Get rid of eval() in authentication code

This was not secure. Pass the auth data in JSON format rather than as a serialised Python object. Fixes #124 Change-Id: I8e1e9aef790b0af026da2a2d6194da19345be8b0 Signed-off-by: Zane Bitter <zbitter@redhat.com>
2012-07-16 16:59:41 -04:00 · 2012-07-16 16:59:41 -04:00 · 9d88e8d303
parent d06c4ce416
commit 9d88e8d303
2 changed files with 3 additions and 7 deletions
--- a/heat/client.py
+++ b/heat/client.py
@ -19,6 +19,7 @@ Client classes for callers of a heat system

 from lxml import etree
 import os
+import json
 from heat.common import client as base_client
 from heat.common import exception
 from heat.cloudformations import *
@ -38,7 +39,7 @@ class V1Client(base_client.BaseClient):
        params['Version'] = '2010-05-15'
        params['SignatureVersion'] = '2'
        params['SignatureMethod'] = 'HmacSHA256'
-        params['KeyStoneCreds'] = self.creds
+        params['KeyStoneCreds'] = json.dumps(self.creds)

    def stack_request(self, action, method, **kwargs):
        params = self._extract_params(kwargs, SUPPORTED_PARAMS)
--- a/heat/common/context.py
+++ b/heat/common/context.py
@ -168,13 +168,8 @@ class ContextMiddleware(wsgi.Middleware):
                aws_creds = headers.get('X-Auth-EC2-Creds')
                aws_auth_uri = headers.get('X-Auth-EC2-Url')
            else:
-                # XXX: The eval here is a bit scary, it's possible someone
-                # could put something malicious in here I would think.
-                # I Haven't tested to see if WSGI stuff would escape
-                # everything to make this safe.  However, I haven't found
-                # a better way to do this either.
                if 'KeyStoneCreds' in req.params:
-                    creds = eval(req.params['KeyStoneCreds'])
+                    creds = json.loads(req.params['KeyStoneCreds'])
                    username = creds['username']
                    password = creds['password']