Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139601,
regarding trixie-pu: package horizon/3:25.3.0-3 OSSN-0097 (Horizon RC file
generation does not escape special characters in project names)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139601: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139601
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:horizon
User: [email protected]
Usertags: pu
Hi,
[ Reason ]
I'd like to fix what's been disclosed as:
https://wiki.openstack.org/wiki/OSSN/OSSN-0097
[ Impact ]
Script injection in openrc file served by Horizon.
[ Tests ]
Extensive unit tests suite from upstream are run when building package.
[ Risks ]
Not much, patch is simple.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Change in the list of escaped chars.
Please allow me to upload Horizon 3:25.3.0-3+deb13u1 to Trixie.
Cheers,
Thomas Goirand (zigo)
diff -Nru horizon-25.3.0/debian/changelog horizon-25.3.0/debian/changelog
--- horizon-25.3.0/debian/changelog 2025-07-10 11:09:04.000000000 +0200
+++ horizon-25.3.0/debian/changelog 2026-06-09 10:20:14.000000000 +0200
@@ -1,3 +1,11 @@
+horizon (3:25.3.0-3+deb13u1) trixie; urgency=medium
+
+ * OSSN-0097: Horizon RC file generation does not escape special characters in
+ project. Applied upstream patch: "Escape $ character in shellfilter, and
+ use it consistently" (Closes: #1138845).
+
+ -- Thomas Goirand <[email protected]> Tue, 09 Jun 2026 10:20:14 +0200
+
horizon (3:25.3.0-3) unstable; urgency=medium
* Refreshed:
diff -Nru
horizon-25.3.0/debian/patches/OSSN-0097_Escape_dollar_character_in_shellfilter_and_use_it_consistently.patch
horizon-25.3.0/debian/patches/OSSN-0097_Escape_dollar_character_in_shellfilter_and_use_it_consistently.patch
---
horizon-25.3.0/debian/patches/OSSN-0097_Escape_dollar_character_in_shellfilter_and_use_it_consistently.patch
1970-01-01 01:00:00.000000000 +0100
+++
horizon-25.3.0/debian/patches/OSSN-0097_Escape_dollar_character_in_shellfilter_and_use_it_consistently.patch
2026-06-09 10:20:14.000000000 +0200
@@ -0,0 +1,133 @@
+From 933adb45c43ac5571f1f8d00526a673016f9b0a8 Mon Sep 17 00:00:00 2001
+From: Radomir Dopieralski <[email protected]>
+Date: Tue, 12 May 2026 19:18:50 +0200
+Subject: [PATCH] Escape $ character in shellfilter, and use it consistently
+
+Make sure the special characters included in user-provided values
+don't break the shell scripts generated by Horizon.
+
+Fixes-bug: 2152240
+
+Change-Id: Iec01e820a7ff0d4d3bed7f8929cb9c3229deb502
+Signed-off-by: Radomir Dopieralski <[email protected]>
+---
+
+diff --git a/horizon/templatetags/shellfilter.py
b/horizon/templatetags/shellfilter.py
+index 167a222..a3c83a5 100644
+--- a/horizon/templatetags/shellfilter.py
++++ b/horizon/templatetags/shellfilter.py
+@@ -23,6 +23,8 @@
+ """Replace HTML chars for shell usage."""
+ replacements = {'\\': '\\\\',
+ '`': '\\`',
++ '$': '\\$',
++ '!': '\\!',
+ "'": "\\'",
+ '"': '\\"'}
+ for search, repl in replacements.items():
+diff --git
a/openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/openrc.sh.template
b/openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/openrc.sh.template
+index 670cc33..d04d26f 100644
+---
a/openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/openrc.sh.template
++++
b/openstack_dashboard/dashboards/identity/application_credentials/templates/application_credentials/openrc.sh.template
+@@ -1,9 +1,9 @@
+ {% load shellfilter %}#!/usr/bin/env bash
+
+ export OS_AUTH_TYPE=v3applicationcredential
+-export OS_AUTH_URL={{ auth_url }}
++export OS_AUTH_URL="{{ auth_url|shellfilter }}"
+ export OS_IDENTITY_API_VERSION=3
+ export OS_REGION_NAME="{{ region|shellfilter }}"
+-export OS_INTERFACE={{ interface }}
+-export OS_APPLICATION_CREDENTIAL_ID={{ application_credential_id }}
+-export OS_APPLICATION_CREDENTIAL_SECRET={{ application_credential_secret }}
++export OS_INTERFACE="{{ interface|shellfilter }}"
++export OS_APPLICATION_CREDENTIAL_ID="{{ application_credential_id|shellfilter
}}"
++export OS_APPLICATION_CREDENTIAL_SECRET="{{
application_credential_secret|shellfilter }}"
+diff --git
a/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template
b/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template
+index ff576a0..a3bd3df 100644
+---
a/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template
++++
b/openstack_dashboard/dashboards/project/api_access/templates/api_access/openrc.sh.template
+@@ -11,11 +11,11 @@
+ # OpenStack API is version 3. For example, your cloud provider may implement
+ # Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is
+ # only for the Identity API served through keystone.
