Horizon login page contains DOS attack mechanism

the horizon login page (really the middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backends are used. Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 Closes-Bug: 1394370
2014-12-01 18:16:15 -08:00 · 2014-12-01 18:16:15 -08:00 · 61d09f6f96
parent 2369822d34
commit 61d09f6f96
2 changed files with 11 additions and 10 deletions
--- a/horizon/middleware.py
+++ b/horizon/middleware.py
@ -49,6 +49,17 @@ class HorizonMiddleware(object):

    def process_request(self, request):
        """Adds data necessary for Horizon to function to the request."""
+
+        request.horizon = {'dashboard': None,
+                           'panel': None,
+                           'async_messages': []}
+        if not hasattr(request, "user") or not request.user.is_authenticated():
+            # proceed no further if the current request is already known
+            # not to be authenticated
+            # it is CRITICAL to perform this check as early as possible
+            # to avoid creating too many sessions
+            return None
+
        # Activate timezone handling
        tz = request.session.get('django_timezone')
        if tz:
@ -62,14 +73,6 @@ class HorizonMiddleware(object):

        last_activity = request.session.get('last_activity', None)
        timestamp = int(time.time())
-        request.horizon = {'dashboard': None,
-                           'panel': None,
-                           'async_messages': []}
-
-        if not hasattr(request, "user") or not request.user.is_authenticated():
-            # proceed no further if the current request is already known
-            # not to be authenticated
-            return None

        # If we use cookie-based sessions, check that the cookie size does not
        # reach the max size accepted by common web browsers.
--- a/openstack_dashboard/views.py
+++ b/openstack_dashboard/views.py
@ -33,6 +33,4 @@ def splash(request):
    if request.user.is_authenticated():
        return shortcuts.redirect(horizon.get_user_home(request.user))
    form = forms.Login(request)
-    request.session.clear()
-    request.session.set_test_cookie()
    return shortcuts.render(request, 'splash.html', {'form': form})