[python-django-horizon] XSS vulnerability in Horizon log viewer (CVE-2012-2094)
Pádraig Brady
pbrady at fedoraproject.org
Tue Apr 17 18:44:49 UTC 2012
commit 7c6b151784c6ea144ff82d7dfe52b3a4a5ef0e21
Author: Pádraig Brady <P at draigBrady.com>
Date: Tue Apr 17 19:17:54 2012 +0100
XSS vulnerability in Horizon log viewer (CVE-2012-2094)
python-django-horizon.spec | 7 ++++++-
xss-in-log-viewer.patch | 23 +++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index 273b636..8bba655 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -10,7 +10,7 @@
Name: python-django-horizon
Version: 2012.1
-Release: 1%{?dist}
+Release: 2%{?dist}
#Release: 0.1.%{?release_letter}%{milestone}%{?dist}
Summary: Django application for talking to Openstack
@@ -27,6 +27,7 @@ Source1: openstack-dashboard.conf
Patch1: %{name}-disable-debug.patch
Patch2: %{name}-default-db.patch
+Patch3: xss-in-log-viewer.patch
Requires: Django >= 1.3.0
Requires: openstack-glance >= 2012.1
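Review bot: the new patch breaks the file-naming convention used by Patch1 and Patch2 (`%{name}-disable-debug.patch`, `%{name}-default-db.patch`); naming it something like `%{name}-CVE-2012-2094-xss-in-log-viewer.patch` keeps the spec consistent and makes the CVE visible in the source tree without opening the patch header.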
@@ -90,6 +91,7 @@ Documentation for the Django Horizon application for talking with Openstack
%prep
%setup -q -n horizon-%{version}
%patch1 -p1
+%patch3 -p1
%build
%{__python} setup.py build
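Review bot: `%patch3 -p1` is applied here but `%patch2` never is, even though Patch2 (`%{name}-default-db.patch`) is declared in the Patch list above; if leaving default-db.patch unapplied is intentional, a one-line comment in %prep would save the next reader from wondering whether it was dropped by mistake. The `-p1` strip level is correct for this patch, since xss-in-log-viewer.patch uses `a/horizon/...` and `b/horizon/...` paths.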
@@ -139,6 +141,9 @@ python %{_datadir}/openstack-dashboard/manage.py collectstatic --noinput >/dev/n
%doc html
%changelog
+* Tue Apr 17 2012 Pádraig Brady <P at draigBrady.com> - 2012.1-2
+- CVE-2012-2094 XSS vulnerability in Horizon log viewer
+
* Mon Apr 09 2012 Cole Robinson <crobinso at redhat.com> - 2012.1-1
- Update to essex final release
- Package manage.py (bz 808219)
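Review bot: the changelog entry names the CVE but not the upstream fix; adding the upstream commit id (4f1472171ed9ecad6606683d924e4d9e3962a1c8) or the bug number (977944) from the patch header makes it much easier to tell, on the next rebase, whether the patch is already included and can be dropped.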
diff --git a/xss-in-log-viewer.patch b/xss-in-log-viewer.patch
new file mode 100644
index 0000000..883d3ea
--- /dev/null
+++ b/xss-in-log-viewer.patch
@@ -0,0 +1,23 @@
+commit 4f1472171ed9ecad6606683d924e4d9e3962a1c8
+Author: J. Daniel Schmidt <jdsn at suse.de>
+Date: Tue Apr 10 14:56:37 2012 +0200
+
+ html escape the console log in refresh
+
+ fixes bug 977944
+
+ Change-Id: I89089155d1083332d02ae9039898227cbab42d07
+
+diff --git a/horizon/static/horizon/js/horizon.js b/horizon/static/horizon/js/horizon.js
+index 8cf2be5..c47364a 100644
+--- a/horizon/static/horizon/js/horizon.js
++++ b/horizon/static/horizon/js/horizon.js
+@@ -284,7 +284,7 @@ var Horizon = function() {
+ data: data,
+ method: 'get',
+ success: function(response_body) {
+- $('pre.logs').html(response_body);
++ $('pre.logs').text(response_body);
+ },
+ error: function(response) {
+ if(via_user_submit) {
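Review bot: replacing `$('pre.logs').html(response_body)` with `.text(response_body)` is the right fix for this hunk, since the response body is raw instance console output and must never be parsed as markup, but as the commit message says it only covers the AJAX refresh path; the initial server-rendered contents of `pre.logs` are not touched by this patch, so it is worth confirming that the template producing them relies on Django autoescaping (no `|safe` or `mark_safe` on the log text) so the same log content is not injected on first page load. The full upstream commit header embedded in the patch is good for provenance and should be kept.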