[python-django-horizon/el6-havana] Rebased to 2013.2.3 and fixed CVE-2014-0157
Matthias Runge
mrunge at fedoraproject.org
Thu Apr 10 08:18:52 UTC 2014
commit 77b37529bf9aee15b612eaeae066695b4ea4444a
Author: Matthias Runge <mrunge at redhat.com>
Date: Thu Apr 10 09:40:59 2014 +0200
Rebased to 2013.2.3 and fixed CVE-2014-0157
...-Don-t-access-the-net-while-building-docs.patch | 2 +-
0002-disable-debug-move-web-root.patch | 2 +-
...file-location-to-tmp-and-also-add-localho.patch | 2 +-
...-Add-a-customization-module-based-on-RHOS.patch | 2 +-
...olicy-files-and-checks-to-etc-openstack-d.patch | 2 +-
...T_KEYSTORE-to-var-lib-openstack-dashboard.patch | 2 +-
...roduces-escaping-in-Horizon-Orchestration.patch | 139 ++++++++++++++++++++
python-django-horizon.spec | 1 +
8 files changed, 146 insertions(+), 6 deletions(-)
---
diff --git a/0001-Don-t-access-the-net-while-building-docs.patch b/0001-Don-t-access-the-net-while-building-docs.patch
index 1dc0e51..b3c01ad 100644
--- a/0001-Don-t-access-the-net-while-building-docs.patch
+++ b/0001-Don-t-access-the-net-while-building-docs.patch
@@ -1,4 +1,4 @@
-From 2ec34ddc2048b731fb4e768ba72648c690b904f3 Mon Sep 17 00:00:00 2001
+From f945b999b097f74783b910175d004579ca8e4919 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Fri, 5 Apr 2013 10:16:19 +0200
Subject: [PATCH] Don't access the net while building docs (Note this hasn't
diff --git a/0002-disable-debug-move-web-root.patch b/0002-disable-debug-move-web-root.patch
index 0bd8a20..a020b9c 100644
--- a/0002-disable-debug-move-web-root.patch
+++ b/0002-disable-debug-move-web-root.patch
@@ -1,4 +1,4 @@
-From 8eea285d375533640ff89af704d3d3316ccf8490 Mon Sep 17 00:00:00 2001
+From 4259ab6b64ae1fc6f5f14664fad981781e4280e3 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Fri, 5 Apr 2013 10:07:53 +0200
Subject: [PATCH] disable debug, move web root
diff --git a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
index 9c81fa1..67303f0 100644
--- a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
+++ b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
@@ -1,4 +1,4 @@
-From cb7088576dac83328e3e42dc0d37a40d98311846 Mon Sep 17 00:00:00 2001
+From f4bde71afb9b9ece56eed607061937f3d261c383 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Thu, 25 Jul 2013 11:32:38 +0200
Subject: [PATCH] change lockfile location to '/tmp' and also add localhost to
diff --git a/0004-Add-a-customization-module-based-on-RHOS.patch b/0004-Add-a-customization-module-based-on-RHOS.patch
index 7095888..fa1c459 100644
--- a/0004-Add-a-customization-module-based-on-RHOS.patch
+++ b/0004-Add-a-customization-module-based-on-RHOS.patch
@@ -1,4 +1,4 @@
-From 784b1755a6ff837e1b7c2c4e2b840b6597fc34d5 Mon Sep 17 00:00:00 2001
+From 33218f8ba3ba47209b92ffd5c5bdf7fdce9ae926 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Thu, 14 Feb 2013 12:55:54 +0100
Subject: [PATCH] Add a customization module based on RHOS
diff --git a/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch b/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
index 36adaa9..8876377 100644
--- a/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
+++ b/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
@@ -1,4 +1,4 @@
-From 3363133f606033863973456724037c075bb2f010 Mon Sep 17 00:00:00 2001
+From 499eaf237a6fb1b8e0233f59793d54827bfbf2e7 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Mon, 9 Sep 2013 14:13:07 +0200
Subject: [PATCH] move RBAC policy files and checks to /etc/openstack-dashboard
diff --git a/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch b/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
index c7721b7..8342e29 100644
--- a/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+++ b/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
@@ -1,4 +1,4 @@
-From 9a593f6774ef19d7cac5a270a72e788031bf25c8 Mon Sep 17 00:00:00 2001
+From 7f7882eb403c493cb857c0c7523e964ffd165c19 Mon Sep 17 00:00:00 2001
From: Matthias Runge <mrunge at redhat.com>
Date: Mon, 9 Sep 2013 20:52:51 +0200
Subject: [PATCH] move SECRET_KEYSTORE to '/var/lib/openstack-dashboard'
diff --git a/0007-Introduces-escaping-in-Horizon-Orchestration.patch b/0007-Introduces-escaping-in-Horizon-Orchestration.patch
new file mode 100644
index 0000000..da79f9d
--- /dev/null
+++ b/0007-Introduces-escaping-in-Horizon-Orchestration.patch
@@ -0,0 +1,139 @@
+From dc03d5ef5a1b588eb0ba041bf99d595ae0e89f5f Mon Sep 17 00:00:00 2001
+From: CristianFiorentino <cristian.fiorentino at intel.com>
+Date: Mon, 10 Mar 2014 17:36:31 -0300
+Subject: [PATCH] Introduces escaping in Horizon/Orchestration
+
+1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
+
+The "Description" parameter in a Heat template is used to populate
+a help_text tooltip in the dynamically generated Heat form. Bootstrap
+inserts this tooltip into the DOM using .html() which undoes any
+escaping we do in Django (it should be using .text()).
