Comment 27 for bug 1394370

Gabriel Hurley (gabriel-hurley) wrote : Re: horizon login page is vulnerable to DOS attack

So here's my take:

1. A session is only saved if session.modified is true: https://github.com/django/django/blob/master/django/contrib/sessions/middleware.py#L18

2. django-openstack-auth is doing the same type of access in get_user as the default django database backend. Compare https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/utils.py#L51 and https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L147

3. I agree that the session clear and set_test_cookie are no longer needed; that's legacy code. I also agree that our call to _check_has_timed_timeout should be after checking if the user is authenticated.

What all this means is that simply *accessing* the session is not enough to write it to the DB; somewhere in these code paths we're triggering the session.modified flag. We should instead focus on finding where that's happening and ensure that we do not do anything to modify the session for anonymous sessions.

That would be a more appropriate fix for this as opposed to mucking with checking for a specific cookie name and/or deleting sessions if they're "unused".
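To make the mechanism in this comment concrete, here is an added example that is not code from the bug report, from Horizon, or from Django: a small Python model of Django's `SessionBase` "accessed"/"modified" semantics and of the `SessionMiddleware.process_response` save decision. Reads (`__getitem__`, `get`, `in`) only set `accessed`; writes (`__setitem__`, `__delitem__`, `clear()`, `set_test_cookie()`) set `modified`, and the middleware persists a session row only when `modified` is true or `SESSION_SAVE_EVERY_REQUEST` is on. The probe runs each operation an anonymous login-page request might perform on a fresh session and reports which ones would write to the DB. The `_auth_user_id` key mirrors Django's `SESSION_KEY`; the `last_activity` key and the operation names are assumptions made for the example.

```python
"""Model of Django's SessionBase 'modified' semantics (added example).

Not Django and not Horizon code: a stand-in that mirrors the behaviour of
django.contrib.sessions.backends.base.SessionBase closely enough to show
which operations on an anonymous session make SessionMiddleware persist a
row (it saves only when session.modified is True, or when
SESSION_SAVE_EVERY_REQUEST is set).
"""


class Session:
    TEST_COOKIE_NAME = "testcookie"
    TEST_COOKIE_VALUE = "worked"

    def __init__(self, data=None):
        self._session = dict(data or {})
        self.accessed = False   # drives "Vary: Cookie", not a DB write
        self.modified = False   # drives session.save() in the middleware

    # --- read paths: mark accessed only ---
    def __contains__(self, key):
        self.accessed = True
        return key in self._session

    def __getitem__(self, key):
        self.accessed = True
        return self._session[key]          # KeyError for a missing key

    def get(self, key, default=None):
        self.accessed = True
        return self._session.get(key, default)

    # --- write paths: mark modified ---
    def __setitem__(self, key, value):
        self.accessed = True
        self._session[key] = value
        self.modified = True

    def __delitem__(self, key):
        del self._session[key]
        self.modified = True

    def clear(self):
        self._session = {}
        self.accessed = True
        self.modified = True

    def set_test_cookie(self):
        # Django implements this as a plain item assignment, so it
        # marks the session modified even for an anonymous visitor.
        self[self.TEST_COOKIE_NAME] = self.TEST_COOKIE_VALUE

    def test_cookie_worked(self):
        return self.get(self.TEST_COOKIE_NAME) == self.TEST_COOKIE_VALUE


def middleware_would_save(session, save_every_request=False):
    """The SessionMiddleware.process_response decision, reduced to its test."""
    return session.modified or save_every_request


def get_user_lookup(session):
    """Same access pattern as django.contrib.auth.get_user: read the
    backend key, treat a KeyError as 'anonymous'. Read-only."""
    try:
        return session["_auth_user_id"]
    except KeyError:
        return None


def probe_anonymous_login_view(operations):
    """Run each (name, fn) on a fresh anonymous session and report
    whether the middleware would write a session row afterwards."""
    results = {}
    for name, fn in operations:
        s = Session()
        fn(s)
        results[name] = middleware_would_save(s)
    return results


# Operations a login view might perform on an unauthenticated GET
# (names and the 'last_activity' key are assumptions for this example).
LOGIN_VIEW_OPERATIONS = [
    ("get_user lookup", get_user_lookup),
    ("timeout check via get()", lambda s: s.get("last_activity")),
    ("session.clear()", lambda s: s.clear()),
    ("set_test_cookie()", lambda s: s.set_test_cookie()),
]

if __name__ == "__main__":
    for name, writes in probe_anonymous_login_view(LOGIN_VIEW_OPERATIONS).items():
        print(f"{name:26s} -> {'writes a session row' if writes else 'no write'}")
```

Under this model the two lookups stay read-only, while `clear()` and `set_test_cookie()` each flip `modified` and so cost one DB row per anonymous request; that is the kind of call path the comment suggests hunting for before reaching for cookie-name checks or reaping "unused" sessions.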