24301089 problem in SERVICE/HORIZON
authorDrew Fisher <drew.fisher@oracle.com>
Fri, 15 Jul 2016 08:40:02 -0700
changeset 6418 2a0fae99277a
parent 6416 99d76bb5892c
child 6419 c11c56158669
24301089 problem in SERVICE/HORIZON
components/openstack/horizon/horizon.p5m
components/openstack/horizon/patches/19-CVE-2016-4428.patch
--- a/components/openstack/horizon/horizon.p5m	Thu Jul 14 23:05:42 2016 -0700
+++ b/components/openstack/horizon/horizon.p5m	Fri Jul 15 08:40:02 2016 -0700
@@ -287,6 +287,7 @@
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/templatetags/truncate_filter.py
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/__init__.py
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/csvbase.py
+file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/escape.py
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/filters.py
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/functions.py
 file path=usr/lib/python$(PYVER)/vendor-packages/horizon/utils/html.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/19-CVE-2016-4428.patch	Fri Jul 15 08:40:02 2016 -0700
@@ -0,0 +1,94 @@
+Patch taken from https://review.openstack.org/329997 (Liberty) and
+slightly modified to adjust for gpatch fuzz for application to Kilo.
+
+From d585e5eb9acf92d10d39b6c2038917a7e8ac71bb Mon Sep 17 00:00:00 2001
+From: Richard Jones <[email protected]>
+Date: Tue, 3 May 2016 15:51:49 +1000
+Subject: [PATCH] Escape angularjs templating in unsafe HTML
+
+This code extends the unsafe (typically user-supplied) HTML escape
+built into Django to also escape angularjs templating markers. Safe
+HTML will be unaffected.
+
+Closes-bug: 1567673
+Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
+(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
+---
+ horizon/utils/escape.py              | 31 +++++++++++++++++++++++++++++++
+ openstack_dashboard/settings.py      |  3 +++
+ openstack_dashboard/test/settings.py |  6 ++++++
+ 3 files changed, 40 insertions(+)
+ create mode 100644 horizon/utils/escape.py
+
+diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
+new file mode 100644
+index 0000000..471a90f
+--- /dev/null
++++ b/horizon/utils/escape.py
[email protected]@ -0,0 +1,31 @@
++# Copyright 2016, Rackspace, US, Inc.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import django.utils.html
++
++
++def escape(text, existing=django.utils.html.escape):
++    # Replace our angular markup string with a different string
++    # (which just happens to be the Django comment string)
++    # this prevents user-supplied data from being intepreted in
++    # our pages by angularjs, thus preventing it from being used
++    # for XSS attacks. Note that we use {$ $} instead of the
++    # standard {{ }} - this is configured in horizon.framework
++    # angularjs module through $interpolateProvider
++    return existing(text).replace('{$', '{%').replace('$}', '%}')
++
++
++# this will be invoked as early as possible in settings.py
++def monkeypatch_escape():
++    django.utils.html.escape = escape
+diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
+index 5761a91..803b079 100644
+--- a/openstack_dashboard/settings.py
++++ b/openstack_dashboard/settings.py
[email protected]@ -27,6 +27,9 @@ from openstack_dashboard import exceptions
+ from openstack_dashboard import exceptions
+ from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
+ 
++from horizon.utils.escape import monkeypatch_escape
++
++monkeypatch_escape()
+ 
+ warnings.formatwarning = lambda message, category, *args, **kwargs: \
+     '%s: %s' % (category.__name__, message)
+diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
+index 1926644..45f1d06 100644
+--- a/openstack_dashboard/test/settings.py
++++ b/openstack_dashboard/test/settings.py
[email protected]@ -17,6 +17,12 @@ from openstack_dashboard import exceptions
+ from openstack_dashboard import exceptions
+ from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
+ 
++from horizon.utils.escape import monkeypatch_escape
++
++# this is used to protect from client XSS attacks, but it's worth
++# enabling in our test setup to find any issues it might cause
++monkeypatch_escape()
++
+ STATICFILES_DIRS = get_staticfiles_dirs()
+ 
+ TEST_DIR = os.path.dirname(os.path.abspath(__file__))
+-- 
+1.9.1
+
+
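Review bot: The default argument `existing=django.utils.html.escape` in `escape()` is load-bearing and undocumented: it binds Django's original function at definition time, so after `monkeypatch_escape()` rebinds `django.utils.html.escape` the wrapper still calls the original instead of recursing into itself. A comment above the `def`, such as `# 'existing' is bound at import time on purpose: it keeps Django's original escape so the wrapper does not recurse once monkeypatch_escape() rebinds the module attribute`, would stop a later cleanup to a plain call from breaking it. The in-file comment also describes `{% %}` as "the Django comment string"; in Django templates `{# #}` is the comment delimiter and `{% %}` the block-tag delimiter, so the comment should instead say the replacement only turns the `{$ $}` interpolation markers into a sequence the horizon angular module does not interpolate. Rebinding the module attribute only reaches callers that resolve `django.utils.html.escape` at call time; any module that did `from django.utils.html import escape` before settings.py ran presumably keeps the original, which is why the call sits as early as possible in both settings.py hunks and is worth stating there (`# must run before anything imports escape by name`).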