method_names.append(method)
+ return method_names
def get_method_data(self, method):
""" Get the auth method payload.
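Review bot: The de-duplication loop tests `method not in method_names` against a growing list, so the work is quadratic in the length of a request-supplied list; since the point of the change is to bound the cost of attacker-controlled `methods`, membership should be tracked in a set alongside the ordered result. The docstring just above the hunk still says only `:returns: list of auth method names`; add `Duplicate entries are dropped, first occurrence wins, order is preserved.` so callers know they get a fresh, de-duplicated list rather than the request's own list. A set requires hashable entries — if nothing upstream has yet guaranteed that each method is a string, a non-hashable entry would raise TypeError here, so confirm the schema check happens before this method is called. The enclosing get_method_names definition starts outside the hunk.
```python
        # Sanitizes methods received in request's body: drop duplicates,
        # keep first-seen order, and stay linear in the list length.
        seen = set()
        method_names = []
        for method in self.auth['identity']['methods']:
            if method not in seen:
                seen.add(method)
                method_names.append(method)
        return method_names
```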
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index c2cd867..e419f5f 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@@ -83,6 +83,17 @@ class TestAuthInfo(test_v3.RestfulTestCase):
None,
auth_data)
+ def test_get_method_names_duplicates(self):
+ auth_data = self.build_authentication_request(
+ token='test',
+ user_id='test',
+ password='test')['auth']
+ auth_data['identity']['methods'] = ['password', 'token',
+ 'password', 'password']
+ context = None
+ auth_info = auth.controllers.AuthInfo(context, auth_data)
+ self.assertEqual(auth_info.get_method_names(),
+ ['password', 'token'])
class TestTokenAPIs(test_v3.RestfulTestCase):
def setUp(self):
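Review bot: The assertion passes the actual value first, `self.assertEqual(auth_info.get_method_names(), ['password', 'token'])`; unittest's convention is expected first (`self.assertEqual(['password', 'token'], auth_info.get_method_names())`) so a failure message reads "expected != actual" rather than the reverse. The test only exercises the duplicate case; a second case with `auth_data['identity']['methods'] = ['password']` asserting `['password']` would pin that a clean request is returned unchanged, and one with `[]` would document the empty-list behaviour of the new loop. The TestAuthInfo class begins outside the hunk.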
--
1.8.1.4