x/swauth
Code Issues Proposed changes
swauth/test
History
Pavel Kvasnicka 70af798626 Hash token before storing it in Swift 
Swauth uses token value as object name. Object names are logged in proxy
and object servers. Anybody with access to proxy/object server logs can
see token values. Attacker can use this token to access user's data in
Swift store. Instead of token, hashed token (with HASH_PATH_PREFIX and
HASH_PATH_SUFFIX) is used as object name now.

WARNING: In deployments without memcached this patch logs out all users
because tokens became invalid.

CVE-2017-16613

SecurityImpact
Closes-Bug: #1655781
Change-Id: I0d01e8e95400c82ef25f98e2d269532e83233c2c
2017-11-21 12:01:22 +01:00
..
unit
Hash token before storing it in Swift
2017-11-21 12:01:22 +01:00
__init__.py
Do not use __builtin__ in python3
2016-01-06 01:55:04 +00:00