Horizon login page contains DOS attack mechanism
the horizon login page (really the middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backends are used. Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 Closes-Bug: 1394370
This commit is contained in:
parent
0e868fae12
commit
e8a66a4d92
|
@ -90,16 +90,18 @@ class HorizonMiddleware(object):
|
|||
request.horizon = {'dashboard': None,
|
||||
'panel': None,
|
||||
'async_messages': []}
|
||||
if not hasattr(request, "user") or not request.user.is_authenticated():
|
||||
# proceed no further if the current request is already known
|
||||
# not to be authenticated
|
||||
# it is CRITICAL to perform this check as early as possible
|
||||
# to avoid creating too many sessions
|
||||
return None
|
||||
|
||||
# Check for session timeout if user is (or was) authenticated.
|
||||
has_timed_out, timestamp = self._check_has_timed_timeout(request)
|
||||
if has_timed_out:
|
||||
return self._logout(request, request.path, _("Session timed out."))
|
||||
|
||||
if not hasattr(request, "user") or not request.user.is_authenticated():
|
||||
# proceed no further if the current request is already known
|
||||
# not to be authenticated
|
||||
return None
|
||||
if request.is_ajax():
|
||||
# if the request is Ajax we do not want to proceed, as clients can
|
||||
# 1) create pages with constant polling, which can create race
|
||||
|
|
|
@ -41,8 +41,7 @@ def splash(request):
|
|||
response = shortcuts.redirect(horizon.get_user_home(request.user))
|
||||
else:
|
||||
form = forms.Login(request)
|
||||
request.session.clear()
|
||||
request.session.set_test_cookie()
|
||||
response = shortcuts.render(request, 'splash.html', {'form': form})
|
||||
if 'logout_reason' in request.COOKIES:
|
||||
response.delete_cookie('logout_reason')
|
||||
return response
|
||||
|
|
Loading…
Reference in New Issue