** Changed in: horizon
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1454074

Title:
  denial of service via large number of logout page requests

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  While investigating CVE-2014-8124
  (https://bugs.launchpad.net/horizon/+bug/1394370) I think I found
  another instance of the underlying issue, but with the logout form.

  I'm on Ubuntu 14.04 LTS, with distro-packaged openstack-dashboard
  1:2014.1.4-0ubuntu2. I verified the patch from
  https://review.openstack.org/140356 is applied to the installed files.

  I configured horizon to use mysql datastore, and ran the following
  command:

  while true ; do wget http://localhost/horizon/auth/logout/ ; done

  While this command was running I checked the mysql dash database table
  django_sessions and found it growing without apparent bound:

  select * from django_session;
  ...
  231 rows in set (0.00 sec)

  Is this an issue?

  Thanks
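
Added example, not part of the bug report or of Horizon's code: a monitoring check an operator could run against the session table described above to spot this kind of growth. It assumes Django's default SESSION_COOKIE_AGE is in effect; the sample rows, the alert threshold and the in-memory sqlite table standing in for the MySQL one are all constructed for illustration.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta

# Assumption: Django's default SESSION_COOKIE_AGE (two weeks) is in effect.
SESSION_COOKIE_AGE = 1209600
FMT = "%Y-%m-%d %H:%M:%S"

def saves_per_minute(conn, cookie_age=SESSION_COOKIE_AGE):
    """Count django_session rows by the minute each was last saved.

    The table has no creation column, so the save time is inferred as
    expire_date minus the session lifetime.
    """
    buckets = Counter()
    for (expire,) in conn.execute("SELECT expire_date FROM django_session"):
        saved = datetime.strptime(expire, FMT) - timedelta(seconds=cookie_age)
        buckets[saved.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)

def flooded_minutes(rate, threshold):
    """Minutes whose row count exceeds a (hypothetical) alert threshold."""
    return sorted(minute for minute, n in rate.items() if n > threshold)

def build_sample():
    """Constructed data: 3 ordinary sessions, then 231 rows within one minute."""
    # sqlite stands in for the MySQL table; the three columns match Django's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE django_session (session_key TEXT PRIMARY KEY,"
                 " session_data TEXT, expire_date TEXT)")
    base = datetime(2015, 1, 1, 10, 0, 0)  # constructed timestamp
    saved = [base + timedelta(minutes=i) for i in range(3)]
    saved += [base + timedelta(minutes=5, seconds=i % 60) for i in range(231)]
    rows = [("constructed%04d" % i, "",
             (t + timedelta(seconds=SESSION_COOKIE_AGE)).strftime(FMT))
            for i, t in enumerate(saved)]
    conn.executemany("INSERT INTO django_session VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    rate = saves_per_minute(build_sample())
    print(flooded_minutes(rate, threshold=50))
```

A minute with far more saved rows than the site has real logins is the signal to look at the web server log for repeated requests to the same URL.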