authorMatthew Thode <prometheanfire@gentoo.org>2014-08-21 20:59:43 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-08-21 20:59:43 +0000
commit8460e86aa62b22cb9a30d8da053cdd45118ea549 (patch)
treece3881dfbaa5f5496a18ee67aa944d5666d06567 /www-apps
parentbup (diff)
bup, fix for bug 520420 CVE-2014-3594
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'www-apps')
-rw-r--r--www-apps/horizon/ChangeLog9
-rw-r--r--www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch163
-rw-r--r--www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch53
-rw-r--r--www-apps/horizon/horizon-2014.1.2.ebuild (renamed from www-apps/horizon/horizon-2014.1.1-r1.ebuild)7
4 files changed, 65 insertions, 167 deletions
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog
index a43d99ba1a49..f4ea88310b07 100644
--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/horizon
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.32 2014/08/10 20:13:31 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.33 2014/08/21 20:59:43 prometheanfire Exp $
+
+*horizon-2014.1.2 (21 Aug 2014)
+
+ 21 Aug 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.2-CVE-2014-3594.patch, +horizon-2014.1.2.ebuild,
+ -files/2014.1.1-CVE-2014-3473.patch, -horizon-2014.1.1-r1.ebuild:
+ bup, fix for bug 520420 CVE-2014-3594
10 Aug 2014; Sergei Trofimovich <slyfox@gentoo.org>
horizon-2014.1.1-r1.ebuild, horizon-2014.1.9999.ebuild, horizon-9999.ebuild:
diff --git a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
deleted file mode 100644
index 7ab9bebb3364..000000000000
--- a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001
-From: Julie Pichon <jpichon@redhat.com>
-Date: Thu, 22 May 2014 16:45:03 +0100
-Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
-
- * Ensure user emails are properly escaped
-
-User emails in the Users and Groups panel are being passed through the
-urlize filter to transform them into clickable links. However, urlize
-expects input to be already escaped and safe. We should make sure to
-escape the strings first as email addresses are not validated and can
-contain any type of string.
-
-Closes-Bug: #1320235
-
- * Ensure network names are properly escaped in the Launch Instance menu
-
-Closes-Bug: #1322197
-
- * Escape the URLs generated for the Horizon tables
-
-When generating the Horizon tables, there was an assumption that only
-the anchor text needed to be escaped. However some URLs are generated
-based on user-provided data and should be escaped as well. Also escape
-the link attributes for good measure.
-
- * Use 'reverse' to generate the Resource URLs in the stacks tables
-
-Closes-Bug: #1308727
-
-Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
----
- horizon/static/horizon/js/horizon.instances.js | 9 ++++++++-
- horizon/tables/base.py | 4 +++-
- openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++-
- openstack_dashboard/dashboards/admin/users/tables.py | 4 +++-
- openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++--
- openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++
- 6 files changed, 29 insertions(+), 6 deletions(-)
-
-diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
-index e8e9353..d4ef8a0 100644
---- a/horizon/static/horizon/js/horizon.instances.js
-+++ b/horizon/static/horizon/js/horizon.instances.js
-@@ -51,8 +51,15 @@ horizon.instances = {
- $(this.get_network_element("")).each(function(){
- var $this = $(this);
- var $input = $this.children("input");
-+ var name = $this.text().replace(/^\s+/,"")
-+ .replace(/&/g, '&amp;')
-+ .replace(/</g, '&lt;')
-+ .replace(/>/g, '&gt;')
-+ .replace(/"/g, '&quot;')
-+ .replace(/'/g, '&#x27;')
-+ .replace(/\//g, '&#x2F;');
- var network_property = {
-- name:$this.text().replace(/^\s+/,""),
-+ name:name,
- id:$input.attr("id"),
- value:$input.attr("value")
- };
-diff --git a/horizon/tables/base.py b/horizon/tables/base.py
-index 10aaa98..4aceb81 100644
---- a/horizon/tables/base.py
-+++ b/horizon/tables/base.py
-@@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
- link_classes = ' '.join(self.column.link_classes)
- # Escape the data inside while allowing our HTML to render
- data = mark_safe('<a href="%s" class="%s">%s</a>' %
-- (self.url, link_classes, escape(unicode(data))))
-+ (escape(self.url),
-+ escape(link_classes),
-+ escape(unicode(data))))
- return data
-
- @property
-diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
-index 1f32da2..286c22b 100644
---- a/openstack_dashboard/dashboards/admin/groups/tables.py
-+++ b/openstack_dashboard/dashboards/admin/groups/tables.py
-@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
- class UsersTable(tables.DataTable):
- name = tables.Column('name', verbose_name=_('User Name'))
- email = tables.Column('email', verbose_name=_('Email'),
-- filters=[defaultfilters.urlize])
-+ filters=[defaultfilters.escape,
-+ defaultfilters.urlize])
- id = tables.Column('id', verbose_name=_('User ID'))
- enabled = tables.Column('enabled', verbose_name=_('Enabled'),
- status=True,
-diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
-index b2032c4..9c6dc04 100644
---- a/openstack_dashboard/dashboards/admin/users/tables.py
-+++ b/openstack_dashboard/dashboards/admin/users/tables.py
-@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
- email = tables.Column('email', verbose_name=_('Email'),
- filters=(lambda v: defaultfilters
- .default_if_none(v, ""),
-- defaultfilters.urlize))
-+ defaultfilters.escape,
-+ defaultfilters.urlize)
-+ )
- # Default tenant is not returned from Keystone currently.
- #default_tenant = tables.Column('default_tenant',
- # verbose_name=_('Default Project'))
-diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
-index e5f829a..1174746 100644
---- a/openstack_dashboard/dashboards/project/stacks/tables.py
-+++ b/openstack_dashboard/dashboards/project/stacks/tables.py
-@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
- ChangeStackTemplate)
-
-
-+def get_resource_url(obj):
-+ return urlresolvers.reverse('horizon:project:stacks:resource',
-+ args=(obj.stack_id, obj.resource_name))
-+
-+
- class EventsTable(tables.DataTable):
-
- logical_resource = tables.Column('resource_name',
- verbose_name=_("Stack Resource"),
-- link=lambda d: d.resource_name,)
-+ link=get_resource_url)
- physical_resource = tables.Column('physical_resource_id',
- verbose_name=_("Resource"),
- link=mappings.resource_to_url)
-@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
-
- logical_resource = tables.Column('resource_name',
- verbose_name=_("Stack Resource"),
-- link=lambda d: d.resource_name)
-+ link=get_resource_url)
- physical_resource = tables.Column('physical_resource_id',
- verbose_name=_("Resource"),
- link=mappings.resource_to_url)
-diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
-index c68464a..976541a 100644
---- a/openstack_dashboard/dashboards/project/stacks/tabs.py
-+++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
-@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
- stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
- events = api.heat.events_list(self.request, stack_identifier)
- LOG.debug('got events %s' % events)
-+ # The stack id is needed to generate the resource URL.
-+ for event in events:
-+ event.stack_id = stack.id
- except Exception:
- events = []
- messages.error(request, _(
-@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
- stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
- resources = api.heat.resources_list(self.request, stack_identifier)
- LOG.debug('got resources %s' % resources)
-+ # The stack id is needed to generate the resource URL.
-+ for r in resources:
-+ r.stack_id = stack.id
- except Exception:
- resources = []
- messages.error(request, _(
---
-1.8.5.5
-
diff --git a/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch b/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch
new file mode 100644
index 000000000000..564e53b0d634
--- /dev/null
+++ b/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch
@@ -0,0 +1,53 @@
+From ba908ae88d5925f4f6783eb234cc4ea95017472b Mon Sep 17 00:00:00 2001
+From: Julie Pichon <jpichon@redhat.com>
+Date: Tue, 29 Jul 2014 16:17:44 +0100
+Subject: Fix XSS issue with the unordered_list filter
+
+When using the unordered_list filter in a Horizon table (as opposed to
+a template directly), autoescaping is not set by default and the input
+wasn't sanitised.
+
+Closes-Bug: #1349491
+Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
+
+diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py b/openstack_dashboard/dashboards/admin/aggregates/tables.py
+index 5cefae1..f0c2122 100644
+--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
++++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
+@@ -93,6 +93,10 @@ def get_zone_hosts(zone):
+ return host_details
+
+
++def safe_unordered_list(value):
++ return filters.unordered_list(value, autoescape=True)
++
++
+ class HostAggregatesTable(tables.DataTable):
+ name = tables.Column('name', verbose_name=_('Name'))
+ availability_zone = tables.Column('availability_zone',
+@@ -100,11 +104,11 @@ class HostAggregatesTable(tables.DataTable):
+ hosts = tables.Column(get_aggregate_hosts,
+ verbose_name=_("Hosts"),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+ metadata = tables.Column(get_metadata,
+ verbose_name=_("Metadata"),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+
+ class Meta:
+ name = "host_aggregates"
+@@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
+ hosts = tables.Column(get_zone_hosts,
+ verbose_name=_('Hosts'),
+ wrap_list=True,
+- filters=(filters.unordered_list,))
++ filters=(safe_unordered_list,))
+ available = tables.Column(get_available,
+ verbose_name=_('Available'),
+ status=True,
+--
+cgit v0.10.1
+
diff --git a/www-apps/horizon/horizon-2014.1.1-r1.ebuild b/www-apps/horizon/horizon-2014.1.2.ebuild
index f3eb1ed1820c..9a3db8afb733 100644
--- a/www-apps/horizon/horizon-2014.1.1-r1.ebuild
+++ b/www-apps/horizon/horizon-2014.1.2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1-r1.ebuild,v 1.2 2014/08/10 20:13:31 slyfox Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.2.ebuild,v 1.1 2014/08/21 20:59:43 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -40,6 +40,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
<dev-python/django-1.7[${PYTHON_USEDEP}]
>=dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
>=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}]
+ !~dev-python/django-openstack-auth-1.1.6[${PYTHON_USEDEP}]
>=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
>=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
@@ -58,10 +59,10 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
>=dev-python/python-swiftclient-1.6[${PYTHON_USEDEP}]
>=dev-python/python-troveclient-1.0.3[${PYTHON_USEDEP}]
>=dev-python/pytz-2010h[${PYTHON_USEDEP}]
- >=dev-python/six-1.5.2[${PYTHON_USEDEP}]"
+ >=dev-python/six-1.6.0[${PYTHON_USEDEP}]"
PATCHES=(
- "${FILESDIR}/2014.1.1-CVE-2014-3473.patch"
+ "${FILESDIR}/2014.1.2-CVE-2014-3594.patch"
)
src_test() {
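Review bot: The PATCHES change at the end of this hunk drops 2014.1.1-CVE-2014-3473.patch without recording why; presumably the 2014.1.2 release carries that fix upstream, but nothing on this page states so and the commit message names only CVE-2014-3594. A one-line comment above the array, `# CVE-2014-3473 is fixed upstream in 2014.1.2; only CVE-2014-3594 still needs a backport`, would let the next bump verify that neither fix is silently lost. The new `!~dev-python/django-openstack-auth-1.1.6` blocker in the earlier hunk is likewise unexplained; a comment naming the reason or bug, e.g. `# blocks django-openstack-auth-1.1.6: <reason or bug number>`, would help. The RDEPEND string this hunk edits starts outside the hunk.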