[python-django-horizon] XSS vulnerability in Horizon log viewer (CVE-2012-2094)

Pádraig Brady pbrady at fedoraproject.org
Tue Apr 17 18:44:49 UTC 2012


commit 7c6b151784c6ea144ff82d7dfe52b3a4a5ef0e21
Author: Pádraig Brady <P at draigBrady.com>
Date:   Tue Apr 17 19:17:54 2012 +0100

    XSS vulnerability in Horizon log viewer (CVE-2012-2094)

 python-django-horizon.spec |    7 ++++++-
 xss-in-log-viewer.patch    |   23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index 273b636..8bba655 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -10,7 +10,7 @@
 
 Name:       python-django-horizon
 Version:    2012.1
-Release:    1%{?dist}
+Release:    2%{?dist}
 #Release:    0.1.%{?release_letter}%{milestone}%{?dist}
 Summary:    Django application for talking to Openstack
 
@@ -27,6 +27,7 @@ Source1:    openstack-dashboard.conf
 
 Patch1:     %{name}-disable-debug.patch
 Patch2:     %{name}-default-db.patch
+Patch3:     xss-in-log-viewer.patch
 
 Requires:   Django >= 1.3.0
 Requires:   openstack-glance >= 2012.1
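Review bot: Style point on the new `Patch3:` line: the existing patches follow the `%{name}-<topic>.patch` naming convention (`%{name}-disable-debug.patch`, `%{name}-default-db.patch`), while the new one is the bare `xss-in-log-viewer.patch`. Consider `%{name}-CVE-2012-2094-xss-in-log-viewer.patch` so the file name carries both the package prefix and the CVE id that the changelog entry references.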
@@ -90,6 +91,7 @@ Documentation for the Django Horizon application for talking with Openstack
 %prep
 %setup -q -n horizon-%{version}
 %patch1 -p1
+%patch3 -p1
 
 %build
 %{__python} setup.py build
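Review bot: In this `%prep` hunk the visible context shows `%patch1 -p1` followed directly by the new `%patch3 -p1`, but no `%patch2 -p1` for the `Patch2: %{name}-default-db.patch` declared above. If Patch2 is applied elsewhere in the spec this is fine; if it is intentionally declared but not applied, a one-line comment next to the declaration would save the next reviewer the same question. The `-p1` level matches the `a/horizon/static/...` paths in the embedded patch, so the patch should apply cleanly inside `horizon-%{version}`.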
@@ -139,6 +141,9 @@ python %{_datadir}/openstack-dashboard/manage.py collectstatic --noinput >/dev/n
 %doc html
 
 %changelog
+* Tue Apr 17 2012 Pádraig Brady <P at draigBrady.com> - 2012.1-2
+- CVE-2012-2094 XSS vulnerability in Horizon log viewer
+
 * Mon Apr 09 2012 Cole Robinson <crobinso at redhat.com> - 2012.1-1
 - Update to essex final release
 - Package manage.py (bz 808219)
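Review bot: The new changelog entry names the CVE but not a bug reference, whereas the previous entry cites one in the `(bz 808219)` style. The embedded upstream commit says `fixes bug 977944`; citing that (or the Red Hat Bugzilla entry tracking the CVE, if one exists) in the same style would make the entry easier to trace from the package history.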
diff --git a/xss-in-log-viewer.patch b/xss-in-log-viewer.patch
new file mode 100644
index 0000000..883d3ea
--- /dev/null
+++ b/xss-in-log-viewer.patch
@@ -0,0 +1,23 @@
+commit 4f1472171ed9ecad6606683d924e4d9e3962a1c8
+Author: J. Daniel Schmidt <jdsn at suse.de>
+Date:   Tue Apr 10 14:56:37 2012 +0200
+
+    html escape the console log in refresh
+    
+    fixes bug 977944
+    
+    Change-Id: I89089155d1083332d02ae9039898227cbab42d07
+
+diff --git a/horizon/static/horizon/js/horizon.js b/horizon/static/horizon/js/horizon.js
+index 8cf2be5..c47364a 100644
+--- a/horizon/static/horizon/js/horizon.js
++++ b/horizon/static/horizon/js/horizon.js
+@@ -284,7 +284,7 @@ var Horizon = function() {
+         data: data,
+         method: 'get',
+         success: function(response_body) {
+-          $('pre.logs').html(response_body);
++          $('pre.logs').text(response_body);
+         },
+         error: function(response) {
+           if(via_user_submit) {
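Review bot: The one-line change from `$('pre.logs').html(response_body)` to `$('pre.logs').text(response_body)` is the correct fix for the log-viewer XSS: `.html()` hands the server response to the HTML parser, so any markup in a console log (which is instance-controlled content) would execute in the dashboard user's session, while `.text()` sets the element's text content and renders the same bytes literally. Two follow-ups worth checking before this ships: first, the `error:` handler just below the hunk receives a `response` object, and the visible lines do not show how its body is rendered, so confirm it does not take the same `.html()` path; second, the embedded patch carries trailing whitespace on the two blank lines of its commit message, which is harmless for `%patch3 -p1` but trips up tools that reject whitespace errors.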