Diffstat (limited to 'www-apps')
-rw-r--r--www-apps/horizon/ChangeLog9
-rw-r--r--www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch163
-rw-r--r--www-apps/horizon/horizon-2014.1.1-r1.ebuild (renamed from www-apps/horizon/horizon-2014.1.1.ebuild)7
3 files changed, 177 insertions, 2 deletions
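--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for www-apps/horizon
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.29 2014/06/16 03:39:52 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.30 2014/07/08 16:09:14 prometheanfire Exp $
+
+*horizon-2014.1.1-r1 (08 Jul 2014)
+
+ 08 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.1-CVE-2014-3473.patch, +horizon-2014.1.1-r1.ebuild,
+ -horizon-2014.1.1.ebuild:
+ fixing xss CVE-2014-3473 not vulnerable now, kthnx
 *horizon-2014.1.1 (16 Jun 2014)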
diff --git a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
new file mode 100644
index 000000000000..7ab9bebb3364
--- /dev/null
+++ b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
@@ -0,0 +1,163 @@
+From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001
+From: Julie Pichon <jpichon@redhat.com>
+Date: Thu, 22 May 2014 16:45:03 +0100
+Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
+
+ * Ensure user emails are properly escaped
+
+User emails in the Users and Groups panel are being passed through the
+urlize filter to transform them into clickable links. However, urlize
+expects input to be already escaped and safe. We should make sure to
+escape the strings first as email addresses are not validated and can
+contain any type of string.
+
+Closes-Bug: #1320235
+
+ * Ensure network names are properly escaped in the Launch Instance menu
+
+Closes-Bug: #1322197
+
+ * Escape the URLs generated for the Horizon tables
+
+When generating the Horizon tables, there was an assumption that only
+the anchor text needed to be escaped. However some URLs are generated
+based on user-provided data and should be escaped as well. Also escape
+the link attributes for good measure.
+
+ * Use 'reverse' to generate the Resource URLs in the stacks tables
+
+Closes-Bug: #1308727
+
+Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
+---
+ horizon/static/horizon/js/horizon.instances.js | 9 ++++++++-
+ horizon/tables/base.py | 4 +++-
+ openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++-
+ openstack_dashboard/dashboards/admin/users/tables.py | 4 +++-
+ openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++--
+ openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++
+ 6 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
+index e8e9353..d4ef8a0 100644
+--- a/horizon/static/horizon/js/horizon.instances.js
++++ b/horizon/static/horizon/js/horizon.instances.js
+@@ -51,8 +51,15 @@ horizon.instances = {
+ $(this.get_network_element("")).each(function(){
+ var $this = $(this);
+ var $input = $this.children("input");
++ var name = $this.text().replace(/^\s+/,"")
++ .replace(/&/g, '&amp;')
++ .replace(/</g, '&lt;')
++ .replace(/>/g, '&gt;')
++ .replace(/"/g, '&quot;')
++ .replace(/'/g, '&#x27;')
++ .replace(/\//g, '&#x2F;');
+ var network_property = {
+- name:$this.text().replace(/^\s+/,""),
++ name:name,
+ id:$input.attr("id"),
+ value:$input.attr("value")
+ };
+diff --git a/horizon/tables/base.py b/horizon/tables/base.py
+index 10aaa98..4aceb81 100644
+--- a/horizon/tables/base.py
++++ b/horizon/tables/base.py
+@@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
+ link_classes = ' '.join(self.column.link_classes)
+ # Escape the data inside while allowing our HTML to render
+ data = mark_safe('<a href="%s" class="%s">%s</a>' %
+- (self.url, link_classes, escape(unicode(data))))
++ (escape(self.url),
++ escape(link_classes),
++ escape(unicode(data))))
+ return data
+
+ @property
+diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
+index 1f32da2..286c22b 100644
+--- a/openstack_dashboard/dashboards/admin/groups/tables.py
++++ b/openstack_dashboard/dashboards/admin/groups/tables.py
+@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
+ class UsersTable(tables.DataTable):
+ name = tables.Column('name', verbose_name=_('User Name'))
+ email = tables.Column('email', verbose_name=_('Email'),
+- filters=[defaultfilters.urlize])
++ filters=[defaultfilters.escape,
++ defaultfilters.urlize])
+ id = tables.Column('id', verbose_name=_('User ID'))
+ enabled = tables.Column('enabled', verbose_name=_('Enabled'),
+ status=True,
+diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
+index b2032c4..9c6dc04 100644
+--- a/openstack_dashboard/dashboards/admin/users/tables.py
++++ b/openstack_dashboard/dashboards/admin/users/tables.py
+@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
+ email = tables.Column('email', verbose_name=_('Email'),
+ filters=(lambda v: defaultfilters
+ .default_if_none(v, ""),
+- defaultfilters.urlize))
++ defaultfilters.escape,
++ defaultfilters.urlize)
++ )
+ # Default tenant is not returned from Keystone currently.
+ #default_tenant = tables.Column('default_tenant',
+ # verbose_name=_('Default Project'))
+diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
+index e5f829a..1174746 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tables.py
++++ b/openstack_dashboard/dashboards/project/stacks/tables.py
+@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
+ ChangeStackTemplate)
+
+
++def get_resource_url(obj):
++ return urlresolvers.reverse('horizon:project:stacks:resource',
++ args=(obj.stack_id, obj.resource_name))
++
++
+ class EventsTable(tables.DataTable):
+
+ logical_resource = tables.Column('resource_name',
+ verbose_name=_("Stack Resource"),
+- link=lambda d: d.resource_name,)
++ link=get_resource_url)
+ physical_resource = tables.Column('physical_resource_id',
+ verbose_name=_("Resource"),
+ link=mappings.resource_to_url)
+@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
+
+ logical_resource = tables.Column('resource_name',
+ verbose_name=_("Stack Resource"),
+- link=lambda d: d.resource_name)
++ link=get_resource_url)
+ physical_resource = tables.Column('physical_resource_id',
+ verbose_name=_("Resource"),
+ link=mappings.resource_to_url)
+diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
+index c68464a..976541a 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
++++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
+@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
+ stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
+ events = api.heat.events_list(self.request, stack_identifier)
+ LOG.debug('got events %s' % events)
++ # The stack id is needed to generate the resource URL.
++ for event in events:
++ event.stack_id = stack.id
+ except Exception:
+ events = []
+ messages.error(request, _(
+@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
+ stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
+ resources = api.heat.resources_list(self.request, stack_identifier)
+ LOG.debug('got resources %s' % resources)
++ # The stack id is needed to generate the resource URL.
++ for r in resources:
++ r.stack_id = stack.id
+ except Exception:
+ resources = []
+ messages.error(request, _(
+--
+1.8.5.5
+
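--- a/www-apps/horizon/horizon-2014.1.1.ebuild
+++ b/www-apps/horizon/horizon-2014.1.1-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1.ebuild,v 1.1 2014/06/16 03:39:52 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1-r1.ebuild,v 1.1 2014/07/08 16:09:14 prometheanfire Exp $
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -41,6 +41,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 >=dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
 >=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}]
 >=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
 >=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
 >=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
 >=dev-python/lesscpy-0.9j[${PYTHON_USEDEP}]
@@ -59,6 +60,10 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 >=dev-python/pytz-2010h[${PYTHON_USEDEP}]
 >=dev-python/six-1.5.2[${PYTHON_USEDEP}]"
+PATCHES=(
+ "${FILESDIR}/2014.1.1-CVE-2014-3473.patch"
+)
+
 src_test() {
 ./run_tests.sh -N --coverage
 }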
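Review bot: The new `>=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]` RDEPEND entry in the second hunk is unrelated to the CVE-2014-3473 fix that motivates this revision, and neither this ebuild nor the ChangeLog entry (which only says "fixing xss CVE-2014-3473") records why it was added; a one-line ChangeLog mention such as `also add missing runtime dependency on dev-python/httplib2` would keep the revision's scope traceable. The `PATCHES` array in the third hunk is only applied if the inherited eclass's src_prepare consumes it (presumably distutils-r1, given PYTHON_COMPAT, but the `inherit` line is outside the hunk); if this ebuild overrides src_prepare elsewhere, the array is silently ignored. Since an unapplied patch here would leave the installed package still exposed to the XSS this revision is meant to close, it is worth confirming the build log shows `2014.1.1-CVE-2014-3473.patch` being applied before the -r1 revision is keyworded.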