Go to file

Grzegorz Grasza e15e33fe9b Fix privilege escalation via spoofed identity headers

The external_oauth2_token middleware did not sanitize incoming
authentication headers before processing OAuth 2.0 tokens. This
allowed an attacker to send forged identity headers (e.g.,
X-Is-Admin-Project, X-Roles, X-User-Id) that would not be cleared
by the middleware, potentially enabling privilege escalation.

This fix adds a call to remove_auth_headers() at the start of
request processing to sanitize all incoming identity headers,
matching the secure behavior of the main auth_token middleware.

Closes-Bug: #2129018
Change-Id: Idd4fe1d17a25b3064b31f454d9830242f345e018
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>

2026-01-15 18:31:49 +01:00

config-generator

generate sample config automatically

2016-05-12 06:38:40 +00:00

doc

Merge "Add cryptography package as an optional dependency"

2025-12-16 13:45:26 +00:00

keystonemiddleware

Fix privilege escalation via spoofed identity headers

2026-01-15 18:31:49 +01:00

releasenotes

Merge "s3token: Stop loading deprecated options"

2025-12-16 13:45:27 +00:00

.coveragerc

Update .coveragerc after the removal of respective directory

2016-10-24 18:03:12 +05:30

.gitignore

Updates for stestr

2017-10-02 21:57:27 -05:00

.gitreview

OpenDev Migration Patch

2019-04-19 19:35:58 +00:00

.stestr.conf

Updates for stestr

2017-10-02 21:57:27 -05:00

.zuul.yaml

Switch to 2023.1 Python3 unit tests and generic template name

2023-06-02 14:23:21 +00:00

CONTRIBUTING.rst

Use https for *.openstack.org references

2017-02-05 20:36:42 -08:00

HACKING.rst

Update URLs in documentation

2017-07-20 16:38:16 +08:00

LICENSE

Initial commit

2014-06-19 15:45:29 -07:00

pyproject.toml

add pyproject.toml to support pip 23.1

2025-06-11 20:59:55 +09:00

README.rst

Update invalid link for README

2019-09-18 14:47:21 +08:00

requirements.txt

Add TLS support to MemcacheClientPool

2025-06-24 08:37:03 +02:00

setup.cfg

Merge "Add cryptography package as an optional dependency"

2025-12-16 13:45:26 +00:00

setup.py

Updated from global requirements

2017-04-06 22:03:25 +00:00

test-requirements.txt

Drop flake8-docstrings

2025-10-02 16:56:59 +00:00

tox.ini

Remove unused bandit target

2025-10-03 01:02:47 +09:00

README.rst

Team and repository tags

Middleware for the OpenStack Identity API (Keystone)

This package contains middleware modules designed to provide authentication and authorization features to web services other than Keystone <https://github.com/openstack/keystone>. The most prominent module is keystonemiddleware.auth_token. This package does not expose any CLI or Python API features.

For information on contributing, see CONTRIBUTING.rst.

License: Apache License, Version 2.0
Documentation: https://docs.openstack.org/keystonemiddleware/latest/
Source: https://opendev.org/openstack/keystonemiddleware
Bugs: https://bugs.launchpad.net/keystonemiddleware
Release notes: https://docs.openstack.org/releasenotes/keystonemiddleware/

For any other information, refer to the parent project, Keystone:

https://github.com/openstack/keystone