[Openstack-security] [Bug 1308727] Re: [OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)

OpenStack Infra 1308727 at bugs.launchpad.net
Wed Jul 9 14:59:47 UTC 2014 

Reviewed:  https://review.openstack.org/105477
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=32a7b713468161282f2ea01d5e2faff980d924cd
Submitter: Jenkins
Branch:    stable/icehouse

commit 32a7b713468161282f2ea01d5e2faff980d924cd
Author: Julie Pichon <jpichon at redhat.com>
Date:   Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
    
     * Ensure user emails are properly escaped
    
    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.
    
    Closes-Bug: #1320235
    
     * Ensure network names are properly escaped in the Launch Instance menu
    
    Closes-Bug: #1322197
    
     * Escape the URLs generated for the Horizon tables
    
    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.
    
     * Use 'reverse' to generate the Resource URLs in the stacks tables
    
    Closes-Bug: #1308727
    
    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e


** Tags added: in-stable-icehouse

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1308727

Title:
  [OSSA 2014-023] XSS in Horizon Heat template - resource name
  (CVE-2014-3473)

Status in OpenStack Dashboard (Horizon):
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  The attached yaml will result in a Cross Site Script when viewing the
  resources or events of an Orchestration stack in the following paths:

  /project/stacks/stack/{stack_id}/?tab=stack_details__resources
  /project/stacks/stack/{stack_id}/?tab=stack_details__events

  The A tag's href attribute does not properly URL encode the name of
  the resource string resulting in escaping out of the attribute and
  arbitrary HTML written to the page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1308727/+subscriptions

More information about the Openstack-security mailing list