--- a/components/openstack/horizon/patches/13-CVE-2014-3594.patch Tue Apr 07 15:49:29 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-Upstream patch to fix CVE-2014-3594. This will be fixed in future
-2013.2.4 and 2014.1.3 releases.
-
-From 96c6cdaa084857b82b9681378d5d3a6a4732015e Mon Sep 17 00:00:00 2001
-From: Julie Pichon <[email protected]>
-Date: Thu, 7 Aug 2014 12:01:56 +0100
-Subject: [PATCH] Fix XSS issue with the unordered_list filter
-
-When using the unordered_list filter in a Horizon table (as opposed to
-a template directly), autoescaping is not set by default and the input
-wasn't sanitised.
-
-Closes-Bug: #1349491
-Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
----
- .../dashboards/admin/info/tables.py | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/openstack_dashboard/dashboards/admin/info/tables.py b/openstack_dashboard/dashboards/admin/info/tables.py
-index d4f3fe7..a123fab 100644
---- a/openstack_dashboard/dashboards/admin/info/tables.py
-+++ b/openstack_dashboard/dashboards/admin/info/tables.py
-@@ -127,6 +127,10 @@ def get_metadata(aggregate):
- in aggregate.metadata.iteritems()]
-
-
-+def safe_unordered_list(value):
-+ return filters.unordered_list(value, autoescape=True)
-+
-+
- class AggregatesTable(tables.DataTable):
- name = tables.Column("name",
- verbose_name=_("Name"))
-@@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
- hosts = tables.Column(get_hosts,
- verbose_name=_("Hosts"),
- wrap_list=True,
-- filters=(filters.unordered_list,))
-+ filters=(safe_unordered_list,))
- metadata = tables.Column(get_metadata,
- verbose_name=_("Metadata"),
- wrap_list=True,
-- filters=(filters.unordered_list,))
-+ filters=(safe_unordered_list,))
-
- class Meta:
- name = "aggregates"
---
-1.7.9.5