Merge lp:~corey.bryant/horizon/2014.2.2 into lp:~ubuntu-server-dev/horizon/juno

Proposed by Corey Bryant
Status: Merged
Merge reported by: Chuck Short
Merged at revision: not available
Proposed branch: lp:~corey.bryant/horizon/2014.2.2
Merge into: lp:~ubuntu-server-dev/horizon/juno
Diff against target: 107 lines (+24/-63)
3 files modified
debian/changelog (+24/-0)
debian/patches/prevent_login_page_DOS.patch (+0/-62)
debian/patches/series (+0/-1)
To merge this branch: bzr merge lp:~corey.bryant/horizon/2014.2.2
Reviewer: Ubuntu Server Developers (review type: not specified; date requested: not specified; status: Pending)
Review via email: mp+248824@code.launchpad.net

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2014-12-09 20:01:52 +0000
3+++ debian/changelog 2015-02-05 20:50:36 +0000
4@@ -1,3 +1,27 @@
5+horizon (1:2014.2.2-0ubuntu1) UNRELEASED; urgency=medium
6+
7+ * Resynchronize with stable/juno (697888b) (LP: #1418695):
8+ - [889f9d9] Update project limits when using input selector
9+ - [be88d14] Update project limits when flavor changes
10+ - [0723e70] Fix metering daily display
11+ - [5603578] Fix Horizon crash when parsing volume list
12+ - [e100279] Only enable one images filter button
13+ - [60d01cc] add missing icons for Project > Images filter
14+ - [8a717d9] Fix sorting by size for Project->Images table
15+ - [070771b] removing mandatory mark for post_creation tab
16+ - [9120a7f] Removing Moscow's timezone check
17+ - [e8a66a4] Horizon login page contains DOS attack mechanism
18+ - [962a0a7] Fix popup error when volume service disabled
19+ - [bcac1a8] Gracefully handle failures to retrieve a flavor
20+ - [2cd9435] Return eye-icon to its place when validation message is shown
21+ - [9b11e2e] Fix timezones in line chart
22+ - [bca0f47] Disable router HA attribute due to Neutron bug
23+ - [b2dc30d] Remove glyphicon-eye-open icon from Description
24+ - [697888b] Remove selenium dependency when not using selenium tests
25+ * d/p/prevent_login_page_DOS.patch: Dropped. Fix is now upstream.
26+
27+ -- Corey Bryant <corey.bryant@canonical.com> Thu, 05 Feb 2015 15:24:25 -0500
28+
29 horizon (1:2014.2.1-0ubuntu2) utopic; urgency=medium
30
31 [ Corey Bryant ]
32
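Review bot: The distribution field in the new changelog stanza is still UNRELEASED, so this entry needs the target series set before upload; the entry itself is otherwise consistent, since the dropped `d/p/prevent_login_page_DOS.patch` line matches the upstream `[e8a66a4] Horizon login page contains DOS attack mechanism` item in the resync list. For traceability of a security-relevant change it would help to also cite the upstream bug the dropped patch closed (`Closes-Bug: 1394370` in the removed patch header) next to the "Fix is now upstream" note.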
33=== removed file 'debian/patches/prevent_login_page_DOS.patch'
34--- debian/patches/prevent_login_page_DOS.patch 2014-12-09 18:42:24 +0000
35+++ debian/patches/prevent_login_page_DOS.patch 1970-01-01 00:00:00 +0000
36@@ -1,62 +0,0 @@
37-From 09b8f8f6724dd7eb8b34fd4c2c2e66b0a3d0cab9 Mon Sep 17 00:00:00 2001
38-From: eric <eric.peterson1@twcable.com>
39-Date: Thu, 20 Nov 2014 08:49:09 -0700
40-Subject: [PATCH] Horizon login page contains DOS attack mechanism
41-
42-the horizon login page (really the middleware) accesses the session
43-too early in the login process, which will create session records
44-in the session backend. This is especially problematic when non-cookie
45-backends are used.
46-
47-Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
48-Closes-Bug: 1394370
49----
50- horizon/middleware.py | 10 ++++++----
51- openstack_dashboard/views.py | 5 ++---
52- 2 files changed, 8 insertions(+), 7 deletions(-)
53-
54-diff --git a/horizon/middleware.py b/horizon/middleware.py
55-index a0d9c3d..885489e 100644
56---- a/horizon/middleware.py
57-+++ b/horizon/middleware.py
58-@@ -90,16 +90,18 @@ class HorizonMiddleware(object):
59- request.horizon = {'dashboard': None,
60- 'panel': None,
61- 'async_messages': []}
62-+ if not hasattr(request, "user") or not request.user.is_authenticated():
63-+ # proceed no further if the current request is already known
64-+ # not to be authenticated
65-+ # it is CRITICAL to perform this check as early as possible
66-+ # to avoid creating too many sessions
67-+ return None
68-
69- # Check for session timeout if user is (or was) authenticated.
70- has_timed_out, timestamp = self._check_has_timed_timeout(request)
71- if has_timed_out:
72- return self._logout(request, request.path, _("Session timed out."))
73-
74-- if not hasattr(request, "user") or not request.user.is_authenticated():
75-- # proceed no further if the current request is already known
76-- # not to be authenticated
77-- return None
78- if request.is_ajax():
79- # if the request is Ajax we do not want to proceed, as clients can
80- # 1) create pages with constant polling, which can create race
81-diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
82-index 4ce55ff..0473279 100644
83---- a/openstack_dashboard/views.py
84-+++ b/openstack_dashboard/views.py
85-@@ -41,8 +41,7 @@ def splash(request):
86- response = shortcuts.redirect(horizon.get_user_home(request.user))
87- else:
88- form = forms.Login(request)
89-- request.session.clear()
90-- request.session.set_test_cookie()
91- response = shortcuts.render(request, 'splash.html', {'form': form})
92-- response.delete_cookie('logout_reason')
93-+ if 'logout_reason' in request.COOKIES:
94-+ response.delete_cookie('logout_reason')
95- return response
96---
97-2.1.0
98-
99
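Review bot: Before dropping this file wholesale, confirm that upstream commit e8a66a4 in the 2014.2.2 tarball carries both halves of the removed patch: the early `is_authenticated()` return in `horizon/middleware.py` (the part that stops unauthenticated requests from creating session records) and the `openstack_dashboard/views.py` change that removes `request.session.clear()` / `request.session.set_test_cookie()` from the splash view and only deletes the `logout_reason` cookie when it is present. If the upstream backport differs from this distro patch in either file, the packaging would silently lose part of the DoS mitigation; a quick grep of the new `horizon/middleware.py` for the moved check would settle it.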
100=== modified file 'debian/patches/series'
101--- debian/patches/series 2014-12-09 18:42:24 +0000
102+++ debian/patches/series 2015-02-05 20:50:36 +0000
103@@ -1,4 +1,3 @@
104-prevent_login_page_DOS.patch
105 fix-dashboard-django-wsgi.patch
106 fix-dashboard-manage.patch
107 ubuntu_settings.patch
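Review bot: Removing `prevent_login_page_DOS.patch` from the series is consistent with the file deletion, but since the upstream resync moves the base the remaining three patches (`fix-dashboard-django-wsgi.patch`, `fix-dashboard-manage.patch`, `ubuntu_settings.patch`) apply to, it is worth stating in the proposal that they were re-applied cleanly (e.g. `quilt push -a`) against the 2014.2.2 source before merging.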
