[python-django-horizon/el6-havana] Fix CVE 2013-6406 (RHBZ#1035914)

Matthias Runge mrunge at fedoraproject.org
Mon Dec 2 11:01:24 UTC 2013


commit 3769cbc00fc2a413c623f848d810985646e90527
Author: Matthias Runge <mrunge at redhat.com>
Date:   Mon Dec 2 11:59:30 2013 +0100

    Fix CVE 2013-6406 (RHBZ#1035914)

 ...escaping-strings-from-Nova-before-display.patch |   74 ++++++++++++++++++++
 python-django-horizon.spec                         |    2 +
 2 files changed, 76 insertions(+), 0 deletions(-)
---
diff --git a/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch b/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
new file mode 100644
index 0000000..011bffe
--- /dev/null
+++ b/0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
@@ -0,0 +1,74 @@
+From e3b02de5cc88fd4a4f3ef48ad4b11ef353c730f8 Mon Sep 17 00:00:00 2001
+From: Rob Raymond <rob.raymond at hp.com>
+Date: Mon, 4 Nov 2013 12:12:40 -0700
+Subject: [PATCH] Fix bug by escaping strings from Nova before displaying them
+
+Fixes bug #1247675
+
+Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+(cherry picked from commit b8ff4804e11fb64a49d1c3f2811cece6494ad82d)
+---
+ .../project/images_and_snapshots/volume_snapshots/tables.py       | 2 ++
+ openstack_dashboard/dashboards/project/volumes/tables.py          | 8 ++++----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 17008f5..e5a3c69 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -15,6 +15,7 @@
+ #    under the License.
+ 
+ from django.core.urlresolvers import reverse  # noqa
++from django.utils import html
+ from django.utils.http import urlencode  # noqa
+ from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+         volume = snapshot._volume
+         if volume:
+             volume_name = volume.display_name or volume.id
++            volume_name = html.escape(volume_name)
+         else:
+             volume_name = _("Unknown")
+         return safestring.mark_safe(volume_name)
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index c84bf00..f993f18 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -17,7 +17,7 @@
+ from django.core.urlresolvers import NoReverseMatch  # noqa
+ from django.core.urlresolvers import reverse  # noqa
+ from django.template.defaultfilters import title  # noqa
+-from django.utils.html import strip_tags  # noqa
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.translation import string_concat  # noqa
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):
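Review bot: The `NoReverseMatch` fallback in get_attachment_name still returns the raw Nova-supplied name (`instance = name`, the line after the escaped anchor), and AttachmentColumn then substitutes that value into `link % vals` and wraps the result in `safestring.mark_safe(...)`, so a name containing markup is still rendered unescaped whenever the detail URL cannot be reversed; the fallback should read `instance = html.escape(name)` so both branches return escaped text. Separately, AttachmentsTable.get_object_display now applies `html.escape` to the value get_attachment_name returns, which on the success path is the full `<a href=...>` anchor, so the display string will carry literal escaped tag text (and a doubly escaped name) where `strip_tags` previously reduced it to the name alone; keeping `strip_tags(instance_name)` on that line, or escaping only the plain name, preserves the intended display. The enclosing functions in the volumes/tables.py hunks start outside the shown lines, so the rendering path described here is inferred from the visible `mark_safe` call and the anchor construction.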
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index fb23780..ddaef47 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -32,6 +32,7 @@ Patch0007: 0007-move-SECRET_KEY-secret_key_store-to-tmp.patch
 Patch0008: 0008-fix-up-issues-with-customization.patch
 Patch0009: 0009-do-not-truncate-the-logo-related-rhbz-877138.patch
 Patch0010: 0010-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+Patch0011: 0011-Fix-bug-by-escaping-strings-from-Nova-before-display.patch
 
 
 
@@ -166,6 +167,7 @@ Customization module for OpenStack Dashboard to provide a branded logo.
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
+%patch0011 -p1
 
 # remove unnecessary .po files
 find . -name "django*.po" -exec rm -f '{}' \;

