--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/01-CVE-2014-0157.patch Wed Jun 11 17:13:12 2014 -0700
@@ -0,0 +1,145 @@
+Upstream patch for CVE-2014-0157. This issue is fixed in Icehouse
+2014.1 and Havana 2013.2.4.
+
+From 54ec015f720a4379e8ffc34345b3a7bf36b6f15b Mon Sep 17 00:00:00 2001
+From: CristianFiorentino <[email protected]>
+Date: Mon, 10 Mar 2014 17:36:31 -0300
+Subject: [PATCH] Introduces escaping in Horizon/Orchestration
+
+1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
+
+The "Description" parameter in a Heat template is used to populate
+a help_text tooltip in the dynamically generated Heat form. Bootstrap
+inserts this tooltip into the DOM using .html() which undoes any
+escaping we do in Django (it should be using .text()).
+
+This was fixed by forcing the help_text content to be escaped a second
+time. The issue itself is mitigated in bootstrap.js release 2.0.3
+(ours is currently 2.0.1).
+
+2) Properly escape untrusted Heat template 'outputs'
+
+The 'outputs' parameter in a Heat template was included in a Django
+template with HTML autoescaping turned off. Malicious HTML content
+could be included in a Heat template and would be rendered by Horizon
+when details about a created stack were displayed.
+
+This was fixed by not disabling autoescaping and explicitly escaping
+untrusted values in any strings that are later marked "safe" to render
+without further escaping.
+
+Conflicts:
+ openstack_dashboard/dashboards/project/stacks/mappings.py
+
+Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
+Closes-Bug: #1289033
+Co-Authored-By: Kieran Spear <[email protected]>
+---
+ horizon/templates/horizon/common/_form_fields.html | 7 ++++++-
+ .../dashboards/project/stacks/mappings.py | 10 ++++++++--
+ .../stacks/templates/stacks/_detail_overview.html | 3 +--
+ .../dashboards/project/stacks/tests.py | 17 +++++++++++------
+ 4 files changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/horizon/templates/horizon/common/_form_fields.html b/horizon/templates/horizon/common/_form_fields.html
+index 3567614..f6fb98f 100644
+--- a/horizon/templates/horizon/common/_form_fields.html
++++ b/horizon/templates/horizon/common/_form_fields.html
+@@ -14,7 +14,12 @@
+ <span class="help-inline">{{ error }}</span>
+ {% endfor %}
+ {% endif %}
+- <span class="help-block">{{ field.help_text }}</span>
++ {% comment %}
++ Escape help_text a second time here, to avoid an XSS issue in bootstrap.js.
++ This can most likely be removed once we upgrade bootstrap.js past 2.0.2.
++ Note: the spaces are necessary here.
++ {% endcomment %}
++ <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span>
+ <div class="input">
+ {{ field }}
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/mappings.py b/openstack_dashboard/dashboards/project/stacks/mappings.py
+index 0353291..f1389c5 100644
+--- a/openstack_dashboard/dashboards/project/stacks/mappings.py
++++ b/openstack_dashboard/dashboards/project/stacks/mappings.py
+@@ -19,6 +19,8 @@ import urlparse
+
+ from django.core.urlresolvers import reverse # noqa
+ from django.template.defaultfilters import register # noqa
++from django.utils import html
++from django.utils import safestring
+
+ from openstack_dashboard.api import swift
+
+@@ -76,11 +78,15 @@ def stack_output(output):
+ if not output:
+ return u''
+ if isinstance(output, dict) or isinstance(output, list):
+- return u'<pre>%s</pre>' % json.dumps(output, indent=2)
++ json_string = json.dumps(output, indent=2)
++ safe_output = u'<pre>%s</pre>' % html.escape(json_string)
++ return safestring.mark_safe(safe_output)
+ if isinstance(output, basestring):
+ parts = urlparse.urlsplit(output)
+ if parts.netloc and parts.scheme in ('http', 'https'):
+- return u'<a href="%s" target="_blank">%s</a>' % (output, output)
++ url = html.escape(output)
++ safe_link = u'<a href="%s" target="_blank">%s</a>' % (url, url)
++ return safestring.mark_safe(safe_link)
+ return unicode(output)
+
+
+diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+index f4756e0..33fe783 100644
+--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
++++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+@@ -36,9 +36,8 @@
+ <dt>{{ output.output_key }}</dt>
+ <dd>{{ output.description }}</dd>
+ <dd>
+- {% autoescape off %}
+ {{ output.output_value|stack_output }}
+- {% endautoescape %}</dd>
++ </dd>
+ {% endfor %}
+ </dl>
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/tests.py b/openstack_dashboard/dashboards/project/stacks/tests.py
+index 408d86f..986e3e0 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tests.py
++++ b/openstack_dashboard/dashboards/project/stacks/tests.py
+@@ -16,6 +16,7 @@ import json
+
+ from django.core.urlresolvers import reverse # noqa
+ from django import http
++from django.utils import html
+
+ from mox import IsA # noqa
+
+@@ -77,12 +78,16 @@ class MappingsTests(test.TestCase):
+ self.assertEqual(u'foo', mappings.stack_output('foo'))
+ self.assertEqual(u'', mappings.stack_output(None))
+
+- self.assertEqual(
+- u'<pre>[\n "one", \n "two", \n "three"\n]</pre>',
+- mappings.stack_output(['one', 'two', 'three']))
+- self.assertEqual(
+- u'<pre>{\n "foo": "bar"\n}</pre>',
+- mappings.stack_output({'foo': 'bar'}))
++ outputs = ['one', 'two', 'three']
++ expected_text = """[\n "one", \n "two", \n "three"\n]"""
++
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
++
++ outputs = {'foo': 'bar'}
++ expected_text = """{\n "foo": "bar"\n}"""
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
+
+ self.assertEqual(
+ u'<a href="http://www.example.com/foo" target="_blank">'
+--
+1.7.9.5
+