[Openstack-security] [Bug 1381405] Re: user token is not checked for UUID type before sending request for token validation

Dolph Mathews 1381405 at bugs.launchpad.net
Wed Oct 15 16:22:05 UTC 2014


What is the misbehavior?

** Changed in: keystonemiddleware
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1381405

Title:
  user token is not checked for UUID type before sending request for
  token validation

Status in OpenStack Identity  (Keystone) Middleware:
  Incomplete

Bug description:
  The user token is not checked for UUID type before the token
  validation request is sent.

  def _validate_token(self, token, env, retry=True):
      ...
      if cms.is_pkiz(token):
          verified = self._verify_pkiz_token(token, token_ids)
          data = jsonutils.loads(verified)
          expires = _confirm_token_not_expired(data)
      elif cms.is_asn1_token(token):
          verified = self._verify_signed_token(token, token_ids)
          data = jsonutils.loads(verified)
          expires = _confirm_token_not_expired(data)
      else:
          data = self._identity_server.verify_token(token,
                                                    retry)

  The 'else' allows any value in token which is not in PKI format to be sent to the Identity API for token
  validation. A sanitization check here for UUID type can reduce the load for token validation
  towards the Identity API.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1381405/+subscriptions
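The pre-check the report asks for, as an added example written for this page and not keystonemiddleware's own code. It re-states the prefix tests that keystoneclient's cms.is_pkiz and cms.is_asn1_token perform ("PKIZ_" and "MII"), treats a token as UUID-shaped when it is 32 hex characters (what Keystone's UUID provider issues as uuid.uuid4().hex) or the dashed canonical form (an assumption about client normalisation), and uses a constructed FakeIdentityServer in place of _identity_server so that it can count which tokens ever reach the backend:

```python
"""Filter non-PKI tokens by UUID shape before asking Keystone to validate.

Added example, not keystonemiddleware code. The identity server and its
token store are constructed stand-ins for the demo.
"""
import re
import uuid


class InvalidToken(Exception):
    """Raised when a token is rejected, locally or by the identity server."""


# keystoneclient's cms helpers recognise PKIZ tokens by the "PKIZ_" prefix
# and PKI (CMS/ASN.1, base64 DER) tokens by the "MII" prefix. Re-stated here
# so the example runs stand-alone.
def is_pkiz(token):
    return token.startswith("PKIZ_")


def is_asn1_token(token):
    return token.startswith("MII")


# Keystone's UUID provider issues uuid.uuid4().hex: 32 hex characters, no
# dashes. The dashed canonical form is accepted as well (assumption: a client
# may have normalised it). Anything else is not a UUID token.
_UUID_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
_UUID_CANONICAL = re.compile(
    r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_uuid_token(token):
    return bool(_UUID_HEX.match(token) or _UUID_CANONICAL.match(token))


def classify_token(token):
    """Return 'pkiz', 'pki', 'uuid' or 'unknown' for a token string."""
    if not isinstance(token, str) or not token:
        return "unknown"
    if is_pkiz(token):
        return "pkiz"
    if is_asn1_token(token):
        return "pki"
    if is_uuid_token(token):
        return "uuid"
    return "unknown"


class FakeIdentityServer:
    """Constructed stand-in for the middleware's _identity_server: holds a
    fixed set of valid tokens and counts every validation request it gets,
    so the demo can show which tokens never reach it."""

    def __init__(self, valid_tokens):
        self._valid = dict(valid_tokens)
        self.calls = 0

    def verify_token(self, token, retry=True):
        self.calls += 1
        if token not in self._valid:
            raise InvalidToken("identity server rejected token")
        return self._valid[token]


def validate_token(token, identity_server):
    """The 'else' branch from the report, with the UUID check in front of it.

    Signed tokens (PKIZ / PKI) would be verified locally against the cached
    signing certificate; that path is out of scope here and raises.
    """
    kind = classify_token(token)
    if kind in ("pkiz", "pki"):
        raise NotImplementedError("local signature verification not shown")
    if kind != "uuid":
        # The added sanitization check: garbage never becomes a request to
        # Keystone. This is a cheap pre-filter, not an authentication
        # decision; a well-formed UUID still has to be validated by Keystone.
        raise InvalidToken("token is not in UUID form")
    return identity_server.verify_token(token)


def validate_many(tokens, identity_server):
    """Validate each token; return (accepted, rejected_locally, rejected_by_server)."""
    accepted = rejected_locally = rejected_by_server = 0
    for tok in tokens:
        before = identity_server.calls
        try:
            validate_token(tok, identity_server)
            accepted += 1
        except InvalidToken:
            if identity_server.calls == before:
                rejected_locally += 1
            else:
                rejected_by_server += 1
    return accepted, rejected_locally, rejected_by_server


if __name__ == "__main__":
    good = uuid.uuid4().hex
    server = FakeIdentityServer({good: {"token": {"id": good}}})
    # Constructed sample: one valid token, one unknown but well-formed UUID,
    # and three values that should never turn into a Keystone request.
    sample = [good, uuid.uuid4().hex, "", "../../../v3/users", "A" * 4096]
    print(validate_many(sample, server), "backend calls:", server.calls)
```

Two caveats apply when putting such a check into the middleware. The shape test has to follow the token provider the deployment actually uses: a Keystone that issues a non-UUID, non-PKI format (Fernet tokens, added in the Kilo release) would have every token rejected by a strict UUID filter, so the check belongs behind configuration rather than hard-coded. And the filter only removes load; an attacker can trivially send 32 hex characters, so the Identity API's answer remains the only authentication decision.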
