Reviewed:  https://review.openstack.org/84735
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ce6cedb30c5c4b4cf4db9380f09443de22414b39
Submitter: Jenkins
Branch:    milestone-proposed
commit ce6cedb30c5c4b4cf4db9380f09443de22414b39
Author: Florent Flament <florent.flament-...@cloudwatt.com>
Date:   Tue Apr 1 12:48:22 2014 +0000

    Sanitizes authentication methods received in requests.

    When a user authenticates against Identity V3 API, he can specify
    multiple authentication methods. This patch removes duplicates, which
    could have been used to achieve DoS attacks.

    Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d
    Closes-Bug: 1300274

** Changed in: keystone
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1300274

Title:
  V3 Authentication Chaining - uniqueness of auth method names

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  In V3.0 API, we can chain authentication methods. An attacker can place
  the same authentication method multiple times in the methods field. This
  will result in the same authentication method being checked over and over
  (for loop in code). Using this, an attacker can achieve some sort of
  Denial of Service. The methods field is not properly sanitized.

  {
    "auth": {
      "identity": {
        "methods": [
          "password",
          "password",
          "password",
          "password",
          "password"
        ],
        "password": {
          "user": {
            "domain": {
              "id": "default"
            },
            "name": "demo",
            "password": "stack"
          }
        }
      }
    }
  }
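The check the fix describes, as an added example (not keystone's own code): a sanitizer for the V3 `auth.identity` block that rejects malformed input and collapses repeated method names before any credential check runs, returning how many duplicates were dropped so the event can be logged. The request body is a constructed copy of the one in the bug report; the assumption that each method's credentials sit under `identity[name]` is stated in the code.

```python
import json


def sample_request():
    # Constructed copy of the request body from the bug report: "password"
    # is listed five times in auth.identity.methods.
    return json.loads('{"auth": {"identity": {"methods": ["password", '
                      '"password", "password", "password", "password"], '
                      '"password": {"user": {"domain": {"id": "default"}, '
                      '"name": "demo", "password": "stack"}}}}}')


class InvalidAuthRequest(ValueError):
    """Raised when the identity block is structurally unacceptable."""


def sanitize_auth_methods(auth):
    """Validate auth['identity']['methods']; return (unique_methods, dropped)."""
    # Assumes, as for "password" and "token", that credentials live under identity[name].
    identity = auth.get("identity")
    if not isinstance(identity, dict):
        raise InvalidAuthRequest("auth.identity must be an object")
    methods = identity.get("methods")
    if not isinstance(methods, list) or not methods:
        raise InvalidAuthRequest("auth.identity.methods must be a non-empty list")
    unique = []
    for name in methods:
        if not isinstance(name, str):
            raise InvalidAuthRequest("method names must be strings")
        if name not in identity:
            raise InvalidAuthRequest("no credentials supplied for %r" % name)
        if name not in unique:  # drop duplicates, keep first-seen order
            unique.append(name)
    identity["methods"] = unique  # downstream loop now sees each method once
    return unique, len(methods) - len(unique)


def is_acceptable(auth):
    """True if the request passes structural validation, else False."""
    try:
        sanitize_auth_methods(auth)
        return True
    except InvalidAuthRequest:
        return False


def authenticate(auth, checkers):
    """Invoke each distinct method's checker once; return (calls, dropped)."""
    methods, dropped = sanitize_auth_methods(auth)
    for name in methods:
        checkers[name](auth["identity"][name])
    return len(methods), dropped
```

A non-zero `dropped` count on a request is worth logging: legitimate clients have no reason to repeat a method name.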