components/openstack/horizon/patches/13-CVE-2014-3594.patch
author Drew Fisher <drew.fisher@oracle.com>
date Mon, 25 Aug 2014 15:20:32 -0700
branch s11u2-sru
changeset 3286 a9343d9c0b6f
permissions -rw-r--r--
19277967 long delay before floating ip assignment displayed by "nova show" or horizon
19468547 problem in SERVICE/HORIZON

Upstream patch to fix CVE-2014-3594.  This will be fixed in future
2013.2.4 and 2014.1.3 releases.

From 96c6cdaa084857b82b9681378d5d3a6a4732015e Mon Sep 17 00:00:00 2001
From: Julie Pichon <[email protected]>
Date: Thu, 7 Aug 2014 12:01:56 +0100
Subject: [PATCH] Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to
a template directly), autoescaping is not set by default and the input
wasn't sanitised.

Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
---
 .../dashboards/admin/info/tables.py                |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/openstack_dashboard/dashboards/admin/info/tables.py b/openstack_dashboard/dashboards/admin/info/tables.py
index d4f3fe7..a123fab 100644
--- a/openstack_dashboard/dashboards/admin/info/tables.py
+++ b/openstack_dashboard/dashboards/admin/info/tables.py
@@ -127,6 +127,10 @@ def get_metadata(aggregate):
             in aggregate.metadata.iteritems()]
 
 
+def safe_unordered_list(value):
+    return filters.unordered_list(value, autoescape=True)
+
+
 class AggregatesTable(tables.DataTable):
     name = tables.Column("name",
                          verbose_name=_("Name"))
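Review bot: `safe_unordered_list` in this hunk carries no docstring, so the only explanation of why the wrapper exists (per the commit message, autoescaping is not applied by default when the filter is called from a table rather than a template) lives outside the code; add a one-line docstring saying that table columns do not pass `autoescape`, so it must be forced to `True` here. Since the same pattern applies to any column that passes `filters.unordered_list` directly, and this patch touches only `admin/info/tables.py`, consider moving the helper to a shared module so other tables can reuse it instead of each growing a private copy; `functools.partial(filters.unordered_list, autoescape=True)` would also do the job without a new function body.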
@@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
     hosts = tables.Column(get_hosts,
                           verbose_name=_("Hosts"),
                           wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
     metadata = tables.Column(get_metadata,
                              verbose_name=_("Metadata"),
                              wrap_list=True,
-                             filters=(filters.unordered_list,))
+                             filters=(safe_unordered_list,))
 
     class Meta:
         name = "aggregates"
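Review bot: the diffstat lists only `tables.py`, so no test accompanies this change and nothing prevents a later edit from reverting `hosts` or `metadata` to `filters.unordered_list`; add a unit test that renders `AggregatesTable` with a host entry and a metadata value containing `<script>` (both columns are built from the aggregate object, the latter from `aggregate.metadata` in `get_metadata`) and asserts the output contains `&lt;script&gt;` rather than the raw tag. The swap itself is correct for both columns, and `wrap_list=True` is unchanged, so the fix affects only the per-item escaping.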
-- 
1.7.9.5
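The commit message above states the root cause in one sentence: when `unordered_list` is used as a Horizon table column filter rather than in a template, autoescaping is not applied. The following is an added example, not Horizon or Django code, that models that failure mode in plain Python so the before/after behaviour can be checked offline. `unordered_list_stub` is an assumed, deliberately simplified stand-in for Django's filter of that era (it reproduces only the "escape only when `autoescape` is truthy" behaviour, not nested lists), `apply_filters` models a table column calling each filter as `filter(value)` with no `autoescape` argument, and the metadata strings are constructed sample data whose `key=value` format is an assumption, not the format `get_metadata` actually produces.

```python
"""Added example (not Horizon/Django code): how a needs_autoescape filter
leaks raw HTML when a table calls it without autoescape, and how the
safe_unordered_list wrapper from the patch closes that gap."""
from html import escape
from typing import Callable, Iterable, List, Optional


def unordered_list_stub(value: Iterable[str], autoescape: Optional[bool] = None) -> str:
    """Assumed stand-in for Django's unordered_list filter of the time:
    items are escaped only when the caller passes a truthy autoescape."""
    escaper = escape if autoescape else (lambda s: s)
    return "\n".join("<li>%s</li>" % escaper(item) for item in value)


def safe_unordered_list(value):
    """Same shape as the helper the patch adds: force autoescape on."""
    return unordered_list_stub(value, autoescape=True)


def apply_filters(value, filters: Iterable[Callable]) -> str:
    """Models a Horizon Column running its `filters` tuple: each filter is
    called as a plain filter(value), so no autoescape flag is ever passed."""
    for f in filters:
        value = f(value)
    return value


def render_list_column(items: List[str], filters) -> str:
    """Models a wrap_list=True column: filter output wrapped in <ul>."""
    return "<ul>%s</ul>" % apply_filters(items, filters)


# Constructed sample aggregate metadata; the key=value layout is an assumption.
SAMPLE_METADATA = ["ssd=true", "note=<script>alert(1)</script>"]


def vulnerable_render() -> str:
    """Pre-patch wiring: filters=(filters.unordered_list,)."""
    return render_list_column(SAMPLE_METADATA, (unordered_list_stub,))


def fixed_render() -> str:
    """Post-patch wiring: filters=(safe_unordered_list,)."""
    return render_list_column(SAMPLE_METADATA, (safe_unordered_list,))


def contains_raw_script(rendered: str) -> bool:
    """True when an unescaped <script> tag survived into the markup."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render())
    print("fixed:     ", fixed_render())
```

The point the stub makes is structural rather than Django-specific: any filter that relies on a caller-supplied `autoescape` flag is unsafe in a code path that does not supply it, so the wrapper fixes the call site rather than the data. A regression test of the kind the patch lacks would assert, as below, that the fixed rendering never contains a raw `<script>` tag.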