[python-django-horizon/el6-havana] Rebased to 2013.2.3 and fixed CVE-2014-0157

Matthias Runge mrunge at fedoraproject.org
Thu Apr 10 08:18:52 UTC 2014


commit 77b37529bf9aee15b612eaeae066695b4ea4444a
Author: Matthias Runge <mrunge at redhat.com>
Date:   Thu Apr 10 09:40:59 2014 +0200

    Rebased to 2013.2.3 and fixed CVE-2014-0157

 ...-Don-t-access-the-net-while-building-docs.patch |    2 +-
 0002-disable-debug-move-web-root.patch             |    2 +-
 ...file-location-to-tmp-and-also-add-localho.patch |    2 +-
 ...-Add-a-customization-module-based-on-RHOS.patch |    2 +-
 ...olicy-files-and-checks-to-etc-openstack-d.patch |    2 +-
 ...T_KEYSTORE-to-var-lib-openstack-dashboard.patch |    2 +-
 ...roduces-escaping-in-Horizon-Orchestration.patch |  139 ++++++++++++++++++++
 python-django-horizon.spec                         |    1 +
 8 files changed, 146 insertions(+), 6 deletions(-)
---
diff --git a/0001-Don-t-access-the-net-while-building-docs.patch b/0001-Don-t-access-the-net-while-building-docs.patch
index 1dc0e51..b3c01ad 100644
--- a/0001-Don-t-access-the-net-while-building-docs.patch
+++ b/0001-Don-t-access-the-net-while-building-docs.patch
@@ -1,4 +1,4 @@
-From 2ec34ddc2048b731fb4e768ba72648c690b904f3 Mon Sep 17 00:00:00 2001
+From f945b999b097f74783b910175d004579ca8e4919 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Fri, 5 Apr 2013 10:16:19 +0200
 Subject: [PATCH] Don't access the net while building docs (Note this hasn't
diff --git a/0002-disable-debug-move-web-root.patch b/0002-disable-debug-move-web-root.patch
index 0bd8a20..a020b9c 100644
--- a/0002-disable-debug-move-web-root.patch
+++ b/0002-disable-debug-move-web-root.patch
@@ -1,4 +1,4 @@
-From 8eea285d375533640ff89af704d3d3316ccf8490 Mon Sep 17 00:00:00 2001
+From 4259ab6b64ae1fc6f5f14664fad981781e4280e3 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Fri, 5 Apr 2013 10:07:53 +0200
 Subject: [PATCH] disable debug, move web root
diff --git a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
index 9c81fa1..67303f0 100644
--- a/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
+++ b/0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
@@ -1,4 +1,4 @@
-From cb7088576dac83328e3e42dc0d37a40d98311846 Mon Sep 17 00:00:00 2001
+From f4bde71afb9b9ece56eed607061937f3d261c383 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 25 Jul 2013 11:32:38 +0200
 Subject: [PATCH] change lockfile location to '/tmp' and also add localhost to
diff --git a/0004-Add-a-customization-module-based-on-RHOS.patch b/0004-Add-a-customization-module-based-on-RHOS.patch
index 7095888..fa1c459 100644
--- a/0004-Add-a-customization-module-based-on-RHOS.patch
+++ b/0004-Add-a-customization-module-based-on-RHOS.patch
@@ -1,4 +1,4 @@
-From 784b1755a6ff837e1b7c2c4e2b840b6597fc34d5 Mon Sep 17 00:00:00 2001
+From 33218f8ba3ba47209b92ffd5c5bdf7fdce9ae926 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Thu, 14 Feb 2013 12:55:54 +0100
 Subject: [PATCH] Add a customization module based on RHOS
diff --git a/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch b/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
index 36adaa9..8876377 100644
--- a/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
+++ b/0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
@@ -1,4 +1,4 @@
-From 3363133f606033863973456724037c075bb2f010 Mon Sep 17 00:00:00 2001
+From 499eaf237a6fb1b8e0233f59793d54827bfbf2e7 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Mon, 9 Sep 2013 14:13:07 +0200
 Subject: [PATCH] move RBAC policy files and checks to /etc/openstack-dashboard
diff --git a/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch b/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
index c7721b7..8342e29 100644
--- a/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+++ b/0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
@@ -1,4 +1,4 @@
-From 9a593f6774ef19d7cac5a270a72e788031bf25c8 Mon Sep 17 00:00:00 2001
+From 7f7882eb403c493cb857c0c7523e964ffd165c19 Mon Sep 17 00:00:00 2001
 From: Matthias Runge <mrunge at redhat.com>
 Date: Mon, 9 Sep 2013 20:52:51 +0200
 Subject: [PATCH] move SECRET_KEYSTORE to '/var/lib/openstack-dashboard'
diff --git a/0007-Introduces-escaping-in-Horizon-Orchestration.patch b/0007-Introduces-escaping-in-Horizon-Orchestration.patch
new file mode 100644
index 0000000..da79f9d
--- /dev/null
+++ b/0007-Introduces-escaping-in-Horizon-Orchestration.patch
@@ -0,0 +1,139 @@
+From dc03d5ef5a1b588eb0ba041bf99d595ae0e89f5f Mon Sep 17 00:00:00 2001
+From: CristianFiorentino <cristian.fiorentino at intel.com>
+Date: Mon, 10 Mar 2014 17:36:31 -0300
+Subject: [PATCH] Introduces escaping in Horizon/Orchestration
+
+1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
+
+The "Description" parameter in a Heat template is used to populate
+a help_text tooltip in the dynamically generated Heat form. Bootstrap
+inserts this tooltip into the DOM using .html() which undoes any
+escaping we do in Django (it should be using .text()).
+
+This was fixed by forcing the help_text content to be escaped a second
+time. The issue itself is mitigated in bootstrap.js release 2.0.3
+(ours is currently 2.0.1).
+
+2) Properly escape untrusted Heat template 'outputs'
+
+The 'outputs' parameter in a Heat template was included in a Django
+template with HTML autoescaping turned off. Malicious HTML content
+could be included in a Heat template and would be rendered by Horizon
+when details about a created stack were displayed.
+
+This was fixed by not disabling autoescaping and explicitly escaping
+untrusted values in any strings that are later marked "safe" to render
+without further escaping.
+
+Conflicts:
+	openstack_dashboard/dashboards/project/stacks/mappings.py
+
+Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
+Closes-Bug: #1289033
+Co-Authored-By: Kieran Spear <kispear at gmail.com>
+---
+ horizon/templates/horizon/common/_form_fields.html      |  7 ++++++-
+ .../dashboards/project/stacks/mappings.py               | 10 ++++++++--
+ .../stacks/templates/stacks/_detail_overview.html       |  3 +--
+ openstack_dashboard/dashboards/project/stacks/tests.py  | 17 +++++++++++------
+ 4 files changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/horizon/templates/horizon/common/_form_fields.html b/horizon/templates/horizon/common/_form_fields.html
+index 3567614..f6fb98f 100644
+--- a/horizon/templates/horizon/common/_form_fields.html
++++ b/horizon/templates/horizon/common/_form_fields.html
+@@ -14,7 +14,12 @@
+         <span class="help-inline">{{ error }}</span>
+       {% endfor %}
+     {% endif %}
+-    <span class="help-block">{{ field.help_text }}</span>
++    {% comment %}
++    Escape help_text a second time here, to avoid an XSS issue in bootstrap.js.
++    This can most likely be removed once we upgrade bootstrap.js past 2.0.2.
++    Note: the spaces are necessary here.
++    {% endcomment %}
++    <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span>
+     <div class="input">
+       {{ field }}
+     </div>
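Review bot: the `{% filter force_escape %}` wrapper on the help-block line is a version-specific workaround, and the template comment should record which bootstrap.js release removes the need for it and why the surrounding spaces are required; as written ("the spaces are necessary here") the next person to tidy the template has no way to know whether dropping a space reintroduces the problem. Also worth checking before merging: with autoescape already on, the block content is escaped once by Django and then again by `force_escape`, so a help_text that legitimately contains `&`, `<` or `"` will carry a double-encoded entity into the rendered span; confirm how such a value looks both in the visible help text and in the tooltip, and that no existing help_text strings depend on those characters.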
+diff --git a/openstack_dashboard/dashboards/project/stacks/mappings.py b/openstack_dashboard/dashboards/project/stacks/mappings.py
+index 0353291..f1389c5 100644
+--- a/openstack_dashboard/dashboards/project/stacks/mappings.py
++++ b/openstack_dashboard/dashboards/project/stacks/mappings.py
+@@ -19,6 +19,8 @@ import urlparse
+ 
+ from django.core.urlresolvers import reverse  # noqa
+ from django.template.defaultfilters import register  # noqa
++from django.utils import html
++from django.utils import safestring
+ 
+ from openstack_dashboard.api import swift
+ 
+@@ -76,11 +78,15 @@ def stack_output(output):
+     if not output:
+         return u''
+     if isinstance(output, dict) or isinstance(output, list):
+-        return u'<pre>%s</pre>' % json.dumps(output, indent=2)
++        json_string = json.dumps(output, indent=2)
++        safe_output = u'<pre>%s</pre>' % html.escape(json_string)
++        return safestring.mark_safe(safe_output)
+     if isinstance(output, basestring):
+         parts = urlparse.urlsplit(output)
+         if parts.netloc and parts.scheme in ('http', 'https'):
+-            return u'<a href="%s" target="_blank">%s</a>' % (output, output)
++            url = html.escape(output)
++            safe_link = u'<a href="%s" target="_blank">%s</a>' % (url, url)
++            return safestring.mark_safe(safe_link)
+     return unicode(output)
+ 
+ 
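Review bot: the two `safestring.mark_safe` calls in `stack_output` are required, not cosmetic: `%`-formatting a unicode literal with the escaped arguments produces a plain `unicode` object rather than SafeData, so without them the now-autoescaping template (the `autoescape off` block in `_detail_overview.html` is removed in this same patch) would render the `<pre>` and `<a>` tags as literal text. The fall-through `return unicode(output)` is correctly left unmarked so the template escapes it, but that contract deserves a docstring line on the filter stating that it returns SafeData only for markup it built from escaped input, since a future branch that returns raw markup here would silently reopen the bug. If the targeted Django is 1.5 or later (an assumption about this build), `django.utils.html.format_html` would express both builders as one call that escapes the arguments and marks the result safe, removing the chance of formatting an unescaped value into the markup. Style: `isinstance(output, dict) or isinstance(output, list)` can be `isinstance(output, (dict, list))`.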
+diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+index f4756e0..33fe783 100644
+--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
++++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+@@ -36,9 +36,8 @@
+     <dt>{{ output.output_key }}</dt>
+     <dd>{{ output.description }}</dd>
+     <dd>
+-    {% autoescape off %}
+     {{ output.output_value|stack_output }}
+-    {% endautoescape %}</dd>
++    </dd>
+     {% endfor %}
+   </dl>
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/tests.py b/openstack_dashboard/dashboards/project/stacks/tests.py
+index 408d86f..986e3e0 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tests.py
++++ b/openstack_dashboard/dashboards/project/stacks/tests.py
+@@ -16,6 +16,7 @@ import json
+ 
+ from django.core.urlresolvers import reverse  # noqa
+ from django import http
++from django.utils import html
+ 
+ from mox import IsA  # noqa
+ 
+@@ -77,12 +78,16 @@ class MappingsTests(test.TestCase):
+         self.assertEqual(u'foo', mappings.stack_output('foo'))
+         self.assertEqual(u'', mappings.stack_output(None))
+ 
+-        self.assertEqual(
+-            u'<pre>[\n  "one", \n  "two", \n  "three"\n]</pre>',
+-            mappings.stack_output(['one', 'two', 'three']))
+-        self.assertEqual(
+-            u'<pre>{\n  "foo": "bar"\n}</pre>',
+-            mappings.stack_output({'foo': 'bar'}))
++        outputs = ['one', 'two', 'three']
++        expected_text = """[\n  "one", \n  "two", \n  "three"\n]"""
++
++        self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++                         mappings.stack_output(outputs))
++
++        outputs = {'foo': 'bar'}
++        expected_text = """{\n  "foo": "bar"\n}"""
++        self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++                         mappings.stack_output(outputs))
+ 
+         self.assertEqual(
+             u'<a href="http://www.example.com/foo" target="_blank">'
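Review bot: the rewritten assertions compute the expected value with the same `html.escape` the code under test calls, so they pass as long as escape is invoked at all and would not notice a regression where the result stops being marked safe or a different escaping routine is substituted; assert against a literal instead, e.g. `u'<pre>[\n  &quot;one&quot;, \n  &quot;two&quot;, \n  &quot;three&quot;\n]</pre>'`, and add a case whose input actually contains markup (a list item such as `'<b>x</b>'` that must come back as `&lt;b&gt;x&lt;/b&gt;`) so the test documents the behaviour CVE-2014-0157 is about. The URL assertion continuing at the end of this hunk uses `http://www.example.com/foo`, which contains nothing that escaping changes, so the new `html.escape(output)` branch in `mappings.py` is not exercised; a URL carrying a `"` or `&` would cover it. Nothing in the patch tests the `_form_fields.html` change, which the nested diffstat confirms (only `stacks/tests.py` is touched under tests).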
diff --git a/python-django-horizon.spec b/python-django-horizon.spec
index c03747f..ef3395d 100644
--- a/python-django-horizon.spec
+++ b/python-django-horizon.spec
@@ -27,6 +27,7 @@ Patch0003: 0003-change-lockfile-location-to-tmp-and-also-add-localho.patch
 Patch0004: 0004-Add-a-customization-module-based-on-RHOS.patch
 Patch0005: 0005-move-RBAC-policy-files-and-checks-to-etc-openstack-d.patch
 Patch0006: 0006-move-SECRET_KEYSTORE-to-var-lib-openstack-dashboard.patch
+Patch0007: 0007-Introduces-escaping-in-Horizon-Orchestration.patch
 
 
 BuildArch:  noarch
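Review bot: the spec hunk declares `Patch0007` but nothing here applies it, and the diffstat at the top of the mail (`python-django-horizon.spec | 1 +`) shows this is the only spec line changed in the commit, so unless `%prep` applies patches generically the corresponding `%patch0007 -p1` is missing and the CVE-2014-0157 fix would be shipped in the SRPM without being built into the package. The same single-line stat means neither `Version` nor `%changelog` changed, although the subject says the package was rebased to 2013.2.3; add the version bump and a changelog entry naming CVE-2014-0157 so the fix is traceable from the built RPM.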


More information about the scm-commits mailing list