Horizon login page contains DOS attack mechanism

The Horizon login page (really the middleware) accesses the session
too early in the login process, which creates a session record
in the session backend for every unauthenticated request. This is especially
problematic when non-cookie backends are used.

Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
Closes-Bug: 1394370
eric 2014-11-20 08:49:09 -07:00 committed by Tristan Cacqueray
parent 0e868fae12
commit e8a66a4d92
2 changed files with 8 additions and 7 deletions


@ -90,16 +90,18 @@ class HorizonMiddleware(object):
request.horizon = {'dashboard': None,
'panel': None,
'async_messages': []}
if not hasattr(request, "user") or not request.user.is_authenticated():
# proceed no further if the current request is already known
# not to be authenticated
# it is CRITICAL to perform this check as early as possible
# to avoid creating too many sessions
return None
# Check for session timeout if user is (or was) authenticated.
has_timed_out, timestamp = self._check_has_timed_timeout(request)
if has_timed_out:
return self._logout(request, request.path, _("Session timed out."))
if not hasattr(request, "user") or not request.user.is_authenticated():
# proceed no further if the current request is already known
# not to be authenticated
return None
if request.is_ajax():
# if the request is Ajax we do not want to proceed, as clients can
# 1) create pages with constant polling, which can create race
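Review bot: The comment `# Check for session timeout if user is (or was) authenticated.` is now stale: the guard moved above it returns before `_check_has_timed_timeout` whenever `request.user.is_authenticated()` is false, so the timeout check only ever runs for currently authenticated users. A side effect worth stating in the commit or a comment is that a request whose credentials have already lapsed but whose session still carries timeout state no longer receives the `_("Session timed out.")` logout reason; if that message matters for expired users it needs another path. Suggest rewording the comment to `# Check for session timeout. Only reached for authenticated users, so the bookkeeping below cannot create session records for anonymous requests (bug 1394370).` and citing the bug number in the CRITICAL comment as well, since the ordering constraint is otherwise easy to undo. Note that `request.user` is typically a lazy object that reads the session when first evaluated, so the guard still performs a session read; a read alone should not persist a record, but that depends on the backend and is worth confirming. The enclosing method begins outside this hunk.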


@ -41,8 +41,7 @@ def splash(request):
response = shortcuts.redirect(horizon.get_user_home(request.user))
else:
form = forms.Login(request)
request.session.clear()
request.session.set_test_cookie()
response = shortcuts.render(request, 'splash.html', {'form': form})
response.delete_cookie('logout_reason')
if 'logout_reason' in request.COOKIES:
response.delete_cookie('logout_reason')
return response
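Review bot: Dropping `request.session.clear()` removes the one place where a pre-existing anonymous session was wiped before the login form was rendered, so protection against session fixation on this page now rests entirely on the login handler cycling or flushing the session key on success (Django's `auth.login()` does this if that is what Horizon's login view ultimately calls; worth confirming rather than assuming). Nothing in the hunk now records why the session is deliberately left untouched, so a later edit could reintroduce the write; suggest a comment where the two lines were removed: `# Deliberately do not touch request.session here: any access would materialise a backend session record for every anonymous visitor (bug 1394370).` If `forms.Login` or any of its cleaning code still relied on `test_cookie_worked()`, removing `set_test_cookie()` would make that check fail permanently, so that dependency should be ruled out. The `if 'logout_reason' in request.COOKIES` guard is a good change in itself, as it stops a Set-Cookie header being emitted on every splash render. `splash` begins outside this hunk.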