[Openstack-security] [Bug 1240382] Re: python-oauth2 dependency is unmaintained and has security issues

Matthieu Huin mhu at enovance.com
Tue Dec 10 17:00:57 UTC 2013


Some notes Steve Martinelli sent me to help:

1. The following are spots where we currently use the old library:
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/core.py#L33 (to 40 - plug points for the library)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/core.py#L123 (splitting headers)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/controllers.py#L181 (to 192 - verifying request for request token call)
https://github.com/openstack/keystone/blob/master/keystone/contrib/oauth1/controllers.py#L251 (to 267 - verifying request for access token call)
https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/oauth1.py#L57 (to 72 - verifying request for authenticate call)
https://github.com/openstack/keystone/blob/master/keystone/tests/test_v3_oauth1.py (a bunch of places)

2a. The part that bugs me about oauthlib is the fact that you have to implement an interface (RequestValidator): https://oauthlib.readthedocs.org/en/latest/oauth1/server.html#implement-a-validator . At least this is my impression upon reading the docs.
2b. Actual RequestValidator class: https://github.com/idan/oauthlib/blob/master/oauthlib/oauth1/rfc5849/request_validator.py ; it raises a lot of not implemented exceptions.

3. I did find one instance of a coder who had to switch from using
python-oauth2 to oauthlib for a client application he was writing;
it'll be handy for migrating the tests:
https://github.com/gfairchild/yelpapi/commit/71b0a947d56445fe71750255827a07c56ce3f1e5

Indeed, the RequestValidator might be the tricky part.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1240382

Title:
  python-oauth2 dependency is unmaintained and has security issues

Status in OpenStack Identity (Keystone):
  Confirmed

Bug description:
  oauth2 is not maintained, has 2 CVE issues (CVE-2013-4346 and CVE-2013-4347) and is not Python 3 compatible.
  Can you remove this dependency (maybe switching to requests?)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1240382/+subscriptions
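To make the "tricky part" concrete: the methods oauthlib's RequestValidator leaves to the application are the lookups a server needs while checking an RFC 5849 signature (client secret, token secret, nonce/timestamp replay state). The stand-alone example below is an added illustration, not Keystone's code and not oauthlib's; it uses only the standard library and implements the same checks the Keystone controllers perform on a request-token call (split the Authorization header, rebuild the signature base string, verify HMAC-SHA1, reject replays). `InMemoryValidator`, the `keystone.example` URL and all credentials are constructed for the example.

```python
"""Verify an OAuth 1.0 (RFC 5849) HMAC-SHA1 signed request with the stdlib only.
Added example: InMemoryValidator mirrors the application-side lookups that
oauthlib's RequestValidator delegates to you; it is not a subclass of it."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit


def oauth_encode(value):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ are left bare."""
    return quote(str(value), safe="")


def parse_authorization_header(header):
    """Split 'OAuth k="v", k2="v2"' into a dict of percent-decoded values.
    'realm' is dropped because it is not part of the signature base string.
    (Simplification: quoted values are assumed not to contain commas.)"""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "realm":
            continue
        params[unquote(key)] = unquote(value.strip().strip('"'))
    return params


def signature_base_string(method, url, oauth_params, body=""):
    """RFC 5849 section 3.4.1: METHOD & base-URL & normalized parameters."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme, port) in (("http", 80), ("https", 443))):
        host = "%s:%d" % (host, port)
    base_url = urlunsplit((scheme, host, parts.path, "", ""))
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)  # form-encoded body params
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join("%s=%s" % kv for kv in encoded)
    return "&".join((method.upper(), oauth_encode(base_url), oauth_encode(normalized)))


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    key = ("%s&%s" % (oauth_encode(client_secret), oauth_encode(token_secret))).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class InMemoryValidator:
    """Constructed stand-in for the application side of the validator interface."""
    TIMESTAMP_WINDOW = 600  # seconds of clock skew tolerated

    def __init__(self, clients, now=time.time):
        self.clients = clients        # client_key -> consumer secret (constructed)
        self.token_secrets = {}       # oauth_token -> token secret
        self.seen_nonces = set()      # (client_key, timestamp, nonce) already accepted
        self.now = now

    def validate_client_key(self, client_key):
        return client_key in self.clients

    def get_client_secret(self, client_key):
        return self.clients[client_key]

    def get_token_secret(self, token):
        return self.token_secrets.get(token, "")

    def validate_timestamp_and_nonce(self, client_key, timestamp, nonce):
        if not timestamp.isdigit() or abs(self.now() - int(timestamp)) > self.TIMESTAMP_WINDOW:
            return False
        key = (client_key, int(timestamp), nonce)
        if key in self.seen_nonces:
            return False  # replay of an already accepted request
        self.seen_nonces.add(key)
        return True


def verify_request(validator, method, url, authorization, body=""):
    """True only for a well-formed, correctly signed, fresh, unseen request."""
    params = parse_authorization_header(authorization)
    required = ("oauth_consumer_key", "oauth_signature_method", "oauth_timestamp",
                "oauth_nonce", "oauth_signature")
    if any(name not in params for name in required):
        return False
    if params["oauth_signature_method"] != "HMAC-SHA1":
        return False  # PLAINTEXT / RSA-SHA1 intentionally not handled here
    client_key = params["oauth_consumer_key"]
    if not validator.validate_client_key(client_key):
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, params, body),
                                   validator.get_client_secret(client_key),
                                   validator.get_token_secret(params.get("oauth_token", "")))
    if not hmac.compare_digest(expected, params["oauth_signature"]):
        return False
    # Record the nonce only after the signature checked out, so unauthenticated
    # requests cannot fill the replay table.
    return validator.validate_timestamp_and_nonce(client_key, params["oauth_timestamp"],
                                                  params["oauth_nonce"])


def sign_request(method, url, client_key, client_secret, timestamp, nonce, body=""):
    """Client side: build the Authorization header for a request-token call (no token yet)."""
    params = {"oauth_consumer_key": client_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp), "oauth_nonce": nonce, "oauth_version": "1.0"}
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params, body), client_secret)
    return "OAuth " + ", ".join('%s="%s"' % (oauth_encode(k), oauth_encode(v))
                                for k, v in params.items())


if __name__ == "__main__":
    # Constructed credentials and endpoint, not real Keystone values.
    validator = InMemoryValidator({"9djdj82h48djs9d2": "consumer-secret"})
    url = "https://keystone.example/v3/OS-OAUTH1/request_token"
    auth = sign_request("POST", url, "9djdj82h48djs9d2", "consumer-secret",
                        int(time.time()), "7d8f3e4a")
    print(verify_request(validator, "POST", url, auth))   # first use: True
    print(verify_request(validator, "POST", url, auth))   # same nonce again: False
```

The base-string routine reproduces the RFC 5849 section 3.4.1.1 worked example (including the errata-corrected double encoding of `c@`), which is a useful regression check when porting the Keystone tests; `hmac.compare_digest` keeps the signature comparison constant-time, and the nonce is only recorded once the signature has verified.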



