passlib trunc_password MAX_PASSWORD_LENGTH password truncation
Bug #1175904 reported by Kurt Seifried. This bug affects 1 person.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Li Ma | |
Bug Description
Grant Murphy originally reported:
* Insecure / bad practice
The trunc_password function attempts to correct and truncate passwords
that are over the MAX_PASSWORD_LENGTH value (default 4096). As the
MAX_
to restrict all passwords to length = 1. This scenario might be unlikely
but generally speaking we should not try to 'fix' invalid input and
continue on processing as if nothing happened.
If this is exploitable it will need a CVE, if not we should still harden it so it can't be monkeyed with in the future.
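The report's objection is that an over-long password is silently cut down rather than rejected, so if the module-level limit were ever changed (the "length = 1" scenario above) every password would collapse to its first character and still verify. The following is an added illustration written for this page, not keystone's or passlib's code: `trunc_password`, `check_password_length`, `hash_password`, `verify` and `demo` are hypothetical reconstructions, and the `max_length` parameter stands in for altering the `MAX_PASSWORD_LENGTH` setting.

```python
"""Added example (not keystone's code): silently truncating an over-long
password versus rejecting it. Names mirror the bug report; the max_length
parameter models tampering with the module-level MAX_PASSWORD_LENGTH."""

import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH = 4096  # the report's default (hypothetical module setting)


class PasswordTooLong(ValueError):
    """Raised by the hardened variant instead of altering the input."""


def trunc_password(password, max_length=None):
    """The pattern the report objects to: 'fix' over-long input by cutting it.
    With max_length=1 every password collapses to its first character."""
    limit = MAX_PASSWORD_LENGTH if max_length is None else max_length
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    return password[:limit]


def check_password_length(password, max_length=None):
    """Hardened variant: reject over-long input, never rewrite it."""
    limit = MAX_PASSWORD_LENGTH if max_length is None else max_length
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    if len(password) > limit:
        raise PasswordTooLong(f"password exceeds {limit} characters")
    return password


def hash_password(password, salt=None):
    """Toy salted PBKDF2 hash so the two policies can be compared by what
    actually gets stored and verified; parameters are illustrative only."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return salt, digest


def verify(stored, candidate, policy, max_length=None):
    """Apply `policy` (truncating or rejecting) to the candidate, then compare
    in constant time against the stored digest."""
    salt, digest = stored
    try:
        normalised = policy(candidate, max_length)
    except PasswordTooLong:
        return False
    _, cand_digest = hash_password(normalised, salt)
    return hmac.compare_digest(digest, cand_digest)


def demo(max_length):
    """Register a constructed secret under each policy with the given limit and
    report which candidate strings are then accepted at login. A value of None
    means registration itself was refused."""
    secret = "correct horse battery"  # constructed sample password
    candidates = (secret, "c", "completely different")
    results = {}
    for name, policy in (("truncate", trunc_password),
                         ("reject", check_password_length)):
        try:
            stored = hash_password(policy(secret, max_length))
        except PasswordTooLong:
            results[name] = None
            continue
        results[name] = {c: verify(stored, c, policy, max_length)
                         for c in candidates}
    return results


if __name__ == "__main__":
    # With the limit at 1, the truncating policy accepts all three candidates;
    # the rejecting policy refuses to store the over-long secret at all.
    print(demo(1))
    print(demo(4096))
```

Under the default limit both policies behave identically; the difference only shows once the limit is lowered, which is exactly why the report argues the limit should not be something that can be quietly "monkeyed with" and why invalid input should be refused rather than repaired.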
Change history:

- information type: Private Security → Public
- Changed in keystone: importance: Undecided → Medium; status: New → Confirmed
- Changed in keystone: assignee: nobody → Li Ma (nick-ma-b)
- Changed in keystone: assignee: Li Ma (nick-ma-b) → nobody
- Changed in keystone: assignee: nobody → Li Ma (nick-ma-z)
- Changed in keystone: milestone: none → juno-2; status: Fix Committed → Fix Released
- Changed in keystone: milestone: juno-2 → 2014.2
I don't see this as exploitable, as you'd have to run arbitrary Python code within the Keystone server, at which point there are funnier things to do than altering the max password length.
Agree that we could strengthen that part to avoid it being monkeyed with in the future. With your permission, I'd open this bug publicly and let it be strengthened in public patches.