+
+This was fixed by forcing the help_text content to be escaped a second
+time. The issue itself is mitigated in bootstrap.js release 2.0.3
+(ours is currently 2.0.1).
+
+2) Properly escape untrusted Heat template 'outputs'
+
+The 'outputs' parameter in a Heat template was included in a Django
+template with HTML autoescaping turned off. Malicious HTML content
+could be included in a Heat template and would be rendered by Horizon
+when details about a created stack were displayed.
+
+This was fixed by not disabling autoescaping and explicitly escaping
+untrusted values in any strings that are later marked "safe" to render
+without further escaping.
+
+Conflicts:
+ openstack_dashboard/dashboards/project/stacks/mappings.py
+
+Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
+Closes-Bug: #1289033
+Co-Authored-By: Kieran Spear <kispear at gmail.com>
+---
+ horizon/templates/horizon/common/_form_fields.html | 7 ++++++-
+ .../dashboards/project/stacks/mappings.py | 10 ++++++++--
+ .../stacks/templates/stacks/_detail_overview.html | 3 +--
+ openstack_dashboard/dashboards/project/stacks/tests.py | 17 +++++++++++------
+ 4 files changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/horizon/templates/horizon/common/_form_fields.html b/horizon/templates/horizon/common/_form_fields.html
+index 3567614..f6fb98f 100644
+--- a/horizon/templates/horizon/common/_form_fields.html
++++ b/horizon/templates/horizon/common/_form_fields.html
+@@ -14,7 +14,12 @@
+ <span class="help-inline">{{ error }}</span>
+ {% endfor %}
+ {% endif %}
+- <span class="help-block">{{ field.help_text }}</span>
++ {% comment %}
++ Escape help_text a second time here, to avoid an XSS issue in bootstrap.js.
++ This can most likely be removed once we upgrade bootstrap.js past 2.0.2.
++ Note: the spaces are necessary here.
++ {% endcomment %}
++ <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span>
+ <div class="input">
+ {{ field }}
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/mappings.py b/openstack_dashboard/dashboards/project/stacks/mappings.py
+index 0353291..f1389c5 100644
+--- a/openstack_dashboard/dashboards/project/stacks/mappings.py
++++ b/openstack_dashboard/dashboards/project/stacks/mappings.py
+@@ -19,6 +19,8 @@ import urlparse
+
+ from django.core.urlresolvers import reverse # noqa
+ from django.template.defaultfilters import register # noqa
++from django.utils import html
++from django.utils import safestring
+
+ from openstack_dashboard.api import swift
+
+@@ -76,11 +78,15 @@ def stack_output(output):
+ if not output:
+ return u''
+ if isinstance(output, dict) or isinstance(output, list):
+- return u'<pre>%s</pre>' % json.dumps(output, indent=2)
++ json_string = json.dumps(output, indent=2)
++ safe_output = u'<pre>%s</pre>' % html.escape(json_string)
++ return safestring.mark_safe(safe_output)
+ if isinstance(output, basestring):
+ parts = urlparse.urlsplit(output)
+ if parts.netloc and parts.scheme in ('http', 'https'):
+- return u'<a href="%s" target="_blank">%s</a>' % (output, output)
++ url = html.escape(output)
++ safe_link = u'<a href="%s" target="_blank">%s</a>' % (url, url)
++ return safestring.mark_safe(safe_link)
+ return unicode(output)
+
+
+diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+index f4756e0..33fe783 100644
+--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
++++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+@@ -36,9 +36,8 @@
+ <dt>{{ output.output_key }}</dt>
+ <dd>{{ output.description }}</dd>
+ <dd>
+- {% autoescape off %}
+ {{ output.output_value|stack_output }}
+- {% endautoescape %}</dd>
++ </dd>
+ {% endfor %}
+ </dl>
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/tests.py b/openstack_dashboard/dashboards/project/stacks/tests.py
+index 408d86f..986e3e0 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tests.py
++++ b/openstack_dashboard/dashboards/project/stacks/tests.py
+@@ -16,6 +16,7 @@ import json
+
+ from django.core.urlresolvers import reverse # noqa
+ from django import http
++from django.utils import html
+
+ from mox import IsA # noqa
+
+@@ -77,12 +78,16 @@ class MappingsTests(test.TestCase):
+ self.assertEqual(u'foo', mappings.stack_output('foo'))
+ self.assertEqual(u'', mappings.stack_output(None))
+
+- self.assertEqual(
+- u'<pre>[\n "one", \n "two", \n "three"\n]</pre>',
+- mappings.stack_output(['one', 'two', 'three']))
+- self.assertEqual(
+- u'<pre>{\n "foo": "bar"\n}</pre>',
+- mappings.stack_output({'foo': 'bar'}))
++ outputs = ['one', 'two', 'three']
++ expected_text = """[\n "one", \n "two", \n "three"\n]"""
++
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
++
++ outputs = {'foo': 'bar'}
++ expected_text = """{\n "foo": "bar"\n}"""
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
+
+ self.assertEqual(
+ u'<a href="http://www.example.com/foo" target="_blank">'
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index c03747f..ef3395d 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -27,6 +27,7 @@ Patch0003: 0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
Patch0004: 0004-Add-a-customization-module-based-on-RHOS.patch
Patch0005: 0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
Patch0006: 0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+Patch0007: 0007-Introduces-escaping-in-Horizon-Orchestration.patch
BuildArch: noarch
More information about the scm-commits
mailing list