diff options
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/horizon/ChangeLog | 9 | ||||
-rw-r--r-- | www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch | 163 | ||||
-rw-r--r-- | www-apps/horizon/horizon-2014.1.1-r1.ebuild (renamed from www-apps/horizon/horizon-2014.1.1.ebuild) | 7 |
3 files changed, 177 insertions, 2 deletions
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog index 31b98f2b45df..792a176efd6d 100644 --- a/www-apps/horizon/ChangeLog +++ b/www-apps/horizon/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for www-apps/horizon # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.29 2014/06/16 03:39:52 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.30 2014/07/08 16:09:14 prometheanfire Exp $ + +*horizon-2014.1.1-r1 (08 Jul 2014) + + 08 Jul 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/2014.1.1-CVE-2014-3473.patch, +horizon-2014.1.1-r1.ebuild, + -horizon-2014.1.1.ebuild: + fixing xss CVE-2014-3473 not vulnerable now, kthnx *horizon-2014.1.1 (16 Jun 2014) diff --git a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch new file mode 100644 index 000000000000..7ab9bebb3364 --- /dev/null +++ b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch @@ -0,0 +1,163 @@ +From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001 +From: Julie Pichon <jpichon@redhat.com> +Date: Thu, 22 May 2014 16:45:03 +0100 +Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities. + + * Ensure user emails are properly escaped + +User emails in the Users and Groups panel are being passed through the +urlize filter to transform them into clickable links. However, urlize +expects input to be already escaped and safe. We should make sure to +escape the strings first as email addresses are not validated and can +contain any type of string. + +Closes-Bug: #1320235 + + * Ensure network names are properly escaped in the Launch Instance menu + +Closes-Bug: #1322197 + + * Escape the URLs generated for the Horizon tables + +When generating the Horizon tables, there was an assumption that only +the anchor text needed to be escaped. However some URLs are generated +based on user-provided data and should be escaped as well. Also escape +the link attributes for good measure. + + * Use 'reverse' to generate the Resource URLs in the stacks tables + +Closes-Bug: #1308727 + +Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e +--- + horizon/static/horizon/js/horizon.instances.js | 9 ++++++++- + horizon/tables/base.py | 4 +++- + openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++- + openstack_dashboard/dashboards/admin/users/tables.py | 4 +++- + openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++-- + openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++ + 6 files changed, 29 insertions(+), 6 deletions(-) + +diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js +index e8e9353..d4ef8a0 100644 +--- a/horizon/static/horizon/js/horizon.instances.js ++++ b/horizon/static/horizon/js/horizon.instances.js +@@ -51,8 +51,15 @@ horizon.instances = { + $(this.get_network_element("")).each(function(){ + var $this = $(this); + var $input = $this.children("input"); ++ var name = $this.text().replace(/^\s+/,"") ++ .replace(/&/g, '&') ++ .replace(/</g, '<') ++ .replace(/>/g, '>') ++ .replace(/"/g, '"') ++ .replace(/'/g, ''') ++ .replace(/\//g, '/'); + var network_property = { +- name:$this.text().replace(/^\s+/,""), ++ name:name, + id:$input.attr("id"), + value:$input.attr("value") + }; +diff --git a/horizon/tables/base.py b/horizon/tables/base.py +index 10aaa98..4aceb81 100644 +--- a/horizon/tables/base.py ++++ b/horizon/tables/base.py +@@ -676,7 +676,9 @@ class Cell(html.HTMLElement): + link_classes = ' '.join(self.column.link_classes) + # Escape the data inside while allowing our HTML to render + data = mark_safe('<a href="%s" class="%s">%s</a>' % +- (self.url, link_classes, escape(unicode(data)))) ++ (escape(self.url), ++ escape(link_classes), ++ escape(unicode(data)))) + return data + + @property +diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py +index 1f32da2..286c22b 100644 +--- a/openstack_dashboard/dashboards/admin/groups/tables.py ++++ b/openstack_dashboard/dashboards/admin/groups/tables.py +@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction): + class