+-export OS_AUTH_URL={{ auth_url }}
++export OS_AUTH_URL="{{ auth_url|shellfilter }}"
+
+ # With the addition of Keystone we have standardized on the term **project**
+ # as the entity that owns the resources.
+-export OS_PROJECT_ID={{ tenant_id }}
++export OS_PROJECT_ID="{{ tenant_id|shellfilter }}"
+ export OS_PROJECT_NAME="{{ tenant_name|shellfilter }}"
+ export OS_USER_DOMAIN_NAME="{{ user_domain_name|shellfilter }}"
+ if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
+@@ -33,7 +33,7 @@
+ # With Keystone you pass the keystone password.
+ echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as
user $OS_USERNAME: "
+ read -sr OS_PASSWORD_INPUT
+-export OS_PASSWORD=$OS_PASSWORD_INPUT
++export OS_PASSWORD="$OS_PASSWORD_INPUT"
+
+ # If your configuration has multiple regions, we set that information here.
+ # OS_REGION_NAME is optional and only valid in certain environments.
+@@ -41,5 +41,5 @@
+ # Don't leave a blank variable, unset it if it was empty
+ if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
+
+-export OS_INTERFACE={{ interface }}
+-export OS_IDENTITY_API_VERSION={{ os_identity_api_version }}
++export OS_INTERFACE="{{ interface|shellfilter }}"
++export OS_IDENTITY_API_VERSION="{{ os_identity_api_version|shellfilter }}"
+diff --git a/openstack_dashboard/dashboards/project/api_access/tests.py
b/openstack_dashboard/dashboards/project/api_access/tests.py
+index 66d5709..044a3e7 100644
+--- a/openstack_dashboard/dashboards/project/api_access/tests.py
++++ b/openstack_dashboard/dashboards/project/api_access/tests.py
+@@ -55,7 +55,7 @@
+ openrc = 'project/api_access/openrc.sh.template'
+ self.assertTemplateUsed(res, openrc)
+ name = 'export OS_USERNAME="{}"'.format(self.request.user.username)
+- p_id = 'export OS_PROJECT_ID={}'.format(self.request.user.tenant_id)
++ p_id = 'export OS_PROJECT_ID="{}"'.format(self.request.user.tenant_id)
+ domain = 'export OS_USER_DOMAIN_NAME="{}"'.format(
+ self.request.user.user_domain_name)
+ self.assertIn(name.encode('utf-8'), res.content)
+@@ -215,7 +215,7 @@
+ context,
+ template.Context(context))
+
+- self.assertIn("OS_REGION_NAME=\"Colorado\"", out)
++ self.assertIn('OS_REGION_NAME="Colorado"', out)
+
+ def test_openrc_region_not_set(self):
+ context = {
+@@ -228,7 +228,7 @@
+ context,
+ template.Context(context))
+
+- self.assertIn("OS_REGION_NAME=\"\"", out)
++ self.assertIn('OS_REGION_NAME=""', out)
+
+ def test_clouds_yaml_set_region(self):
+ context = {
+diff --git a/openstack_dashboard/test/selenium/integration/test_credentials.py
b/openstack_dashboard/test/selenium/integration/test_credentials.py
+index 1ba18af..fde0e91 100644
+--- a/openstack_dashboard/test/selenium/integration/test_credentials.py
++++ b/openstack_dashboard/test/selenium/integration/test_credentials.py
+@@ -54,7 +54,7 @@
+ project_name = re.search(
+ r'export OS_PROJECT_NAME="([^"]+)"', content).group(1)
+ project_id = re.search(
+- r'export OS_PROJECT_ID=(.+)', content).group(1)
++ r'export OS_PROJECT_ID="([^"]+)"', content).group(1)
+
+ assert(config.identity.admin_username == username and
+ config.identity.admin_home_project == project_name and
+@@ -86,7 +86,7 @@
+ project_name = re.search(
+ r'export OS_PROJECT_NAME="([^"]+)"', content).group(1)
+ project_id = re.search(
+- r'export OS_PROJECT_ID=(.+)', content).group(1)
++ r'export OS_PROJECT_ID="([^"]+)"', content).group(1)
+
+ assert(config.identity.username == username and
+ config.identity.home_project == project_name and
diff -Nru horizon-25.3.0/debian/patches/series
horizon-25.3.0/debian/patches/series
--- horizon-25.3.0/debian/patches/series 2025-07-10 11:09:04.000000000
+0200
+++ horizon-25.3.0/debian/patches/series 2026-06-09 10:20:14.000000000
+0200
@@ -6,3 +6,4 @@
remove-broken-test-in-bookworm-backports.patch
fix-serial_console.scss.patch
do-not-import-enabled-if-no-plugins.patch
+OSSN-0097_Escape_dollar_character_in_shellfilter_and_use_it_consistently.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---