prometheanfire 14/07/08 16:09:14 |
|
Added: 2014.1.1-CVE-2014-3473.patch |
Log: |
fixing xss CVE-2014-3473 not vulnerable now, kthnx |
|
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3) |
|
Revision Changes Path |
1.1 www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch?rev=1.1&content-type=text/plain |
|
Index: 2014.1.1-CVE-2014-3473.patch |
=================================================================== |
From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001 |
From: Julie Pichon <jpichon@××××××.com> |
Date: Thu, 22 May 2014 16:45:03 +0100 |
Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities. |
|
* Ensure user emails are properly escaped |
|
User emails in the Users and Groups panel are being passed through the |
urlize filter to transform them into clickable links. However, urlize |
expects input to be already escaped and safe. We should make sure to |
escape the strings first as email addresses are not validated and can |
contain any type of string. |
|
Closes-Bug: #1320235 |
|
* Ensure network names are properly escaped in the Launch Instance menu |
|
Closes-Bug: #1322197 |
|
* Escape the URLs generated for the Horizon tables |
|
When generating the Horizon tables, there was an assumption that only |
the anchor text needed to be escaped. However some URLs are generated |
based on user-provided data and should be escaped as well. Also escape |
the link attributes for good measure. |
|
* Use 'reverse' to generate the Resource URLs in the stacks tables |
|
Closes-Bug: #1308727 |
|
Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e |
--- |
horizon/static/horizon/js/horizon.instances.js | 9 ++++++++- |
horizon/tables/base.py | 4 +++- |
openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++- |
openstack_dashboard/dashboards/admin/users/tables.py | 4 +++- |
openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++-- |
openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++ |
6 files changed, 29 insertions(+), 6 deletions(-) |
|
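diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
index e8e9353..d4ef8a0 100644
--- a/horizon/static/horizon/js/horizon.instances.js
+++ b/horizon/static/horizon/js/horizon.instances.js
@@ -51,8 +51,15 @@ horizon.instances = {
 $(this.get_network_element("")).each(function(){
 var $this = $(this);
 var $input = $this.children("input");
+ var name = $this.text().replace(/^\s+/,"")
+ .replace(/&/g, '&')
+ .replace(/</g, '<')
+ .replace(/>/g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(/\//g, '/');
 var network_property = {
- name:$this.text().replace(/^\s+/,""),
+ name:name,
 id:$input.attr("id"),
 value:$input.attr("value")
 };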
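Review bot: As rendered on this page every replacement string in the new `.replace` chain is the same character as its pattern (`.replace(/&/g, '&')`, `.replace(/</g, '<')`), which would leave the network name exactly as it was; presumably the HTML entity references in the real patch were decoded by the page rendering, so the plain-text link at the top of the page should be consulted before this listing is used as a reference. Even in its intended form, a hand-maintained six-step chain is easy to leave incomplete or to drift from the server-side escaping rules; if horizon's JS has a shared text-escaping helper, `var name = escape_helper($this.text().replace(/^\s+/,""));` would keep the rules in one place (helper name is a placeholder). The `.each(function(){` callback begins at the top of the hunk and continues past its end.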
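diff --git a/horizon/tables/base.py b/horizon/tables/base.py
index 10aaa98..4aceb81 100644
--- a/horizon/tables/base.py
+++ b/horizon/tables/base.py
@@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
 link_classes = ' '.join(self.column.link_classes)
 # Escape the data inside while allowing our HTML to render
 data = mark_safe('<a href="%s" class="%s">%s</a>' %
- (self.url, link_classes, escape(unicode(data))))
+ (escape(self.url),
+ escape(link_classes),
+ escape(unicode(data))))
 return data
 
 @property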
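Review bot: `escape(self.url)` closes the attribute-breakout case, but HTML-escaping does not constrain what the URL itself is — a value whose scheme is not `http`/`https` passes through `escape` untouched — so if any column's `link` callable can return a fully user-controlled string, a scheme allowlist is still needed where `self.url` is produced; whether such a caller exists is not visible in this hunk. The existing comment `# Escape the data inside while allowing our HTML to render` now understates what the statement does; `# Escape the URL, the class list and the text so that only our own <a> markup is rendered unescaped` would match the new code. The enclosing method starts above the hunk.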
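diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
index 1f32da2..286c22b 100644
--- a/openstack_dashboard/dashboards/admin/groups/tables.py
+++ b/openstack_dashboard/dashboards/admin/groups/tables.py
@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
 class UsersTable(tables.DataTable):
 name = tables.Column('name', verbose_name=_('User Name'))
 email = tables.Column('email', verbose_name=_('Email'),
- filters=[defaultfilters.urlize])
+ filters=[defaultfilters.escape,
+ defaultfilters.urlize])
 id = tables.Column('id', verbose_name=_('User ID'))
 enabled = tables.Column('enabled', verbose_name=_('Enabled'),
 status=True,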
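Review bot: The order of the two filters is load-bearing and nothing in the code records it: `escape` has to run before `urlize` because, as the commit message says, `urlize` expects input that is already escaped and safe, so a later tidy-up that swaps or "simplifies" the list would silently reintroduce the issue. A comment on the new lines, `# escape first: urlize assumes already-safe input (CVE-2014-3473)`, would protect the ordering. The same note applies to the `filters=(...)` tuple in `openstack_dashboard/dashboards/admin/users/tables.py` in this commit. Worth confirming once: an address containing `&` is handed to `urlize` in its `&amp;` form, so the generated `mailto:` link may carry the entity rather than the raw character.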
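diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
index b2032c4..9c6dc04 100644
--- a/openstack_dashboard/dashboards/admin/users/tables.py
+++ b/openstack_dashboard/dashboards/admin/users/tables.py
@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
 email = tables.Column('email', verbose_name=_('Email'),
 filters=(lambda v: defaultfilters
 .default_if_none(v, ""),
- defaultfilters.urlize))
+ defaultfilters.escape,
+ defaultfilters.urlize)
+ )
 # Default tenant is not returned from Keystone currently.
 #default_tenant = tables.Column('default_tenant',
 # verbose_name=_('Default Project'))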
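diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
index e5f829a..1174746 100644
--- a/openstack_dashboard/dashboards/project/stacks/tables.py
+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
 ChangeStackTemplate)
 
 
+def get_resource_url(obj):
+ return urlresolvers.reverse('horizon:project:stacks:resource',
+ args=(obj.stack_id, obj.resource_name))
+
+
 class EventsTable(tables.DataTable):
 
 logical_resource = tables.Column('resource_name',
 verbose_name=_("Stack Resource"),
- link=lambda d: d.resource_name,)
+ link=get_resource_url)
 physical_resource = tables.Column('physical_resource_id',
 verbose_name=_("Resource"),
 link=mappings.resource_to_url)
@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
 
 logical_resource = tables.Column('resource_name',
 verbose_name=_("Stack Resource"),
- link=lambda d: d.resource_name)
+ link=get_resource_url)
 physical_resource = tables.Column('physical_resource_id',
 verbose_name=_("Resource"),
 link=mappings.resource_to_url)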
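Review bot: `get_resource_url` silently depends on `obj.stack_id`, an attribute that — judging by the stamping loops this same commit adds to `openstack_dashboard/dashboards/project/stacks/tabs.py` — the Heat event and resource objects do not carry on their own, and nothing at the definition records that; a row reaching this function from any other code path fails with `AttributeError`. A docstring would make the contract explicit: `"""Return the resource detail URL for *obj*; it must carry ``stack_id`` (stamped on by the stack tabs) and ``resource_name``."""`. It is also worth one sentence there that going through `reverse` is what URL-quotes the resource name into the path, whereas the removed `lambda d: d.resource_name` emitted it verbatim — that is the security point of the change and is otherwise invisible at the call sites.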
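diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
index c68464a..976541a 100644
--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
 stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
 events = api.heat.events_list(self.request, stack_identifier)
 LOG.debug('got events %s' % events)
+ # The stack id is needed to generate the resource URL.
+ for event in events:
+ event.stack_id = stack.id
 except Exception:
 events = []
 messages.error(request, _(
@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
 stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
 resources = api.heat.resources_list(self.request, stack_identifier)
 LOG.debug('got resources %s' % resources)
+ # The stack id is needed to generate the resource URL.
+ for r in resources:
+ r.stack_id = stack.id
 except Exception:
 resources = []
 messages.error(request, _(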
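Review bot: The new stamping loop sits inside the same `try` as the `api.heat.events_list` call, so any failure while assigning `event.stack_id` (an object that rejects attribute assignment, for instance) is swallowed by the broad `except Exception`, the list is replaced by `[]` and the user is told the events could not be fetched, which hides the real cause. Since the failure path already sets `events = []`, the loop can be placed after the whole `try`/`except` statement where it becomes a no-op on failure: keep `for event in events:` / `event.stack_id = stack.id` but dedent them to follow the `except` block, so the `try` body is limited to the call that can actually fail. The same applies to the `resources` loop in the second hunk. Both enclosing methods start and end outside the hunks.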
-- |
1.8.5.5 |