secret_key.py doesn't warn when reverting to insecure key generation

Bug #1588064 reported by Matt Borland
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: High
Assigned to: Matt Borland

Bug Description

secret_key.py is used to generate a 64-bit key used by Django; however, when it cannot find the 'SystemRandom' extension to the 'random' package it reverts to a generator that is, by documentation, not secure cryptographically. Witness:

https://docs.python.org/2/library/random.html

Reverting to the generator without leaving a warning is a hazard from a system security perspective. We should log at WARN that there is a possible security issue in the configuration.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/324104

Changed in horizon:
assignee: nobody → Matt Borland (palecrow)
status: New → In Progress
Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Nice catch

Changed in horizon:
importance: Undecided → High
milestone: none → newton-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/324104
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Submitter: Jenkins
Branch: master

commit b2b801b3457f1f9d7625add75f2b52057cbbbb6c
Author: Matt Borland <email address hidden>
Date: Wed Jun 1 15:08:12 2016 -0600

    Add warning when falling back to insecure key generation

    When secret_key.py generates the key, it silently regresses when
    SystemRandom isn't present. We need the reversion for non-production
    environments, but we need to warn in environments when SystemRandom isn't
    being used. See the bug report for more details.

    Change-Id: Ibed0a41d377317db9bdfa1c9a277eb70691172e7
    Closes-Bug: 1588064

Changed in horizon:
status: In Progress → Fix Released
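The pattern described in the bug report and in the merged commit message (prefer random.SystemRandom, fall back to the module-level generator only when it is missing, and log at WARNING when that happens), as an added example. This is not Horizon's secret_key.py and not the code from the review above; the function names, the key alphabet, the warning text and the _InsecureOnlyRandom stand-in module are assumptions made for the demonstration.

```python
import logging
import random
import string

log = logging.getLogger(__name__)

# Alphabet the generated key is drawn from (assumption: letters and digits).
KEY_ALPHABET = string.ascii_letters + string.digits


def select_rng(random_module=random):
    """Return (rng, is_secure).

    random.SystemRandom reads os.urandom and is suitable for secrets. The
    module-level Mersenne Twister generator is not, so if SystemRandom is
    absent we still fall back (non-production use) but say so at WARNING
    instead of regressing silently.
    """
    system_random = getattr(random_module, "SystemRandom", None)
    if system_random is not None:
        return system_random(), True
    log.warning(
        "random.SystemRandom is unavailable; falling back to the "
        "non-cryptographic random.Random generator for secret key "
        "generation. Do not use the resulting key in production."
    )
    return random_module, False


def generate_key(key_length=64, random_module=random):
    """Generate a key of key_length characters; also report whether it is secure."""
    rng, secure = select_rng(random_module)
    key = "".join(rng.choice(KEY_ALPHABET) for _ in range(key_length))
    return key, secure


class _ListHandler(logging.Handler):
    """Collects emitted log records so the fallback warning can be verified."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def generate_with_fallback_check(random_module=random, key_length=64):
    """Generate a key and return (key, is_secure, warning_was_logged)."""
    handler = _ListHandler()
    log.addHandler(handler)
    try:
        key, secure = generate_key(key_length, random_module)
    finally:
        log.removeHandler(handler)
    warned = any(r.levelno == logging.WARNING for r in handler.records)
    return key, secure, warned


class _InsecureOnlyRandom:
    """Constructed stand-in for a 'random' module that lacks SystemRandom."""

    choice = staticmethod(random.choice)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    key, secure, warned = generate_with_fallback_check()
    print("secure=%s warned=%s key=%s" % (secure, warned, key))
    key, secure, warned = generate_with_fallback_check(_InsecureOnlyRandom)
    print("secure=%s warned=%s key=%s" % (secure, warned, key))
```

Passing a substitute module object is only there to exercise the fallback branch without uninstalling anything; in a real deployment the warning should be treated as a configuration defect to fix, not a message to silence. On Python 3.6 and later the secrets module (secrets.choice) is the idiomatic way to obtain the same os.urandom-backed choice without the hasattr check.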
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/horizon 10.0.0.0b2

This issue was fixed in the openstack/horizon 10.0.0.0b2 development milestone.
