[Openstack-security] [Bug 1308727] Re: [OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)

OpenStack Infra 1308727 at bugs.launchpad.net
Thu Jul 10 20:19:46 UTC 2014


Reviewed:  https://review.openstack.org/105478
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c844bd692894353c60b320005b804970605e910f
Submitter: Jenkins
Branch:    stable/havana

commit c844bd692894353c60b320005b804970605e910f
Author: Julie Pichon <jpichon at redhat.com>
Date:   Thu May 22 16:45:03 2014 +0100

    Fix multiple Cross-Site Scripting (XSS) vulnerabilities
    
     * Ensure user emails are properly escaped
    
    User emails in the Users and Groups panel are being passed through the
    urlize filter to transform them into clickable links. However, urlize
    expects input to be already escaped and safe. We should make sure to
    escape the strings first as email addresses are not validated and can
    contain any type of string.
    
    Closes-Bug: #1320235
    
     * Ensure network names are properly escaped in the Launch Instance menu
    
    Closes-Bug: #1322197
    
     * Escape the URLs generated for the Horizon tables
    
    When generating the Horizon tables, there was an assumption that only
    the anchor text needed to be escaped. However some URLs are generated
    based on user-provided data and should be escaped as well. Also escape
    the link attributes for good measure.
    
     * Use 'reverse' to generate the Resource URLs in the stacks tables
    
    Closes-Bug: #1308727
    
    Conflicts:
    	horizon/tables/base.py
    	openstack_dashboard/dashboards/admin/users/tables.py
    
    Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e


** Changed in: horizon/havana
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1308727

Title:
  [OSSA 2014-023] XSS in Horizon Heat template - resource name
  (CVE-2014-3473)

Status in OpenStack Dashboard (Horizon):
  Fix Committed
Status in OpenStack Dashboard (Horizon) havana series:
  Fix Committed
Status in OpenStack Dashboard (Horizon) icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  The attached YAML will result in a Cross-Site Scripting issue when viewing the
  resources or events of an Orchestration stack in the following paths:

  /project/stacks/stack/{stack_id}/?tab=stack_details__resources
  /project/stacks/stack/{stack_id}/?tab=stack_details__events

  The A tag's href attribute does not properly URL encode the name of
  the resource string resulting in escaping out of the attribute and
  arbitrary HTML written to the page.
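The attribute-breakout described above, as an added illustration that is not Horizon's code: a link builder that escapes only the anchor text, beside the pattern the fix commit describes (build the URL from a quoted resource name and escape the href as well). `html.escape` and `urllib.parse.quote` stand in for Django's `escape()` and `reverse()`, and the resource URL path is an assumed layout, not Horizon's real route.

```python
# Added example, not code from the Horizon project. Shows why escaping only
# the anchor text is insufficient when the href is built from user data, and
# the hardened form: percent-encode the name inside the URL, then escape the
# whole href attribute. Stand-ins: html.escape for Django's escape(),
# urllib.parse.quote for reverse(); the "/resource/" path is assumed.
from html import escape
from urllib.parse import quote


def build_resource_link_vulnerable(stack_id: str, resource_name: str) -> str:
    """Flawed assumption from the bug: only the anchor text needs escaping."""
    href = f"/project/stacks/stack/{stack_id}/resource/{resource_name}/"
    return f'<a href="{href}">{escape(resource_name)}</a>'


def resource_url(stack_id: str, resource_name: str) -> str:
    """Stand-in for reverse(): every path segment is percent-encoded, so a
    resource name cannot carry characters with URL or HTML meaning."""
    return (f"/project/stacks/stack/{quote(stack_id, safe='')}"
            f"/resource/{quote(resource_name, safe='')}/")


def build_resource_link_fixed(stack_id: str, resource_name: str) -> str:
    """Escape the href attribute value as well as the anchor text."""
    href = resource_url(stack_id, resource_name)
    return f'<a href="{escape(href, quote=True)}">{escape(resource_name)}</a>'


def href_attribute_intact(link: str) -> bool:
    """Defender-side check: the rendered anchor has exactly one quoted href
    (two double quotes in total) and no raw angle brackets inside it, so the
    resource name cannot have closed the attribute early."""
    start = link.index('href="') + len('href="')
    end = link.index('"', start)
    value = link[start:end]
    return "<" not in value and ">" not in value and link.count('"') == 2


if __name__ == "__main__":
    # Constructed sample name: quotes and angle brackets, but no payload.
    name = 'disk "main" <primary>'
    print(build_resource_link_vulnerable("s1", name))
    print(build_resource_link_fixed("s1", name))
```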

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1308727/+subscriptions
