# HG changeset patch
# User saurabh.vyas@oracle.com
# Date 1433914286 25200
# Node ID 5a11150c7d2ec47ef1f340dcb0c612fa64d58de2
# Parent 7fdc03aa284cd58491a1949341a01ba22c1a42c9
21203559 problem in SERVICE/HORIZON
diff -r 7fdc03aa284c -r 5a11150c7d2e components/openstack/horizon/patches/13-CVE-2015-3219.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/13-CVE-2015-3219.patch Tue Jun 09 22:31:26 2015 -0700
@@ -0,0 +1,47 @@
+Errata patch for CVE-2015-3219
+https://bugs.launchpad.net/horizon/+bug/1453074
+
+Fixed upstream and in a future release.
+-------
+From: lin-hua-cheng
+Date: Mon, 1 Jun 2015 17:55:00 -0700
+Subject: [PATCH] Escape the description param from heat template
+
+The heat template allows user to define custom parameters,
+the fields are then converted to input fields. The description
+param maps to the help_text attribute of the field.
+
+Since the value comes from the user, the value must be escaped
+before rendering.
+
+Change-Id: I79d540a8363b2507c4bccdc0cc38e283962919d2
+Closes-bug: #1453074
+---
+ openstack_dashboard/dashboards/project/stacks/forms.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/openstack_dashboard/dashboards/project/stacks/forms.py
+b/openstack_dashboard/dashboards/project/stacks/forms.py
+index 5ee01df..ba9e141 100644
+--- a/openstack_dashboard/dashboards/project/stacks/forms.py
++++ b/openstack_dashboard/dashboards/project/stacks/forms.py
+@@ -13,6 +13,7 @@
+ import json
+ import logging
+
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ from django.views.decorators.debug import sensitive_variables # noqa
+
+@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
+ field_args = {
+ 'initial': param.get('Default', None),
+ 'label': param.get('Label', param_key),
+- 'help_text': param.get('Description', ''),
++ 'help_text': html.escape(param.get('Description', '')),
+ 'required': param.get('Default', None) is None
+ }
+
+--
+1.9.1
+
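Review bot: In the same `field_args` literal, `'label': param.get('Label', param_key)` and `'initial': param.get('Default', None)` are read from the user-supplied template exactly like `Description`, yet only `help_text` is wrapped in `html.escape`; whether those two are rendered autoescaped depends on Django's widget rendering and Horizon's field template, neither of which this patch shows, so that should be confirmed rather than assumed before the errata is considered complete. The escaped line also carries no hint of why it differs from its neighbours, which invites a later "cleanup" that drops the call; a one-line comment such as `# Description is user-controlled; escape it before it reaches help_text (CVE-2015-3219)` above the `help_text` entry would anchor it. The `field_args` block belongs to a method of `CreateStackForm` that starts and ends outside the hunk.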