Diffstat (limited to 'sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch')
-rw-r--r--sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
new file mode 100644
index 000000000000..e2a172b5dafb
--- /dev/null
+++ b/sys-auth/keystone/files/keystone-folsom-4-CVE-2013-2157.patch
@@ -0,0 +1,78 @@
+From 953fd4a2ac43ffcdf7edb4a35e0ca6a1c573092d Mon Sep 17 00:00:00 2001
+From: Jose Castro Leon <jose.castro.leon@cern.ch>
+Date: Thu, 6 Jun 2013 10:57:09 -0500
+Subject: [PATCH] Force simple Bind for authentication
+
+The authentication code was using a common code path with
+other LDAP code that got an LDAP connection. If the system
+was configured to do Anonymous binding, users could by pass
+the authentication check.
+
+This patch forces the authentication code to do a simple_bind.
+
+Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8
+---
+ keystone/identity/backends/ldap/core.py | 14 ++------------
+ tests/test_backend_ldap.py | 16 ++++++++++++++++
+ 2 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
+index 03d3ab6..e5bfcf6 100644
+--- a/keystone/identity/backends/ldap/core.py
++++ b/keystone/identity/backends/ldap/core.py
+@@ -58,18 +58,6 @@ class Identity(identity.Driver):
+ self.tenant = TenantApi(CONF)
+ self.role = RoleApi(CONF)
+
+- def get_connection(self, user=None, password=None):
+- if self.LDAP_URL.startswith('fake://'):
+- conn = fakeldap.FakeLdap(self.LDAP_URL)
+- else:
+- conn = common_ldap.LdapWrapper(self.LDAP_URL)
+- if user is None:
+- user = self.LDAP_USER
+- if password is None:
+- password = self.LDAP_PASSWORD
+- conn.simple_bind_s(user, password)
+- return conn
+-
+ # Identity interface
+ def authenticate(self, user_id=None, tenant_id=None, password=None):
+ """Authenticate based on a user, tenant and password.
+@@ -85,6 +73,8 @@ class Identity(identity.Driver):
+ except exception.UserNotFound:
+ raise AssertionError('Invalid user / password')
+
++ if not user_id or not password:
++ raise AssertionError('Invalid user / password')
+ try:
+ conn = self.user.get_connection(self.user._id_to_dn(user_id),
+ password)
+diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
+index 5f0137c..88e48c5 100644
+--- a/tests/test_backend_ldap.py
++++ b/tests/test_backend_ldap.py
+@@ -65,3 +65,19 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
+ user_api = identity_ldap.UserApi(CONF)
+ self.assertTrue(user_api)
+ self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
++
++ def test_authenticate_requires_simple_bind(self):
++ user = {
++ 'id': uuid.uuid4().hex,
++ 'name': uuid.uuid4().hex,
++ 'password': uuid.uuid4().hex,
++ 'enabled': True,
++ }
++ self.identity_api.create_user(user['id'], user)
++ self.identity_api.user.LDAP_USER = None
++ self.identity_api.user.LDAP_PASSWORD = None
++
++ self.assertRaises(AssertionError,
++ self.identity_api.authenticate,
++ user_id=user['id'],
++ password=None)
+--
+1.8.2.3
+
+
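Review bot: The new `if not user_id or not password` guard in `authenticate` (the second inner hunk, keystone/identity/backends/ldap/core.py) sits after the `except exception.UserNotFound` block, so a request with no password still performs a directory lookup for the user before being rejected; moving the guard to the top of `authenticate`, before the user lookup, would reject empty credentials without touching LDAP at all. That guard, not the removal of the `Identity.get_connection` override, is what actually prevents the bypass, since an empty password turns `simple_bind_s` into an unauthenticated bind that many directories accept, and that deserves a comment on the line: `# An empty password makes simple_bind_s an unauthenticated bind, so reject it before binding.` The body of `authenticate` continues outside the inner hunk, so I cannot see whether a later check already covers this. The added test only exercises `password=None`; an `assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], password='')` case would pin the empty-string path as well.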