19468547 problem in SERVICE/HORIZON
authorDrew Fisher <drew.fisher@oracle.com>
Wed, 20 Aug 2014 13:45:40 -0600
changeset 2055 3531d9b89148
parent 2054 5f403d9bcaad
child 2056 437eb2339be5
19468547 problem in SERVICE/HORIZON
components/openstack/horizon/patches/13-CVE-2014-3594.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/13-CVE-2014-3594.patch	Wed Aug 20 13:45:40 2014 -0600
@@ -0,0 +1,49 @@
+Upstream patch to fix CVE-2014-3594.  This will be fixed in future
+2013.2.4 and 2014.1.3 releases.
+
+From 96c6cdaa084857b82b9681378d5d3a6a4732015e Mon Sep 17 00:00:00 2001
+From: Julie Pichon <[email protected]>
+Date: Thu, 7 Aug 2014 12:01:56 +0100
+Subject: [PATCH] Fix XSS issue with the unordered_list filter
+
+When using the unordered_list filter in a Horizon table (as opposed to
+a template directly), autoescaping is not set by default and the input
+wasn't sanitised.
+
+Closes-Bug: #1349491
+Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
+---
+ .../dashboards/admin/info/tables.py                |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/openstack_dashboard/dashboards/admin/info/tables.py b/openstack_dashboard/dashboards/admin/info/tables.py
+index d4f3fe7..a123fab 100644
+--- a/openstack_dashboard/dashboards/admin/info/tables.py
++++ b/openstack_dashboard/dashboards/admin/info/tables.py
+@@ -127,6 +127,10 @@ def get_metadata(aggregate):
+             in aggregate.metadata.iteritems()]
+ 
+ 
++def safe_unordered_list(value):
++    return filters.unordered_list(value, autoescape=True)
++
++
+ class AggregatesTable(tables.DataTable):
+     name = tables.Column("name",
+                          verbose_name=_("Name"))
+@@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
+     hosts = tables.Column(get_hosts,
+                           verbose_name=_("Hosts"),
+                           wrap_list=True,
+-                          filters=(filters.unordered_list,))
++                          filters=(safe_unordered_list,))
+     metadata = tables.Column(get_metadata,
+                              verbose_name=_("Metadata"),
+                              wrap_list=True,
+-                             filters=(filters.unordered_list,))
++                             filters=(safe_unordered_list,))
+ 
+     class Meta:
+         name = "aggregates"
+-- 
+1.7.9.5
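Review bot: The new `safe_unordered_list` wrapper in the nested hunk has no docstring, and the reason it exists (table column filters run outside Django's template rendering, so autoescaping is not applied unless forced) is stated only in the commit message, which is the first thing to get lost when this backport is rebased. Add a docstring such as `"""Wrap filters.unordered_list with autoescape forced on; table column filters run outside the template engine, so Django's autoescape is not applied to cell values."""` right under the `def` line. The fix covers only the two columns in admin/info/tables.py; any other `tables.Column` in the tree that passes `filters.unordered_list` directly would presumably still render unescaped, so it is worth grepping for that filter when applying this patch. The enclosing `AggregatesTable` class continues past the end of the nested hunk.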