Horizon login page contains DOS attack mechanism
the horizon login page (really the middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backends are used. Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 Closes-Bug: 1394370
This commit is contained in:
eric
parent
f128c896e7
commit
43ba4fe19a
|
|
@ -90,16 +90,18 @@ class HorizonMiddleware(object):
|
|||
request.horizon = {'dashboard': None,
|
||||
'panel': None,
|
||||
'async_messages': []}
|
||||
if not hasattr(request, "user") or not request.user.is_authenticated():
|
||||
# proceed no further if the current request is already known
|
||||
# not to be authenticated
|
||||
# it is CRITICAL to perform this check as early as possible
|
||||
# to avoid creating too many sessions
|
||||
return None
|
||||
|
||||
# Check for session timeout if user is (or was) authenticated.
|
||||
has_timed_out, timestamp = self._check_has_timed_timeout(request)
|
||||
if has_timed_out:
|
||||
return self._logout(request, request.path, _("Session timed out."))
|
||||
|
||||
if not hasattr(request, "user") or not request.user.is_authenticated():
|
||||
# proceed no further if the current request is already known
|
||||
# not to be authenticated
|
||||
return None
|
||||
if request.is_ajax():
|
||||
# if the request is Ajax we do not want to proceed, as clients can
|
||||
# 1) create pages with constant polling, which can create race
|
||||
|
|
|
|||
|
|
@ -41,8 +41,7 @@ def splash(request):
|
|||
response = shortcuts.redirect(horizon.get_user_home(request.user))
|
||||
else:
|
||||
form = forms.Login(request)
|
||||
request.session.clear()
|
||||
request.session.set_test_cookie()
|
||||
response = shortcuts.render(request, 'splash.html', {'form': form})
|
||||
response.delete_cookie('logout_reason')
|
||||
if 'logout_reason' in request.COOKIES:
|
||||
response.delete_cookie('logout_reason')
|
||||
return response
|
||||
|
|
|
|||
Loading…
Reference in New Issue