[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c
Hi, I'd like you to take a look at this patch for potential
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date: Tue Nov 21 09:38:09 2017 +0100
Hash token before storing it in Swift
Swauth uses token value as object name. Object names are logged in proxy and
object servers. Anybody with access to proxy/object server logs can see token
values. Attacker can use this token to access user's data in Swift store.
Instead of token, hashed token (with HASH_PATH_PREFIX and HASH_PATH_SUFFIX) is
used as object name now.
WARNING: In deployments without memcached this patch logs out all users because
tokens became invalid.