[Openstack-security] [Bug 1175905] Re: passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE

OpenStack Infra 1175905 at bugs.launchpad.net
Fri Aug 28 13:05:33 UTC 2015


Reviewed:  https://review.openstack.org/217449
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a7235fc0511c643a8441efd3d21fc334535066e2
Submitter: Jenkins
Branch:    master

commit a7235fc0511c643a8441efd3d21fc334535066e2
Author: Eric Brown <browne at vmware.com>
Date:   Wed Aug 26 17:38:04 2015 -0700

    Set max on max_password_length to passlib max
    
    With this patch if someone overrides the PASSLIB_MAX_PASSWORD_SIZE
    environment variable, keystone will fail to start with a config
    error instead of a passlib.exc.PasswordSizeError when creating
    a user.
    
    Change-Id: Ic59a7964d8044ba3ab7cb6539fecca1d190dbbcc
    Closes-Bug: #1175905


** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1175905

Title:
  passlib failure to sanitize env variables PASSLIB_MAX_PASSWORD_SIZE

Status in Keystone:
  Fix Committed

Bug description:
  Grant Murphy originally reported:

  * Usage of passlib

    The keystone server does not appear to sanitize the environment when
    starting. This means that an unintended value can be set for
    PASSLIB_MAX_PASSWORD_SIZE, which will overwrite the default value of
    4096 and potentially cause an unhandled passlib.exc.PasswordSizeError.
    We should ensure sensible defaults are applied here prior to loading passlib.

  If this is exploitable it will need a CVE; if not, we should still
  harden it so it can't be monkeyed with in the future.

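The following script is an added illustration, not keystone's or passlib's own code, of the failure mode in the bug report above and of the startup check the committed fix describes. It assumes (as the report states) that passlib derives its limit from the PASSLIB_MAX_PASSWORD_SIZE environment variable with a default of 4096; the `PasswordSizeError` and `ConfigError` classes are local stand-ins for passlib.exc.PasswordSizeError and keystone's config-load failure, so it runs without either package installed. The environments at the bottom are constructed for the demonstration.

```python
"""Illustration of bug 1175905: an unsanitized PASSLIB_MAX_PASSWORD_SIZE
lowers passlib's limit, and the difference between failing late (at user
creation) and failing early (at config load, as the fix does).

Not keystone or passlib code; see the assumptions in the lead-in.
"""
import os

PASSLIB_DEFAULT_MAX = 4096  # default cited in the bug report


class PasswordSizeError(ValueError):
    """Stand-in for passlib.exc.PasswordSizeError (raised per hash call)."""


class ConfigError(ValueError):
    """Stand-in for the config error keystone raises at startup."""


def passlib_max_password_size(environ=None):
    """Derive the limit the way the report describes: the environment
    variable if set, otherwise 4096 (assumed behaviour, modelled here).

    Because the environment is not sanitized, whatever value is present
    at process start wins over the default; that is the root of the bug.
    """
    env = os.environ if environ is None else environ
    raw = env.get("PASSLIB_MAX_PASSWORD_SIZE")
    return int(raw) if raw else PASSLIB_DEFAULT_MAX


def user_creation_outcome(secret, environ=None):
    """Before the fix: the size check only fires when a user is created.

    Returns 'created' or 'PasswordSizeError' so the outcome can be
    compared directly with the startup check below.
    """
    limit = passlib_max_password_size(environ)
    try:
        if len(secret) > limit:
            raise PasswordSizeError("password exceeds %d bytes" % limit)
    except PasswordSizeError:
        return "PasswordSizeError"
    return "created"  # a real deployment would hash the secret here


def validate_max_password_length(configured, environ=None):
    """After the fix: refuse to start if the configured max_password_length
    exceeds what passlib will accept in this process environment."""
    limit = passlib_max_password_size(environ)
    if configured > limit:
        raise ConfigError(
            "max_password_length=%d exceeds passlib limit %d "
            "(PASSLIB_MAX_PASSWORD_SIZE)" % (configured, limit))
    return configured


def startup_outcome(configured, environ=None):
    """Return 'started' or 'config error' for a given environment."""
    try:
        validate_max_password_length(configured, environ)
    except ConfigError:
        return "config error"
    return "started"


if __name__ == "__main__":
    # Constructed environments: a clean one and one with the variable lowered.
    clean = {}
    lowered = {"PASSLIB_MAX_PASSWORD_SIZE": "16"}
    secret = "x" * 20
    # Without the fix the clean environment works, and the lowered one
    # only fails once a user with a 20-character password is created.
    print(user_creation_outcome(secret, clean), user_creation_outcome(secret, lowered))
    # With the fix the mismatch is caught at config load instead.
    print(startup_outcome(4096, clean), startup_outcome(4096, lowered))
```

The point of the early check is operational: a mismatch between keystone's configured limit and the limit passlib actually loaded is surfaced once, at startup, where an operator sees it, rather than as an unhandled exception on an API request.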