[PKG-Openstack-devel] Bug#759409: CVE_2014-3594: XSS issue with the unordered_list filter
Thomas Goirand
zigo at debian.org
Sat Aug 23 02:35:10 UTC 2014
Source: horizon
Version: 2014.1.2-2
Severity: important
Tags: security patch
Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.2
Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for
IT-Security, Ruhr-University Bochum reported a persistent XSS in
Horizon. A malicious administrator may conduct a persistent XSS attack
by registering a malicious host aggregate in Horizon Host Aggregate
interface. Once executed in a legitimate context this attack may reveal
another admin token, potentially resulting in a lateral privilege
escalation. All Horizon setups are affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno
development branch) on the public disclosure date.
CVE: CVE-2014-3594
>From 22edde980e0fb2238a62845bcd6922b39506b67b Mon Sep 17 00:00:00 2001
From: Julie Pichon <jpichon at redhat.com>
Date: Tue, 29 Jul 2014 16:17:44 +0100
Subject: [PATCH] Fix XSS issue with the unordered_list filter
When using the unordered_list filter in a Horizon table (as opposed to
a template directly), autoescaping is not set by default and the input
wasn't sanitised.
Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
---
openstack_dashboard/dashboards/admin/aggregates/tables.py | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py b/openstack_dashboard/dashboards/admin/aggregates/tables.py
index 4f2c9aa..a6277f6 100644
--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
+++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
@@ -98,6 +98,10 @@ def get_zone_hosts(zone):
return host_details
+def safe_unordered_list(value):
+ return filters.unordered_list(value, autoescape=True)
+
+
class HostAggregatesTable(tables.DataTable):
name = tables.Column('name', verbose_name=_('Name'))
availability_zone = tables.Column('availability_zone',
@@ -105,11 +109,11 @@ class HostAggregatesTable(tables.DataTable):
hosts = tables.Column(get_aggregate_hosts,
verbose_name=_("Hosts"),
wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
metadata = tables.Column(get_metadata,
verbose_name=_("Metadata"),
wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
class Meta:
name = "host_aggregates"
@@ -128,7 +132,7 @@ class AvailabilityZonesTable(tables.DataTable):
hosts = tables.Column(get_zone_hosts,
verbose_name=_('Hosts'),
wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
available = tables.Column(get_available,
verbose_name=_('Available'),
status=True,
status=True, -- 1.9.3
More information about the Openstack-devel
mailing list