diff -r 535eb53d63d5 -r fa4a58170e16 components/openstack/horizon/patches/19-CVE-2016-4428.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/19-CVE-2016-4428.patch Fri Jul 15 08:40:02 2016 -0700
@@ -0,0 +1,94 @@
+Patch taken from https://review.openstack.org/329997 (Liberty) and
+slightly modified to adjust for gpatch fuzz for application to Kilo.
+
+From d585e5eb9acf92d10d39b6c2038917a7e8ac71bb Mon Sep 17 00:00:00 2001
+From: Richard Jones
+Date: Tue, 3 May 2016 15:51:49 +1000
+Subject: [PATCH] Escape angularjs templating in unsafe HTML
+
+This code extends the unsafe (typically user-supplied) HTML escape
+built into Django to also escape angularjs templating markers. Safe
+HTML will be unaffected.
+
+Closes-bug: 1567673
+Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
+(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
+---
+ horizon/utils/escape.py | 31 +++++++++++++++++++++++++++++++
+ openstack_dashboard/settings.py | 3 +++
+ openstack_dashboard/test/settings.py | 6 ++++++
+ 3 files changed, 40 insertions(+)
+ create mode 100644 horizon/utils/escape.py
+
+diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
+new file mode 100644
+index 0000000..471a90f
+--- /dev/null
++++ b/horizon/utils/escape.py
+@@ -0,0 +1,31 @@
++# Copyright 2016, Rackspace, US, Inc.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import django.utils.html
++
++
++def escape(text, existing=django.utils.html.escape):
++ # Replace our angular markup string with a different string
++ # (which just happens to be the Django comment string)
++ # this prevents user-supplied data from being intepreted in
++ # our pages by angularjs, thus preventing it from being used
++ # for XSS attacks. Note that we use {$ $} instead of the
++ # standard {{ }} - this is configured in horizon.framework
++ # angularjs module through $interpolateProvider
++ return existing(text).replace('{$', '{%').replace('$}', '%}')
++
++
++# this will be invoked as early as possible in settings.py
++def monkeypatch_escape():
++ django.utils.html.escape = escape
+diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
+index 5761a91..803b079 100644
+--- a/openstack_dashboard/settings.py
++++ b/openstack_dashboard/settings.py
+@@ -27,6 +27,9 @@ from openstack_dashboard import exceptions
+ from openstack_dashboard import exceptions
+ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+
++from horizon.utils.escape import monkeypatch_escape
++
++monkeypatch_escape()
+
+ warnings.formatwarning = lambda message, category, *args, **kwargs: \
+ '%s: %s' % (category.__name__, message)
+diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
+index 1926644..45f1d06 100644
+--- a/openstack_dashboard/test/settings.py
++++ b/openstack_dashboard/test/settings.py
+@@ -17,6 +17,12 @@ from openstack_dashboard import exceptions
+ from openstack_dashboard import exceptions
+ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+
++from horizon.utils.escape import monkeypatch_escape
++
++# this is used to protect from client XSS attacks, but it's worth
++# enabling in our test setup to find any issues it might cause
++monkeypatch_escape()
++
+ STATICFILES_DIRS = get_staticfiles_dirs()
+
+ TEST_DIR = os.path.dirname(os.path.abspath(__file__))
+-- 
+1.9.1
+
+
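Review bot: `monkeypatch_escape()` only rebinds the `django.utils.html.escape` module attribute, so any module that already did `from django.utils.html import escape` before settings.py calls `monkeypatch_escape()` keeps an unpatched reference; the "invoked as early as possible" comment hints at this but does not say why, and nothing in the patch checks the ordering. I would make the contract explicit above `monkeypatch_escape`: `# Must run before anything imports escape by name; modules that already hold a reference to the original keep calling it.` The default argument `existing=django.utils.html.escape` is evaluated at definition time, which is what stops the patched function from calling itself after the rebind, and deserves a one-line comment: `# bound at import time: captures Django's original escape, not our replacement`. `str.replace` on whatever `existing()` returns yields a plain `str`, so if Django's escape marks its result safe that marking is lost here and a later escape pass could double-escape already-escaped text — worth verifying against the Django version Kilo ships with. A small unit test asserting `escape('{$ x $}') == '{% x %}'` and that ordinary HTML-escaped output is unchanged would pin the behaviour the CVE fix depends on.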