components/openstack/horizon/patches/03-CVE-2013-6858.patch
changeset 1760 353323c7bdc1
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/03-CVE-2013-6858.patch	Mon Mar 17 09:51:44 2014 -0600
@@ -0,0 +1,73 @@
+Upstream patch fixed in Havana 2013.2.1
+
+commit b14debc73132d1253220192e110f00f62ddb8bbc
+Author: Rob Raymond <[email protected]>
+Date:   Mon Nov 4 12:12:40 2013 -0700
+
+    Fix bug by escaping strings from Nova before displaying them
+    
+    Fixes bug #1247675
+    
+    (cherry-picked from commit b8ff480)
+    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 2311e5c..17a4fb5 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -17,6 +17,7 @@
+ import logging
+ 
+ from django.core.urlresolvers import reverse
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+@@ -68,6 +69,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+         request = self.table.request
+         volume_name = api.cinder.volume_get(request,
+                                             snapshot.volume_id).display_name
++        volume_name = html.escape(volume_name)
+         return safestring.mark_safe(volume_name)
+ 
+     def get_link_url(self, snapshot):
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index b14145b..e5426c1 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -19,7 +19,7 @@ import logging
+ from django.core.urlresolvers import reverse, NoReverseMatch
+ from django.template.defaultfilters import title
+ from django.utils import safestring
+-from django.utils.html import strip_tags
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -111,7 +111,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -132,7 +132,7 @@ class AttachmentColumn(tables.Column):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -225,7 +225,7 @@ class AttachmentsTable(tables.DataTable):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):
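Review bot: The `except NoReverseMatch:` fallback in get_attachment_name still assigns the raw `name`, and the AttachmentColumn hunk that follows feeds that return value through `link % vals` into `safestring.mark_safe`, so when the instance detail URL cannot be reversed the server name is still emitted unescaped; escaping once before the `try`, `name = html.escape(name)`, covers both branches and lets the changed line go back to `% (url, name)`. In AttachmentsTable.get_object_display, replacing `strip_tags(instance_name)` with `html.escape(instance_name)` acts on the anchor markup get_attachment_name has just built, so the display string will carry the literal `<a href=...>` text and a doubly-escaped name; if that string is meant to stay plain text, `html.strip_tags(instance_name)` keeps the new import while preserving the previous behaviour. Since the escaped name is inserted into an HTML attribute-free anchor body only, `html.escape` is adequate there, but `url` is interpolated into the `href` attribute without escaping and relies on `reverse()` producing a safe value. Each of the functions and methods touched starts or ends outside the quoted hunks.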