
From: "Matt Thode (prometheanfire)" <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in www-apps/horizon/files: 2014.1.1-CVE-2014-3473.patch
Date: Tue, 08 Jul 2014 16:09:17
Message-Id: 20140708160914.80EF72004E@flycatcher.gentoo.org
1 prometheanfire 14/07/08 16:09:14
2
3 Added: 2014.1.1-CVE-2014-3473.patch
4 Log:
5 Fix XSS (CVE-2014-3473); the package is no longer vulnerable.
6
7 (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
8
9 Revision Changes Path
10 1.1 www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&content-type=text/plain
14
15 Index: 2014.1.1-CVE-2014-3473.patch
16 ===================================================================
17 From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001
18 From: Julie Pichon <jpichon@××××××.com>
19 Date: Thu, 22 May 2014 16:45:03 +0100
20 Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
21
22 * Ensure user emails are properly escaped
23
24 User emails in the Users and Groups panel are being passed through the
25 urlize filter to transform them into clickable links. However, urlize
26 expects input to be already escaped and safe. We should make sure to
27 escape the strings first as email addresses are not validated and can
28 contain any type of string.
29
30 Closes-Bug: #1320235
31
32 * Ensure network names are properly escaped in the Launch Instance menu
33
34 Closes-Bug: #1322197
35
36 * Escape the URLs generated for the Horizon tables
37
38 When generating the Horizon tables, there was an assumption that only
39 the anchor text needed to be escaped. However some URLs are generated
40 based on user-provided data and should be escaped as well. Also escape
41 the link attributes for good measure.
42
43 * Use 'reverse' to generate the Resource URLs in the stacks tables
44
45 Closes-Bug: #1308727
46
47 Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
48 ---
49 horizon/static/horizon/js/horizon.instances.js | 9 ++++++++-
50 horizon/tables/base.py | 4 +++-
51 openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++-
52 openstack_dashboard/dashboards/admin/users/tables.py | 4 +++-
53 openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++--
54 openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++
55 6 files changed, 29 insertions(+), 6 deletions(-)
56
57 diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
58 index e8e9353..d4ef8a0 100644
59 --- a/horizon/static/horizon/js/horizon.instances.js
60 +++ b/horizon/static/horizon/js/horizon.instances.js
61 @@ -51,8 +51,15 @@ horizon.instances = {
62 $(this.get_network_element("")).each(function(){
63 var $this = $(this);
64 var $input = $this.children("input");
65 + var name = $this.text().replace(/^\s+/,"")
66 + .replace(/&/g, '&amp;')
67 + .replace(/</g, '&lt;')
68 + .replace(/>/g, '&gt;')
69 + .replace(/"/g, '&quot;')
70 + .replace(/'/g, '&#x27;')
71 + .replace(/\//g, '&#x2F;');
72 var network_property = {
73 - name:$this.text().replace(/^\s+/,""),
74 + name:name,
75 id:$input.attr("id"),
76 value:$input.attr("value")
77 };
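Review bot: The new escaping is applied only to `name`; `id` and `value`, read from the input element's attributes on the two lines below it, still go into `network_property` raw, so if the template that consumes this object interpolates them the same way it interpolates the name (that template is not in the hunk) they remain an unescaped sink. Factoring the six chained `.replace()` calls into one helper and running all three fields through it removes the asymmetry and the repeated chain; the `|| ""` below only guards a missing attribute, which the original would have passed through as `undefined`. Escaping `/` as `&#x2F;` is harmless in text content and fine to keep as long as it is applied consistently. The `.each` callback's enclosing method starts before this hunk.
```javascript
var escape_html = function (s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#x27;')
          .replace(/\//g, '&#x2F;');
};
// … unchanged: $(this.get_network_element("")).each(function(){ … $this / $input setup …
var network_property = {
  name: escape_html($this.text().replace(/^\s+/, "")),
  id: escape_html($input.attr("id") || ""),
  value: escape_html($input.attr("value") || "")
};
```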
78 diff --git a/horizon/tables/base.py b/horizon/tables/base.py
79 index 10aaa98..4aceb81 100644
80 --- a/horizon/tables/base.py
81 +++ b/horizon/tables/base.py
82 @@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
83 link_classes = ' '.join(self.column.link_classes)
84 # Escape the data inside while allowing our HTML to render
85 data = mark_safe('<a href="%s" class="%s">%s</a>' %
86 - (self.url, link_classes, escape(unicode(data))))
87 + (escape(self.url),
88 + escape(link_classes),
89 + escape(unicode(data))))
90 return data
91
92 @property
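Review bot: `escape(self.url)` on the new `href` line neutralises quote and angle-bracket breakouts of the attribute, but does nothing about the URL scheme: a `self.url` of the form `javascript:...` built from user data passes `escape()` unchanged and still runs on click, and the commit message itself says some of these URLs are generated from user-provided data. A scheme check before interpolation closes that gap, e.g. `url = self.url if urlparse(self.url).scheme in ('', 'http', 'https') else ''` and then `escape(url)` in the format tuple (Python 2's `from urlparse import urlparse` would go at the top of the file, outside the hunk); URLs produced by `reverse()`, as the stacks hunk of this patch adopts, pass such a check trivially. A short comment on the line would record the split of responsibilities: `# escape() protects the attribute context; the scheme check rejects javascript: URLs`. The enclosing `Cell` method starts before this hunk.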
93 diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
94 index 1f32da2..286c22b 100644
95 --- a/openstack_dashboard/dashboards/admin/groups/tables.py
96 +++ b/openstack_dashboard/dashboards/admin/groups/tables.py
97 @@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
98 class UsersTable(tables.DataTable):
99 name = tables.Column('name', verbose_name=_('User Name'))
100 email = tables.Column('email', verbose_name=_('Email'),
101 - filters=[defaultfilters.urlize])
102 + filters=[defaultfilters.escape,
103 + defaultfilters.urlize])
104 id = tables.Column('id', verbose_name=_('User ID'))
105 enabled = tables.Column('enabled', verbose_name=_('Enabled'),
106 status=True,
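Review bot: `defaultfilters.escape` on the added line is the template *filter*, which, as far as I recall of the Django 1.6-era releases this Horizon targets, marks the value for deferred escaping (`mark_for_escaping`) rather than escaping it immediately; since Horizon invokes these filters as plain functions outside the template engine, that deferred mark may not survive `urlize`, which returns a `mark_safe` string, and the email could still render unescaped. Using the immediate function is unambiguous on every Django version: `filters=[html.escape, defaultfilters.urlize]` with `from django.utils import html` at the top of the file (outside the hunk). Either way this deserves a regression test that renders `UsersTable` with an email such as `<script>alert(1)</script>@example.com` and asserts the output contains `&lt;script&gt;`. The `UsersTable` class continues past the end of the hunk.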
107 diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
108 index b2032c4..9c6dc04 100644
109 --- a/openstack_dashboard/dashboards/admin/users/tables.py
110 +++ b/openstack_dashboard/dashboards/admin/users/tables.py
111 @@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
112 email = tables.Column('email', verbose_name=_('Email'),
113 filters=(lambda v: defaultfilters
114 .default_if_none(v, ""),
115 - defaultfilters.urlize))
116 + defaultfilters.escape,
117 + defaultfilters.urlize)
118 + )
119 # Default tenant is not returned from Keystone currently.
120 #default_tenant = tables.Column('default_tenant',
121 # verbose_name=_('Default Project'))
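Review bot: Style: the new closing `)` on its own line leaves the `filters=` tuple and the `Column(` call ending on separate lines, which reads as a dangling bracket; folding it back to `defaultfilters.urlize))` on one line matches how the groups table in this same patch is written, and switching the tuple to a list would make the two columns identical in form. The same caveat as for the groups table applies: `defaultfilters.escape` is the template filter, and `django.utils.html.escape` is the version-independent immediate escape when filters run outside the template engine. A one-line comment above the column would help the next reader: `# escape before urlize: urlize assumes its input is already escaped`. `UsersTable` continues outside the hunk.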
122 diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
123 index e5f829a..1174746 100644
124 --- a/openstack_dashboard/dashboards/project/stacks/tables.py
125 +++ b/openstack_dashboard/dashboards/project/stacks/tables.py
126 @@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
127 ChangeStackTemplate)
128
129
130 +def get_resource_url(obj):
131 + return urlresolvers.reverse('horizon:project:stacks:resource',
132 + args=(obj.stack_id, obj.resource_name))
133 +
134 +
135 class EventsTable(tables.DataTable):
136
137 logical_resource = tables.Column('resource_name',
138 verbose_name=_("Stack Resource"),
139 - link=lambda d: d.resource_name,)
140 + link=get_resource_url)
141 physical_resource = tables.Column('physical_resource_id',
142 verbose_name=_("Resource"),
143 link=mappings.resource_to_url)
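Review bot: `get_resource_url` silently depends on `obj.stack_id`, an attribute the Heat event and resource objects do not carry themselves and that the companion `tabs.py` hunks stamp onto each row before the table is built; a row reaching `EventsTable` through any other path raises `AttributeError` at render time with no hint why. A docstring would make that contract explicit: `"""Reverse the stack-resource URL for a row; callers must set obj.stack_id first (see StackEventsTab/StackResourcesTab)."""`. Replacing the old `lambda d: d.resource_name` link with `reverse()` is the right fix, since the URL pattern and quoting then bound what a resource name can inject into the href. This assumes `urlresolvers` is already imported at the top of the file, which is outside the hunk.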
144 @@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
145
146 logical_resource = tables.Column('resource_name',
147 verbose_name=_("Stack Resource"),
148 - link=lambda d: d.resource_name)
149 + link=get_resource_url)
150 physical_resource = tables.Column('physical_resource_id',
151 verbose_name=_("Resource"),
152 link=mappings.resource_to_url)
153 diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
154 index c68464a..976541a 100644
155 --- a/openstack_dashboard/dashboards/project/stacks/tabs.py
156 +++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
157 @@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
158 stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
159 events = api.heat.events_list(self.request, stack_identifier)
160 LOG.debug('got events %s' % events)
161 + # The stack id is needed to generate the resource URL.
162 + for event in events:
163 + event.stack_id = stack.id
164 except Exception:
165 events = []
166 messages.error(request, _(
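Review bot: The added loop sits inside the `try` whose `except Exception` on the following lines turns any failure into `events = []` plus a generic error message, so an `AttributeError` from an event object that does not accept new attributes (or a typo in `stack_id`) would be misreported as a Heat call failure. Moving the loop into an `else:` branch keeps the broad handler scoped to the API call: after the `except` block add `else:` / `for event in events:` / `event.stack_id = stack.id`. The comment could also say why the id is needed: `# Heat events do not carry the stack id; EventsTable's link callback needs it to reverse the URL`. The enclosing method starts before this hunk and the `except` body runs past its end.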
167 @@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
168 stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
169 resources = api.heat.resources_list(self.request, stack_identifier)
170 LOG.debug('got resources %s' % resources)
171 + # The stack id is needed to generate the resource URL.
172 + for r in resources:
173 + r.stack_id = stack.id
174 except Exception:
175 resources = []
176 messages.error(request, _(
177 --
178 1.8.5.5