[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c

Hi, I'd like you to take a look at this patch for potential

commit 70af7986265a3defea054c46efc82d0698917298
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date:   Tue Nov 21 09:38:09 2017 +0100

    Hash token before storing it in Swift
    Swauth uses token value as object name. Object names are logged in proxy
    and object servers. Anybody with access to proxy/object server logs can
    see token values. Attacker can use this token to access user's data in
    Swift store. Instead of token, hashed token (with HASH_PATH_PREFIX and
    HASH_PATH_SUFFIX) is used as object name now.
    WARNING: In deployments without memcached this patch logs out all users
    because tokens became invalid.
    Closes-Bug: #1655781
    Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c