[Openstack-security] [openstack/nova] SecurityImpact review request change I399b812f6d452226fd306c423de8dcea8520d2aa
gerrit2 at review.openstack.org
Tue Feb 10 10:41:39 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/138811
Log:
commit a657582c5cd8a39580c44ad401fd3e69870068b1
Author: abhishekkekane <abhishek.kekane at nttdata.com>
Date: Tue Oct 21 01:37:42 2014 -0700
Eventlet green threads not released back to pool

Presently, the wsgi server allows persistent connections hence even after
the response is sent to the client, it doesn't close the client socket
connection.
Because of this problem, the green thread is not released back to the pool.

In order to close the client socket connection explicitly after the
response is sent and read successfully by the client, you simply have to
set keepalive to False when you create a wsgi server.

Add a parameter to take advantage of the new(ish) eventlet socket timeout
behaviour. Allows closing idle client connections after a period of
time, e.g.:

  $ time nc localhost 8776
  real 1m0.063s

Setting 'client_socket_timeout = 0' means do not timeout.

DocImpact:
Added wsgi_keep_alive option (default=True).
Added client_socket_timeout option (default=0).

Conflicts:
  nova/tests/unit/test_wsgi.py

Note: The required unit-tests are manually added to the below path,
as new path for unit-tests is not present in stable/icehouse release.
  nova/tests/compute/test_host_api.py

This patch is not a 1:1 cherry-pick, I have changed the default value
of client_socket_timeout to 0, as per the policy for changes to
stable branches.
(https://wiki.openstack.org/wiki/StableBranch#Appropriate_Fixes)

SecurityImpact
Closes-Bug: #1361360
Change-Id: I399b812f6d452226fd306c423de8dcea8520d2aa
(cherry picked from commit 04d7a724fdf80db51e73f12c5b8c982db9310742)
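
The client_socket_timeout semantics described in the commit message above, as an added example that is not part of the patch or of nova: it uses standard-library sockets and a thread semaphore as a stand-in for eventlet's wsgi server and green thread pool. The names serve and idle_client_outcome, the pool size of 1 and the sub-second timeouts are assumptions made for the demonstration.

```python
import socket
import threading

def serve(pool_size, client_socket_timeout):
    """Toy server: every open connection holds one pool slot until it closes."""
    pool = threading.BoundedSemaphore(pool_size)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))       # ephemeral port, loopback only
    listener.listen(8)

    def handle(conn):
        # 0 means "do not time out"; settimeout(None) blocks forever.
        conn.settimeout(client_socket_timeout or None)
        try:
            while conn.recv(4096):        # a real server would parse requests
                pass
        except socket.timeout:
            pass                          # idle too long: drop the client
        finally:
            conn.close()
            pool.release()                # slot goes back to the pool

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return                    # listener was closed
            pool.acquire()                # blocks while every slot is busy
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, pool

def idle_client_outcome(client_socket_timeout, wait=1.0):
    """Connect and send nothing (like `nc`); return (closed_by_server, slot_free)."""
    listener, pool = serve(1, client_socket_timeout)
    client = socket.create_connection(listener.getsockname())
    client.settimeout(wait)
    try:
        closed_by_server = client.recv(1) == b""
    except socket.timeout:
        closed_by_server = False          # server is still holding the socket
    slot_free = pool.acquire(timeout=0.2) # True only if the handler released it
    client.close()
    listener.close()
    return closed_by_server, slot_free

if __name__ == "__main__":
    print(idle_client_outcome(0.2), idle_client_outcome(0, wait=0.5))
```

With a non-zero timeout the idle client is disconnected and the slot returns to the pool; with 0 the single slot stays occupied for as long as the client keeps the socket open.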