<div dir="auto">This will need the VMT's attention, so please raise it as an issue on Launchpad and we can tag it for the VMT members as a possible OSSA.<div dir="auto"><br></div><div dir="auto">Apologies for top post, replying from phone.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 17 Nov 2017 12:34 pm, "Adam Heczko" <<a href="mailto:aheczko@mirantis.com">aheczko@mirantis.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks TommyLike for this bug report. Sounds like Stored XSS [1].<div>Could you please share more details, e.g. branch / release, APIs tested etc.?</div><div><br></div><div>[1] <a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting" target="_blank">https://www.owasp.org/<wbr>index.php/Types_of_Cross-Site_<wbr>Scripting</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <span dir="ltr"><<a href="mailto:davanum@gmail.com" target="_blank">davanum@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Adding [api] to make sure the API (SIG?) sees this too<br>
<div><div class="m_442496784445769614h5"><br>
On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <<a href="mailto:tommylikehu@gmail.com" target="_blank">tommylikehu@gmail.com</a>> wrote:<br>
> Hey all,<br>
>      Recently, when integrating and testing OpenStack services, we found<br>
> there is a potential script injection issue: some of our services accept<br>
> input with special characters [1] [2]. For instance, we can create an<br>
> instance or a volume with the name '<script>script inside</script>'. One<br>
> of the possible solutions is to add HTML encode/decode support in Horizon, but<br>
> it's not guaranteed that every OpenStack user is using Horizon. So should we<br>
> apply stricter restrictions on user input?<br>
>      Also, I found Google Cloud has a strict and explicit restriction in<br>
> their instance insert API document [3].<br>
><br>
> [1]: Nova:<br>
> <a href="https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148" rel="noreferrer" target="_blank">https://github.com/openstack/n<wbr>ova/blob/master/nova/api/valid<wbr>ation/parameter_types.py#L148</a><br>
> [2]: Cinder:<br>
> <a href="https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253" rel="noreferrer" target="_blank">https://github.com/openstack/c<wbr>inder/blob/master/cinder/api/o<wbr>penstack/wsgi.py#L1253</a><br>
> [3]: Google Cloud:<br>
> <a href="https://cloud.google.com/compute/docs/reference/latest/instances/insert" rel="noreferrer" target="_blank">https://cloud.google.com/compu<wbr>te/docs/reference/latest/insta<wbr>nces/insert</a><br>
><br>
> Thanks<br>
> TommyLike.Hu<br>
><br>
><br>
><br>
</div></div>> ______________________________<wbr>______________________________<wbr>______________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
><br>
<span class="m_442496784445769614HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Davanum Srinivas :: <a href="https://twitter.com/dims" rel="noreferrer" target="_blank">https://twitter.com/dims</a><br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_442496784445769614gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Adam Heczko</div><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Security Engineer @ Mirantis Inc.</div></div></div>
</div>
<br></blockquote></div></div>
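As an added, defender-side illustration of the two mitigations the thread weighs (this is not code from Nova, Cinder or Horizon): the API keeps a permissive input check that rejects malformed names but not '<' or '>', and the consuming web UI HTML-escapes names at render time, since not every client is Horizon. The name policy used here (1..255 characters, no control characters) and the sample names are assumptions constructed for the example.

```python
import html
import re

# Assumed name policy for this illustration (not Nova's or Cinder's real rule):
# 1..255 chars, no ASCII control chars; the API itself never HTML-encodes names.
MAX_NAME_LEN = 255
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def validate_name(name):
    """API-side input validation. Returns (ok, reason).

    '<' and '>' are deliberately allowed: rejecting them would break
    legitimate names and would not protect consumers of other text fields.
    """
    if not isinstance(name, str):
        return False, "name must be a string"
    if not 1 <= len(name) <= MAX_NAME_LEN:
        return False, "name length must be 1..%d" % MAX_NAME_LEN
    if _CONTROL_CHARS.search(name):
        return False, "name contains control characters"
    return True, ""

def render_name_html(name):
    """Consumer-side output encoding, which any web UI (e.g. Horizon) must do.

    quote=True also escapes ' and ", so the result is safe as element text and
    inside quoted attribute values (not inside <script> blocks or URLs).
    """
    return html.escape(name, quote=True)

def contains_raw_tag(fragment):
    # Detection helper: True if a rendered fragment still holds a raw tag.
    return re.search(r"<[a-zA-Z/!]", fragment) is not None

def process(name):
    """Run both layers on one name and report what each did."""
    ok, reason = validate_name(name)
    if not ok:
        return {"accepted": False, "reason": reason, "html": None}
    rendered = render_name_html(name)
    return {"accepted": True, "reason": "", "html": rendered,
            "raw_tag_left": contains_raw_tag(rendered)}

# Constructed sample names: the one from the bug report plus two others.
SAMPLE_NAMES = ["<script>script inside</script>", "db-primary <prod>", "vol\x00name"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", process(n))
```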