OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/521808

Log:
commit f38fc679eef7a46c53bcf907975dd1e4511b94eb
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date:   Tue Nov 21 09:38:09 2017 +0100

    Hash token before storing it in Swift
    
    Swauth uses token value as object name. Object names are logged in proxy and
    object servers. Anybody with access to proxy/object server logs can see token
    values. Attacker can use this token to access user's data in Swift store.
    Instead of token, hashed token (with HASH_PATH_PREFIX and HASH_PATH_SUFFIX) is
    used as object name now.
    
    WARNING: In deployments without memcached this patch logs out all users because
    tokens became invalid.
    
    CVE-2017-16613
    
    SecurityImpact
    Closes-Bug: #1655781
    
    Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c