|
1 Upstream patch to fix CVE-2014-3594. This will be fixed in future |
|
2 2013.2.4 and 2014.1.3 releases. |
|
3 |
|
4 From 96c6cdaa084857b82b9681378d5d3a6a4732015e Mon Sep 17 00:00:00 2001 |
|
5 From: Julie Pichon <[email protected]> |
|
6 Date: Thu, 7 Aug 2014 12:01:56 +0100 |
|
7 Subject: [PATCH] Fix XSS issue with the unordered_list filter |
|
8 |
|
9 When using the unordered_list filter in a Horizon table (as opposed to |
|
10 a template directly), autoescaping is not set by default and the input |
|
11 wasn't sanitised. |
|
12 |
|
13 Closes-Bug: #1349491 |
|
14 Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec |
|
15 --- |
|
16 .../dashboards/admin/info/tables.py | 8 ++++++-- |
|
17 1 file changed, 6 insertions(+), 2 deletions(-) |
|
18 |
|
19 diff --git a/openstack_dashboard/dashboards/admin/info/tables.py b/openstack_dashboard/dashboards/admin/info/tables.py |
|
20 index d4f3fe7..a123fab 100644 |
|
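--- a/openstack_dashboard/dashboards/admin/info/tables.py
+++ b/openstack_dashboard/dashboards/admin/info/tables.py
@@ -127,6 +127,10 @@ def get_metadata(aggregate):
 in aggregate.metadata.iteritems()]
 
 
+def safe_unordered_list(value):
+ return filters.unordered_list(value, autoescape=True)
+
+
 class AggregatesTable(tables.DataTable):
 name = tables.Column("name",
 verbose_name=_("Name"))
@@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
 hosts = tables.Column(get_hosts,
 verbose_name=_("Hosts"),
 wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
 metadata = tables.Column(get_metadata,
 verbose_name=_("Metadata"),
 wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
 
 class Meta:
 name = "aggregates"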
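Review bot: safe_unordered_list has no docstring or comment saying that it exists to force escaping when the filter runs from a table column rather than a template, so a later cleanup could swap the two `filters=(safe_unordered_list,)` entries back to `filters.unordered_list` and reintroduce the unescaped output. A docstring such as `"""Render value as an unordered list with autoescaping forced on; table column filters run without the template's autoescape setting."""` would record the reason. The diffstat lists only tables.py, so the patch carries no regression test; one that renders the hosts and metadata columns with a value containing markup and asserts the escaped form would pin the fix. The helper is also local to this module, so any other table that passes `filters.unordered_list` as a column filter (none is visible in this patch) would need the same wrapper.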
|
48 -- |
|
49 1.7.9.5 |