Get rid of eval() in authentication code
This was not secure. Pass the auth data in JSON format rather than as a serialised Python object. Fixes #124 Change-Id: I8e1e9aef790b0af026da2a2d6194da19345be8b0 Signed-off-by: Zane Bitter <zbitter@redhat.com>
parent
d06c4ce416
commit
9d88e8d303
@ -19,6 +19,7 @@ Client classes for callers of a heat system
from lxml import etree
import os
import json
from heat.common import client as base_client
from heat.common import exception
from heat.cloudformations import *
@ -38,7 +39,7 @@ class V1Client(base_client.BaseClient):
params['Version'] = '2010-05-15'
params['SignatureVersion'] = '2'
params['SignatureMethod'] = 'HmacSHA256'
params['KeyStoneCreds'] = self.creds
params['KeyStoneCreds'] = json.dumps(self.creds)
def stack_request(self, action, method, **kwargs):
params = self._extract_params(kwargs, SUPPORTED_PARAMS)
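Review bot: `params['KeyStoneCreds'] = json.dumps(self.creds)` silently changes the wire format of this parameter from a Python repr to JSON, and nothing at the call site records that the other end must decode it the same way; a client and server deployed at different revisions will stop authenticating with no obvious cause. Add a one-line comment naming the consumer, e.g. `# Serialised as JSON; ContextMiddleware decodes this with json.loads`. The method this line belongs to starts outside the hunk, and the structure of `self.creds` is not visible here, so whether it is always a plain JSON-serialisable dict cannot be confirmed from this diff.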
@ -168,13 +168,8 @@ class ContextMiddleware(wsgi.Middleware):
aws_creds = headers.get('X-Auth-EC2-Creds')
aws_auth_uri = headers.get('X-Auth-EC2-Url')
else:
# XXX: The eval here is a bit scary, it's possible someone
# could put something malicious in here I would think.
# I Haven't tested to see if WSGI stuff would escape
# everything to make this safe. However, I haven't found
# a better way to do this either.
if 'KeyStoneCreds' in req.params:
creds = eval(req.params['KeyStoneCreds'])
creds = json.loads(req.params['KeyStoneCreds'])
username = creds['username']
password = creds['password']
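Review bot: `creds = json.loads(req.params['KeyStoneCreds'])` decodes a value taken directly from the request, so a malformed or non-object value now escapes the middleware as an unhandled ValueError, and the `creds['username']` / `creds['password']` lookups that follow raise KeyError or TypeError for JSON that is valid but not a dict with those keys; any of these surfaces as a server error rather than an authentication failure. Replacing eval() removes the code-execution risk, but the input still needs shape validation before it is trusted. Wrap the decode and the two lookups in one try block and map those exceptions onto whatever rejection path the middleware already uses for missing credentials (that exception class is defined outside this hunk and is not visible here). The enclosing method of ContextMiddleware starts and ends outside the hunk.
```python
if 'KeyStoneCreds' in req.params:
    try:
        creds = json.loads(req.params['KeyStoneCreds'])
        username = creds['username']
        password = creds['password']
    except (ValueError, KeyError, TypeError):
        # Malformed client input is an auth failure, not a server error.
        raise AUTH_FAILURE_EXCEPTION  # placeholder: the middleware's existing rejection exception
# … unchanged: remainder of the method …
```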