[Openstack-security] [Bug 1381405] [NEW] user token is not checked for UUID type before sending request for token validation
Abu Shohel Ahmed
1381405 at bugs.launchpad.net
Wed Oct 15 08:41:22 UTC 2014
Public bug reported:
The user token is not checked for UUID type before the token validation
request is sent.
    def _validate_token(self, token, env, retry=True):
        ...
        if cms.is_pkiz(token):
            verified = self._verify_pkiz_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        elif cms.is_asn1_token(token):
            verified = self._verify_signed_token(token, token_ids)
            data = jsonutils.loads(verified)
            expires = _confirm_token_not_expired(data)
        else:
            # any value that is not PKI/PKIZ reaches the Identity API unchecked
            data = self._identity_server.verify_token(token,
                                                      retry)
The 'else' branch allows any value in token which is not in PKI format to be sent to the Identity API for
token validation. A sanitization check here for UUID type can reduce the load of token validation
on the Identity API.
** Affects: keystonemiddleware
Importance: Undecided
Status: New
** Tags: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381405
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1381405/+subscriptions
More information about the Openstack-security
mailing list
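The gate the report asks for, as an added example that is not keystonemiddleware code and not part of the bug report. It classifies a token locally using the same prefixes keystoneclient's cms module uses for PKI ("MII") and PKIZ ("PKIZ_") tokens, treats only a 32-lowercase-hex string (the shape of Keystone's uuid4().hex UUID tokens) as a candidate for remote validation, and counts how many requests reach a stand-in Identity server with and without the check. The CountingIdentityServer, the sample token list and the set of "issued" tokens are constructed for this example; PKI signature verification is outside the bug's scope and is represented here only by the branch that does not call the server.

```python
import re
from collections import Counter

# Prefixes keystoneclient.common.cms uses to recognise PKI-style tokens
# (cms.PKI_ASN1_PREFIX and cms.PKIZ_PREFIX in the real library).
PKI_ASN1_PREFIX = "MII"
PKIZ_PREFIX = "PKIZ_"

# Keystone's UUID token provider issues uuid.uuid4().hex: exactly 32 lowercase
# hex digits, no dashes. This regex is the sanitization check the report asks for.
_UUID_TOKEN_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def is_pkiz(token):
    return token.startswith(PKIZ_PREFIX)


def is_asn1_token(token):
    return token.startswith(PKI_ASN1_PREFIX)


def is_uuid_token(token):
    return isinstance(token, str) and _UUID_TOKEN_RE.match(token) is not None


def classify_token(token):
    """Return 'pkiz', 'pki', 'uuid' or 'invalid' without contacting Keystone."""
    if not isinstance(token, str) or not token:
        return "invalid"
    if is_pkiz(token):
        return "pkiz"
    if is_asn1_token(token):
        return "pki"
    if is_uuid_token(token):
        return "uuid"
    return "invalid"


class InvalidToken(Exception):
    pass


class CountingIdentityServer:
    """Constructed stand-in for _identity_server: records every remote validation."""

    def __init__(self, issued):
        self.issued = set(issued)
        self.calls = 0

    def verify_token(self, token, retry=True):
        self.calls += 1
        if token not in self.issued:
            raise InvalidToken(token)
        return {"access": {"token": {"id": token}}}


def validate_without_check(token, server):
    """Mirrors the reported 'else' branch: anything that is not PKI goes to Keystone."""
    if is_pkiz(token) or is_asn1_token(token):
        return "pki-verified-locally"
    return server.verify_token(token)


def validate_with_check(token, server):
    """Hardened: malformed tokens are rejected locally; only UUID-shaped ones hit Keystone."""
    kind = classify_token(token)
    if kind in ("pkiz", "pki"):
        return "pki-verified-locally"
    if kind == "uuid":
        return server.verify_token(token)
    raise InvalidToken("token is neither PKI nor UUID; not forwarded")


def remote_calls(validator, tokens, issued):
    """Run tokens through a validator; return (requests sent to Keystone, outcome counts)."""
    server = CountingIdentityServer(issued)
    outcomes = Counter()
    for t in tokens:
        try:
            validator(t, server)
            outcomes["accepted"] += 1
        except InvalidToken:
            outcomes["rejected"] += 1
    return server.calls, dict(outcomes)


# Constructed sample input: one genuinely issued UUID token plus the kind of
# junk an unauthenticated client can put in X-Auth-Token.
ISSUED = {"0f3b8c4a9e2d4b1a8c7e6d5f4a3b2c1d"}
SAMPLE_TOKENS = [
    "0f3b8c4a9e2d4b1a8c7e6d5f4a3b2c1d",      # issued UUID token
    "ffffffffffffffffffffffffffffffff",      # UUID-shaped but never issued
    "MIIBogYJKoZIhvcNAQcCoIIBkzCCAY8CAQEx",  # constructed PKI-looking value
    "PKIZ_eJyrVkrOz1MqSy0qzszPU7JSSsrPz1ay",  # constructed PKIZ-looking value
    "",                                      # empty header value
    "' OR 1=1 --",
    "../../../etc/passwd",
    "A" * 4096,                              # oversized garbage
    "0F3B8C4A9E2D4B1A8C7E6D5F4A3B2C1D",      # uppercase: not what Keystone issues
]

if __name__ == "__main__":
    print("without check:", remote_calls(validate_without_check, SAMPLE_TOKENS, ISSUED))
    print("with check:   ", remote_calls(validate_with_check, SAMPLE_TOKENS, ISSUED))
```

On the sample input both variants accept the same three tokens and reject the same six, but the unchecked path sends seven requests to the Identity server while the checked path sends two; the check changes load, not the accept/reject decision, since Keystone rejects unknown tokens either way. The caveat is that the regex ties the middleware to the UUID provider's format: a deployment whose Identity service issues some other non-PKI token format (Keystone's later Fernet tokens, for instance, are not 32 hex characters) would have every valid token rejected locally, so such a check belongs behind knowledge of the configured token provider, or should be a looser length and character-set bound rather than a strict UUID shape.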