[openstack-dev] [security] [api] Script injection issue
aheczko at mirantis.com
Fri Nov 17 12:33:23 UTC 2017
Thanks TommyLike for this bug report. Sounds like Stored XSS .
Could you please share more details, e.g. branch / release, APIs tested
On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <davanum at gmail.com>
> Adding [api] to make sure the API (SIG?) sees this too
> On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <tommylikehu at gmail.com>
> > Hey all,
> > Recently when we integrating and testing OpenStack services. We
> > there is a potential script injection issue that some of our services
> > the input with special character  , for instance we can create an
> > instance or a volume with the name of '<script>script inside</script>'.
> > of the possible solutions is add HTML encode/decode support in Horizon,
> > it's not guaranteed every OpenStack user is using Horizon. So should we
> > apply more strict restriction on user's input?
> > Also, I found Google Cloud have a strict and explicit restrction in
> > their instance insert API document .
> > : Nova:
> > https://github.com/openstack/nova/blob/master/nova/api/
> > : Cinder:
> > https://github.com/openstack/cinder/blob/master/cinder/api/
> > : Google Cloud:
> > https://cloud.google.com/compute/docs/reference/latest/instances/insert
> > Thanks
> > TommyLike.Hu
> > ____________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> Davanum Srinivas :: https://twitter.com/dims
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
Security Engineer @ Mirantis Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev