[openstack-dev] [security] Script injection issue
fungi at yuggoth.org
Fri Nov 17 13:47:50 UTC 2017
On 2017-11-17 08:22:31 +0000 (+0000), TommyLike Hu wrote:
> Recently, when we were integrating and testing OpenStack services, we
> found there is a potential script injection issue: some of our
> services accept input with special character , for
> instance we can create an instance or a volume with the name
> '<script>script inside</script>'. One of the possible solutions is to
> add HTML encode/decode support in Horizon, but it's not guaranteed
> that every OpenStack user is using Horizon. So should we apply
> stricter restrictions on users' input?
Just my opinion, but I think it's up to frontends to know what
strings are safe to present. Web-based interfaces are not the only
possible place those strings may end up, and if we consider it the
API's responsibility to strip out every possible sequence that might
cause trouble for every kind of frontend or consuming application
then we'll eventually be left accepting only ASCII alphanumerics.
> Also, I found Google Cloud have a strict and explicit restriction in
> their instance insert API document.
To my knowledge, Google Cloud is proprietary software and can afford
to make decisions tightly coupling the security of their Web
frontend to their APIs. OpenStack can't easily make the same sorts
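The split the reply argues for, as an added example that is not part of the original thread: the API layer stores and serialises the name verbatim, the web frontend encodes for the HTML context at output time, and an API-side "strip special characters" rule is shown only to illustrate what it costs legitimate names. Sample names and all function names are constructed for this illustration.

```python
import html
import json

# Constructed sample input: the thread's '<script>' case plus a legitimate
# name containing characters an API-side strip filter would destroy.
SAMPLE_NAMES = [
    "<script>script inside</script>",
    "Tom & Jerry's <staging> volume",
]


def api_store_name(name: str) -> str:
    """The API layer keeps the submitted string exactly as given; the API
    does not know which frontend (web, CLI, SDK) will consume it."""
    return name


def api_json_response(name: str) -> str:
    """API output is JSON: JSON encoding is the right escaping for that
    context and it does not alter '<', '>' or '&' for API clients."""
    return json.dumps({"name": api_store_name(name)})


def render_row_unsafe(name: str) -> str:
    """Naive web frontend: raw interpolation into HTML. This is the defect
    the thread describes, kept here only for contrast with the safe form."""
    return f"<td>{name}</td>"


def render_row_safe(name: str) -> str:
    """Hardened web frontend: escape for the HTML text context at render
    time (what a template engine's autoescape does), not at storage time."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def strip_filter(name: str) -> str:
    """An API-side 'only alphanumerics and spaces' restriction, showing the
    information loss the reply warns about for every non-web consumer."""
    return "".join(ch for ch in name if ch.isalnum() or ch == " ")


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(api_json_response(n))
        print(render_row_unsafe(n))   # unsafe: markup reaches the browser
        print(render_row_safe(n))     # safe: markup rendered as text
        print(strip_filter(n))        # lossy: legitimate name mangled
```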