[python-django-horizon] Cherry-pick from master (CVE-2013-6406)

Matthias Runge mrunge at fedoraproject.org
Mon Dec 2 09:37:27 UTC 2013


commit b4354fd5e331b635aa7b288f374efcb1e42d24ab
Author: Matthias Runge <mrunge at redhat.com>
Date:   Mon Dec 2 10:34:29 2013 +0100

    Cherry-pick from master (CVE-2013-6406)
    
    Fix-bug-by-escaping-strings-from-Nova-before-display
    (CVE-2013-6406)

 ...-Don-t-access-the-net-while-building-docs.patch |    2 +-
 0002-disable-debug-move-web-root.patch             |    2 +-
 ...file-location-to-tmp-and-also-add-localho.patch |    2 +-
 ...-Add-a-customization-module-based-on-RHOS.patch |    2 +-
 ...oslo.sphinx-and-remove-local-copy-of-doc-.patch |    2 +-
 ...olicy-files-and-checks-to-etc-openstack-d.patch |    2 +-
 0007-move-SECRET_KEY-secret_key_store-to-tmp.patch |    2 +-
 0008-fix-up-issues-with-customization.patch        |    2 +-
 ...not-truncate-the-logo-related-rhbz-877138.patch |    2 +-
 ...T_KEYSTORE-to-var-lib-openstack-dashboard.patch |    2 +-
 ...escaping-strings-from-Nova-before-display.patch |   76 ++++++++++++++++++++
 python-django-horizon.spec                         |    7 ++-
 12 files changed, 92 insertions(+), 11 deletions(-)
---
diff --git a/0001-Don-t-access-the-net-while-building-docs.patch b/0001-Don-t-access-the-net-while-building-docs.patch
index a31e028..230c43c 100644
--- a/0001-Don-t-access-the-net-while-building-docs.patch
+++ b/0001-Don-t-access-the-net-while-building-docs.patch
@@ -1,4 +1,4 @@
-From 82bd61e0d9e3121507abf9acc51f5739e5bce22e Mon Sep 17 00:00:00 2001
+From 5aa18b349bc82432d0a55a0a0de1cab75f1f0256 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Fri, 5 Apr 2013 10:16:19 +0200
 Subject: [PATCH] Don't access the net while building docs (Note this hasn't
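Review bot: this hunk and the nine that follow (0001 through 0010) touch only the `From <sha>` header line of each backported patch; the patch bodies are unchanged, so the churn adds review noise without a functional change. Consider leaving the existing patch files as they are and adding only 0011, or regenerating all of them in a separate commit so the CVE fix stands alone.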
diff --git a/0002-disable-debug-move-web-root.patch b/0002-disable-debug-move-web-root.patch
index 253efec..73649e0 100644
--- a/0002-disable-debug-move-web-root.patch
+++ b/0002-disable-debug-move-web-root.patch
@@ -1,4 +1,4 @@
-From 9fbf589a1f2c3b1bb58566eac8963847a12f5b9f Mon Sep 17 00:00:00 2001
+From ca2e5852377a438a997bdb5c7da2489e2a312b5a Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Fri, 5 Apr 2013 10:07:53 +0200
 Subject: [PATCH] disable debug, move web root
diff --git a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
index 7c4aaaa..7538b75 100644
--- a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
+++ b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
@@ -1,4 +1,4 @@
-From 1ee6b707c9be851daf1e823b65926501e2438ac5 Mon Sep 17 00:00:00 2001
+From c767b5ecbde0729499dab5ea6cce842ebf221403 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 25 Jul 2013 11:32:38 +0200
 Subject: [PATCH] change lockfile location to '/tmp' and also add localhost to
diff --git a/0004-Add-a-customization-module-based-on-RHOS.patch b/0004-Add-a-customization-module-based-on-RHOS.patch
index e512b93..ba1f9e3 100644
--- a/0004-Add-a-customization-module-based-on-RHOS.patch
+++ b/0004-Add-a-customization-module-based-on-RHOS.patch
@@ -1,4 +1,4 @@
-From 739b10c814b688bbf79f648b63ac1c23d029d692 Mon Sep 17 00:00:00 2001
+From a589f3805381cabca1a3b66dddc1717483191c7e Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 14 Feb 2013 12:55:54 +0100
 Subject: [PATCH] Add a customization module based on RHOS
diff --git a/0005-Revert-Use-oslo.sphinx-and-remove-local-copy-of-doc-.patch b/0005-Revert-Use-oslo.sphinx-and-remove-local-copy-of-doc-.patch
index 9e17c01..0057127 100644
--- a/0005-Revert-Use-oslo.sphinx-and-remove-local-copy-of-doc-.patch
+++ b/0005-Revert-Use-oslo.sphinx-and-remove-local-copy-of-doc-.patch
@@ -1,4 +1,4 @@
-From 558cb56d4924b61e1b5d59be0a01c0c2196e475d Mon Sep 17 00:00:00 2001
+From d2be0ab6922c1133de4a5c98d9711745c5d6cecb Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Mon, 9 Sep 2013 13:51:19 +0200
 Subject: [PATCH] Revert "Use oslo.sphinx and remove local copy of doc theme"
diff --git a/0006-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch b/0006-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
index 52c95f1..967cfb6 100644
--- a/0006-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
+++ b/0006-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
@@ -1,4 +1,4 @@
-From 2691af274619bba80b69d9b82dc361b4753d9988 Mon Sep 17 00:00:00 2001
+From bd493f10d0387e9209f6b5bb155d18287af49901 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Mon, 9 Sep 2013 14:13:07 +0200
 Subject: [PATCH] move RBAC policy files and checks to /etc/openstack-dashboard
diff --git a/0007-move-SECRET_KEY-secret_key_store-to-tmp.patch b/0007-move-SECRET_KEY-secret_key_store-to-tmp.patch
index b17e09d..100fd00 100644
--- a/0007-move-SECRET_KEY-secret_key_store-to-tmp.patch
+++ b/0007-move-SECRET_KEY-secret_key_store-to-tmp.patch
@@ -1,4 +1,4 @@
-From a9e19f40c6e110f0a4096bb35727d6234bbe5059 Mon Sep 17 00:00:00 2001
+From 948386ba19d517ed7db5d687c6df0040bf0a1eb4 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Mon, 9 Sep 2013 20:52:51 +0200
 Subject: [PATCH] move SECRET_KEY secret_key_store to /tmp
diff --git a/0008-fix-up-issues-with-customization.patch b/0008-fix-up-issues-with-customization.patch
index 133f23a..70880fb 100644
--- a/0008-fix-up-issues-with-customization.patch
+++ b/0008-fix-up-issues-with-customization.patch
@@ -1,4 +1,4 @@
-From 5f76f2ac05c527e4ac0fb1efff93b7bf339aeb6b Mon Sep 17 00:00:00 2001
+From 7901d2b031e4aaa83850b72d84f91e3f718e20cf Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 19 Sep 2013 12:58:00 +0200
 Subject: [PATCH] fix up issues with customization
diff --git a/0009-do-not-truncate-the-logo-related-rhbz-877138.patch b/0009-do-not-truncate-the-logo-related-rhbz-877138.patch
index c5ff820..d93447d 100644
--- a/0009-do-not-truncate-the-logo-related-rhbz-877138.patch
+++ b/0009-do-not-truncate-the-logo-related-rhbz-877138.patch
@@ -1,4 +1,4 @@
-From 2359369ccfc585806600fd4b34127d514715853e Mon Sep 17 00:00:00 2001
+From e3014c15ec43eebe4b699ceccfd25f6e3c31e42a Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 19 Sep 2013 13:58:16 +0200
 Subject: [PATCH] do not truncate the logo (related rhbz 877138)
diff --git a/0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch b/0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
index 49ccacb..51910c5 100644
--- a/0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+++ b/0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
@@ -1,4 +1,4 @@
-From 8d6d4842c2eb7b50a1df290465790d8975f5c056 Mon Sep 17 00:00:00 2001
+From 3ce878cdd3b0b5a8cd66399acd4524bcdf6ac9f9 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Fri, 4 Oct 2013 09:46:36 +0200
 Subject: [PATCH] move SECRET_KEYSTORE to '/var/lib/openstack-dashboard'
diff --git a/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch b/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
new file mode 100644
index 0000000..b30a61a
--- /dev/null
+++ b/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
@@ -0,0 +1,76 @@
+From 32d1f38c68ed9ebc9c68bb178ee4ad7a15fd3c68 Mon Sep 17 00:00:00 2001
+From: Rob Raymond <rob.raymond at hp.com>
+Date: Mon, 4 Nov 2013 12:12:40 -0700
+Subject: [PATCH] Fix bug by escaping strings from Nova before displaying them
+
+Fixes bug #1247675
+
+(cherry-picked from commit b8ff480)
+Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+
+(cherry picked from commit 6179f70290783e55b10bbd4b3b7ee74db3f8ef70)
+---
+ .../project/images_and_snapshots/volume_snapshots/tables.py       | 2 ++
+ openstack_dashboard/dashboards/project/volumes/tables.py          | 8 ++++----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 17008f5..e5a3c69 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -15,6 +15,7 @@
+ #    under the License.
+ 
+ from django.core.urlresolvers import reverse  # noqa
++from django.utils import html
+ from django.utils.http import urlencode  # noqa
+ from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+         volume = snapshot._volume
+         if volume:
+             volume_name = volume.display_name or volume.id
++            volume_name = html.escape(volume_name)
+         else:
+             volume_name = _("Unknown")
+         return safestring.mark_safe(volume_name)
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index c84bf00..f993f18 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -17,7 +17,7 @@
+ from django.core.urlresolvers import NoReverseMatch  # noqa
+ from django.core.urlresolvers import reverse  # noqa
+ from django.template.defaultfilters import title  # noqa
+-from django.utils.html import strip_tags  # noqa
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.translation import string_concat  # noqa
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):
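Review bot: in the `AttachmentsTable.get_object_display` change at the end of this hunk, swapping `strip_tags(instance_name)` for `html.escape(instance_name)` escapes a value that `get_attachment_name` (earlier in the same hunk) already returns as `'<a href="%s">%s</a>' % (url, html.escape(name))`, so the display string ends up containing literal `&lt;a href=...&gt;` text and the server name escaped twice. `get_object_display` returns a plain string rather than a `mark_safe` value, so the original `strip_tags` (with its import restored) or escaping the raw server name is the right call there. Also note the inconsistency that `attachment["device"]` is escaped in the `AttachmentColumn` hunk, where the result is passed to `mark_safe`, but `attachment['device']` in `get_object_display` is not; that is only safe if the template auto-escapes the returned string.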
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index 7eb09b0..9b07316 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -1,6 +1,6 @@
 Name:       python-django-horizon
 Version:    2013.2
-Release:    3%{?dist}
+Release:    4%{?dist}
 Summary:    Django application for talking to Openstack
 
 Group:      Development/Libraries
@@ -32,6 +32,7 @@ Patch0007: 0007-move-SECRET_KEY-secret_key_store-to-tmp.patch
 Patch0008: 0008-fix-up-issues-with-customization.patch
 Patch0009: 0009-do-not-truncate-the-logo-related-rhbz-877138.patch
 Patch0010: 0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+Patch0011: 0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
 
 
 
@@ -165,6 +166,7 @@ Customization module for OpenStack Dashboard to provide a branded logo.
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
+%patch0011 -p1
 
 # remove unnecessary .po files
 find . -name "django*.po" -exec rm -f '{}' \;
@@ -329,6 +331,9 @@ sed -i 's:^SECRET_KEY =.*:SECRET_KEY = "badcafe":' openstack_dashboard/local/loc
 %{_datadir}/openstack-dashboard/openstack_dashboard_theme
 
 %changelog
+* Mon Dec 02 2013 Matthias Runge <mrunge at redhat.com> - 2013.2-4
+- fixes CVE-2013-6406 (rhbz#1035913)
+
 * Wed Nov 13 2013 Matthias Runge <mrunge at redhat.com> - 2013.2-3
 - add requirement python-pbr
 

