Re: [openstack-dev] [security] Script injection issue

2017-11-17 Thread Jeremy Stanley
On 2017-11-17 08:22:31 + (+), TommyLike Hu wrote:
> Recently, when we were integrating and testing OpenStack services, we
> found there is a potential script injection issue: some of our
> services accept input with special characters [1] [2]; for
> instance, we can create an instance or a volume with the name
> 'script inside'. One of the possible solutions is to
> add HTML encode/decode support in Horizon, but it's not guaranteed
> every OpenStack user is using Horizon. So should we apply
> stricter restrictions on user input?

Just my opinion, but I think it's up to frontends to know what
strings are safe to present. Web-based interfaces are not the only
possible place those strings may end up, and if we consider it the
API's responsibility to strip out every possible sequence that might
cause trouble for every kind of frontend or consuming application
then we'll eventually be left accepting only ASCII alphanumerics.

> Also, I found Google Cloud has a strict and explicit restriction in
> their instance insert API document [3].
[...]

To my knowledge, Google Cloud is proprietary software and can afford
to make decisions tightly coupling the security of their Web
frontend to their APIs. OpenStack can't easily make the same sorts
of assumptions.
-- 
Jeremy Stanley


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
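To make the point above concrete, here is an added example (not code from Horizon, Nova, Cinder or the thread) of contextual output encoding: the API stores the name verbatim, and each consumer encodes it for its own sink. The sample name and the function names are constructed for illustration.

```python
import html
import json

# Constructed sample name of the kind the thread describes. The API keeps it
# exactly as submitted; nothing below changes what is stored.
SAMPLE_NAME = 'vm-01 <script>alert(1)</script> "prod"'


def for_html_text(name: str) -> str:
    """Encode for an HTML text node, e.g. a table cell in a dashboard."""
    return html.escape(name, quote=False)


def for_html_attr(name: str) -> str:
    """Encode for a double-quoted HTML attribute value such as title="..."."""
    return html.escape(name, quote=True)


def for_inline_json(name: str) -> str:
    """Encode for a JSON literal embedded inside a <script> block.

    json.dumps() leaves '<' and '>' untouched, so a name containing
    '</script>' would terminate the block early. Escaping those characters
    as \\uXXXX keeps the value valid JSON and inert inside HTML.
    """
    return (json.dumps(name)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def for_terminal(name: str) -> str:
    """Encode for a CLI listing: replace control characters (ESC, newline,
    tab) so a name cannot emit terminal escape sequences or fake extra rows.
    """
    return ''.join(ch if ch.isprintable() else '?' for ch in name)


def render_everywhere(name: str) -> dict:
    """Return the same name encoded for each sink, side by side."""
    return {
        'html_text': for_html_text(name),
        'html_attr': for_html_attr(name),
        'inline_json': for_inline_json(name),
        'terminal': for_terminal(name),
    }
```

The HTML forms differ only in quote handling, while the script-embedded form must additionally neutralise angle brackets; each consumer, not the API, knows which rule applies.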


[openstack-dev] [security] Script injection issue

2017-11-17 Thread TommyLike Hu
Hey all,
Recently, when we were integrating and testing OpenStack services, we found
there is a potential script injection issue: some of our services
accept input with special characters [1] [2]; for instance, we can create
an instance or a volume with the name 'script inside'.
One of the possible solutions is to add HTML encode/decode support in Horizon,
but it's not guaranteed every OpenStack user is using Horizon. So should we
apply stricter restrictions on user input?
Also, I found Google Cloud has a strict and explicit restriction in
their instance insert API document [3].

[1]: Nova:
https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
[2]: Cinder:
https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
[3]: Google Cloud:
https://cloud.google.com/compute/docs/reference/latest/instances/insert

Thanks
TommyLike.Hu