[Openstack-security] [openstack/swauth] SecurityImpact review request change openstack%2Fswauth~master~I0d01e8e95400c82ef25f98e2d269532e83233c2c
Hi, I'd like you to take a look at this patch for potential
Author: Pavel Kvasnicka <pavel.kvasnicka at firma.seznam.cz>
Date: Tue Nov 21 09:38:09 2017 +0100
Hash token before storing it in Swift
Swauth uses token value as object name. Object names are logged in proxy
and object servers. Anybody with access to proxy/object server logs can
see token values. Attacker can use this token to access user's data in
Swift store. Instead of token, hashed token (with HASH_PATH_PREFIX and
HASH_PATH_SUFFIX) is used as object name now.
WARNING: In deployments without memcached this patch logs out all users
because tokens became invalid.