passlib trunc_password MAX_PASSWORD_LENGTH password truncation

Bug #1175904 reported by Kurt Seifried
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Li Ma

Bug Description

Grant Murphy originally reported:

* Insecure / bad practice

   The trunc_password function attempts to correct and truncate passwords
   that are over the MAX_PASSWORD_LENGTH value (default 4096). As the
   MAX_PASSWORD_LENGTH field is globally mutable it could be modified
   to restrict all passwords to length = 1. This scenario might be unlikely
   but generally speaking we should not try to 'fix' invalid input and
   continue on processing as if nothing happened.

If this is exploitable it will need a CVE, if not we should still harden it so it can't be monkeyed with in the future.

Tags: security
Revision history for this message
Thierry Carrez (ttx) wrote :

I don't see this as exploitable, as you'd have to run arbitrary Python code within the Keystone server, at which point there are funnier things to do than altering the max password length.

Agree that we could strengthen that part to avoid it being monkeyed with in the future. With your permission, I'd open this bug publicly and let it be strengthened in public patches.

Revision history for this message
Thierry Carrez (ttx) wrote :

Will open tomorrow unless someone raises a flag.

Thierry Carrez (ttx)
information type: Private Security → Public
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Confirmed
Li Ma (nick-ma-z)
Changed in keystone:
assignee: nobody → Li Ma (nick-ma-b)
Li Ma (nick-ma-z)
Changed in keystone:
assignee: Li Ma (nick-ma-b) → nobody
Li Ma (nick-ma-z)
Changed in keystone:
assignee: nobody → Li Ma (nick-ma-z)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/77325

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
Li Ma (nick-ma-z) wrote :

According to the discussion in review, I'll submit a new patch for Juno. Just leave a message here.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/98942

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/77325
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=94a2053cd05cabee2e4233ef33e1f116201d9368
Submitter: Jenkins
Branch: master

commit 94a2053cd05cabee2e4233ef33e1f116201d9368
Author: Li Ma <email address hidden>
Date: Fri Feb 28 18:54:35 2014 -0800

    Password trunction makes password insecure

    The trunc_password function attempts to correct and truncate
    password. It is not recommended to 'fix' invalid input and
    continue on processing and logging it. Instead, strict check
    is introduced to validate password. If a password exceeds the
    maximum length, an HTTP 403 Forbidden error is thrown.

    In order to keep compatibility, an option 'strict_password_check'
    is also introduced to let operator decide which method to use.

    DocImpact
    Change-Id: I560daa843b94a05412af59a059de5a98bad2925e
    Closes-Bug: #1175904

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/98942
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b3f4e299e8c47ede4e39744fa8c46f66fb1f4173
Submitter: Jenkins
Branch: master

commit b3f4e299e8c47ede4e39744fa8c46f66fb1f4173
Author: Li Ma <email address hidden>
Date: Wed Jun 18 19:16:52 2014 -0700

    Fix the typo and reformat the comments for the added option

    Change-Id: I01c471976f2c6d80bfe629b61ab75b81d6cabb1a
    Related-Bug: #1175904

Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.