UsersTable(tables.DataTable): + name = tables.Column('name', verbose_name=_('User Name')) + email = tables.Column('email', verbose_name=_('Email'), +- filters=[defaultfilters.urlize]) ++ filters=[defaultfilters.escape, ++ defaultfilters.urlize]) + id = tables.Column('id', verbose_name=_('User ID')) + enabled = tables.Column('enabled', verbose_name=_('Enabled'), + status=True, +diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py +index b2032c4..9c6dc04 100644 +--- a/openstack_dashboard/dashboards/admin/users/tables.py ++++ b/openstack_dashboard/dashboards/admin/users/tables.py +@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable): + email = tables.Column('email', verbose_name=_('Email'), + filters=(lambda v: defaultfilters + .default_if_none(v, ""), +- defaultfilters.urlize)) ++ defaultfilters.escape, ++ defaultfilters.urlize) ++ ) + # Default tenant is not returned from Keystone currently. + #default_tenant = tables.Column('default_tenant', + # verbose_name=_('Default Project')) +diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py +index e5f829a..1174746 100644 +--- a/openstack_dashboard/dashboards/project/stacks/tables.py ++++ b/openstack_dashboard/dashboards/project/stacks/tables.py +@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable): + ChangeStackTemplate) + + ++def get_resource_url(obj): ++ return urlresolvers.reverse('horizon:project:stacks:resource', ++ args=(obj.stack_id, obj.resource_name)) ++ ++ + class EventsTable(tables.DataTable): + + logical_resource = tables.Column('resource_name', + verbose_name=_("Stack Resource"), +- link=lambda d: d.resource_name,) ++ link=get_resource_url) + physical_resource = tables.Column('physical_resource_id', + verbose_name=_("Resource"), + link=mappings.resource_to_url) +@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable): + + logical_resource = tables.Column('resource_name', + verbose_name=_("Stack Resource"), +- link=lambda d: d.resource_name) ++ link=get_resource_url) + physical_resource = tables.Column('physical_resource_id', + verbose_name=_("Resource"), + link=mappings.resource_to_url) +diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py +index c68464a..976541a 100644 +--- a/openstack_dashboard/dashboards/project/stacks/tabs.py ++++ b/openstack_dashboard/dashboards/project/stacks/tabs.py +@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab): + stack_identifier = '%s/%s' % (stack.stack_name, stack.id) + events = api.heat.events_list(self.request, stack_identifier) + LOG.debug('got events %s' % events) ++ # The stack id is needed to generate the resource URL. ++ for event in events: ++ event.stack_id = stack.id + except Exception: + events = [] + messages.error(request, _( +@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab): + stack_identifier = '%s/%s' % (stack.stack_name, stack.id) + resources = api.heat.resources_list(self.request, stack_identifier) + LOG.debug('got resources %s' % resources) ++ # The stack id is needed to generate the resource URL. ++ for r in resources: ++ r.stack_id = stack.id + except Exception: + resources = [] + messages.error(request, _( +-- +1.8.5.5 + diff --git a/www-apps/horizon/horizon-2014.1.1.ebuild b/www-apps/horizon/horizon-2014.1.1-r1.ebuild index c1f4be7e6f80..82cfcbfaaf03 100644 --- a/www-apps/horizon/horizon-2014.1.1.ebuild +++ b/www-apps/horizon/horizon-2014.1.1-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1.ebuild,v 1.1 2014/06/16 03:39:52 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1-r1.ebuild,v 1.1 2014/07/08 16:09:14 prometheanfire Exp $ EAPI=5 PYTHON_COMPAT=( python2_7 ) @@ -41,6 +41,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}] >=dev-python/django-compressor-1.3[${PYTHON_USEDEP}] >=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}] >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}] + >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}] >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}] >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}] >=dev-python/lesscpy-0.9j[${PYTHON_USEDEP}] @@ -59,6 +60,10 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}] >=dev-python/pytz-2010h[${PYTHON_USEDEP}] >=dev-python/six-1.5.2[${PYTHON_USEDEP}]" +PATCHES=( + "${FILESDIR}/2014.1.1-CVE-2014-3473.patch" +) + src_test() { ./run_tests.sh -N --coverage } |