prometheanfire 14/07/08 16:09:14 Added: 2014.1.1-CVE-2014-3473.patch Log: fixing xss CVE-2014-3473 not vulnerable now, kthnx (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Revision Changes Path 1.1 www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&content-type=text/plain Index: 2014.1.1-CVE-2014-3473.patch =================================================================== >From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001 From: Julie Pichon <[email protected]> Date: Thu, 22 May 2014 16:45:03 +0100 Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities. * Ensure user emails are properly escaped User emails in the Users and Groups panel are being passed through the urlize filter to transform them into clickable links. However, urlize expects input to be already escaped and safe. We should make sure to escape the strings first as email addresses are not validated and can contain any type of string. Closes-Bug: #1320235 * Ensure network names are properly escaped in the Launch Instance menu Closes-Bug: #1322197 * Escape the URLs generated for the Horizon tables When generating the Horizon tables, there was an assumption that only the anchor text needed to be escaped. However some URLs are generated based on user-provided data and should be escaped as well. Also escape the link attributes for good measure. * Use 'reverse' to generate the Resource URLs in the stacks tables Closes-Bug: #1308727 Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e --- horizon/static/horizon/js/horizon.instances.js | 9 ++++++++- horizon/tables/base.py | 4 +++- openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++- openstack_dashboard/dashboards/admin/users/tables.py | 4 +++- openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++-- openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++ 6 files changed, 29 insertions(+), 6 deletions(-) diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js index e8e9353..d4ef8a0 100644 --- a/horizon/static/horizon/js/horizon.instances.js +++ b/horizon/static/horizon/js/horizon.instances.js @@ -51,8 +51,15 @@ horizon.instances = { $(this.get_network_element("")).each(function(){ var $this = $(this); var $input = $this.children("input"); + var name = $this.text().replace(/^\s+/,"") + .replace(/&/g, '&') + .replace(/</g, '<') + .replace(/>/g, '>') + .replace(/"/g, '"') + .replace(/'/g, ''') + .replace(/\//g, '/'); var network_property = { - name:$this.text().replace(/^\s+/,""), + name:name, id:$input.attr("id"), value:$input.attr("value") }; diff --git a/horizon/tables/base.py b/horizon/tables/base.py index 10aaa98..4aceb81 100644 --- a/horizon/tables/base.py +++ b/horizon/tables/base.py @@ -676,7 +676,9 @@ class Cell(html.HTMLElement): link_classes = ' '.join(self.column.link_classes) # Escape the data inside while allowing our HTML to render data = mark_safe('<a href="%s" class="%s">%s</a>' % - (self.url, link_classes, escape(unicode(data)))) + (escape(self.url), + escape(link_classes), + escape(unicode(data)))) return data @property diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py index 1f32da2..286c22b 100644 --- a/openstack_dashboard/dashboards/admin/groups/tables.py +++ b/openstack_dashboard/dashboards/admin/groups/tables.py @@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction): class UsersTable(tables.DataTable): name = tables.Column('name', verbose_name=_('User Name')) email = tables.Column('email', verbose_name=_('Email'), - filters=[defaultfilters.urlize]) + filters=[defaultfilters.escape, + defaultfilters.urlize]) id = tables.Column('id', verbose_name=_('User ID')) enabled = tables.Column('enabled', verbose_name=_('Enabled'), status=True, diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py index b2032c4..9c6dc04 100644 --- a/openstack_dashboard/dashboards/admin/users/tables.py +++ b/openstack_dashboard/dashboards/admin/users/tables.py @@ -131,7 +131,9 @@ class UsersTable(tables.DataTable): email = tables.Column('email', verbose_name=_('Email'), filters=(lambda v: defaultfilters .default_if_none(v, ""), - defaultfilters.urlize)) + defaultfilters.escape, + defaultfilters.urlize) + ) # Default tenant is not returned from Keystone currently. #default_tenant = tables.Column('default_tenant', # verbose_name=_('Default Project')) diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py index e5f829a..1174746 100644 --- a/openstack_dashboard/dashboards/project/stacks/tables.py +++ b/openstack_dashboard/dashboards/project/stacks/tables.py @@ -114,11 +114,16 @@ class StacksTable(tables.DataTable): ChangeStackTemplate) +def get_resource_url(obj): + return urlresolvers.reverse('horizon:project:stacks:resource', + args=(obj.stack_id, obj.resource_name)) + + class EventsTable(tables.DataTable): logical_resource = tables.Column('resource_name', verbose_name=_("Stack Resource"), - link=lambda d: d.resource_name,) + link=get_resource_url) physical_resource = tables.Column('physical_resource_id', verbose_name=_("Resource"), link=mappings.resource_to_url) @@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable): logical_resource = tables.Column('resource_name', verbose_name=_("Stack Resource"), - link=lambda d: d.resource_name) + link=get_resource_url) physical_resource = tables.Column('physical_resource_id', verbose_name=_("Resource"), link=mappings.resource_to_url) diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py index c68464a..976541a 100644 --- a/openstack_dashboard/dashboards/project/stacks/tabs.py +++ b/openstack_dashboard/dashboards/project/stacks/tabs.py @@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab): stack_identifier = '%s/%s' % (stack.stack_name, stack.id) events = api.heat.events_list(self.request, stack_identifier) LOG.debug('got events %s' % events) + # The stack id is needed to generate the resource URL. + for event in events: + event.stack_id = stack.id except Exception: events = [] messages.error(request, _( @@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab): stack_identifier = '%s/%s' % (stack.stack_name, stack.id) resources = api.heat.resources_list(self.request, stack_identifier) LOG.debug('got resources %s' % resources) + # The stack id is needed to generate the resource URL. + for r in resources: + r.stack_id = stack.id except Exception: resources = [] messages.error(request, _( -- 1.8.5.5
