Horizon login page contains DOS attack mechanism
the horizon login page (really the middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backends are used. Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 Closes-Bug: 1394370
This commit is contained in:
parent
2369822d34
commit
61d09f6f96
@ -49,6 +49,17 @@ class HorizonMiddleware(object):
def process_request(self, request):
"""Adds data necessary for Horizon to function to the request."""
request.horizon = {'dashboard': None,
'panel': None,
'async_messages': []}
if not hasattr(request, "user") or not request.user.is_authenticated():
# proceed no further if the current request is already known
# not to be authenticated
# it is CRITICAL to perform this check as early as possible
# to avoid creating too many sessions
return None
# Activate timezone handling
tz = request.session.get('django_timezone')
if tz:
@ -62,14 +73,6 @@ class HorizonMiddleware(object):
last_activity = request.session.get('last_activity', None)
timestamp = int(time.time())
request.horizon = {'dashboard': None,
'panel': None,
'async_messages': []}
if not hasattr(request, "user") or not request.user.is_authenticated():
# proceed no further if the current request is already known
# not to be authenticated
return None
# If we use cookie-based sessions, check that the cookie size does not
# reach the max size accepted by common web browsers.
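Review bot: The docstring of `process_request` (`"""Adds data necessary for Horizon to function to the request."""`) no longer describes the method, which in the first hunk now returns None for unauthenticated requests before the timezone and last-activity session reads; extend it with a line such as `Returns early for unauthenticated requests so the session is not read or created (bug 1394370).` The four-line comment above `return None` could say the why in one place, e.g. `# Bail out before touching the session: a session record per anonymous hit is the DoS in bug 1394370.` The guard still evaluates `request.user.is_authenticated()`, which the authentication middleware presumably resolves by reading the session, so the fix relies on a read never creating a backend record — worth confirming for the non-cookie backends the description mentions. The second hunk only removes the lines that were moved up, so it raises nothing on its own. The body of `process_request` continues past both hunks.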
@ -33,6 +33,4 @@ def splash(request):
if request.user.is_authenticated():
return shortcuts.redirect(horizon.get_user_home(request.user))
form = forms.Login(request)
request.session.clear()
request.session.set_test_cookie()
return shortcuts.render(request, 'splash.html', {'form': form})