prometheanfire    14/08/21 20:59:43

  Added:                2014.1.2-CVE-2014-3594.patch
  Removed:              2014.1.1-CVE-2014-3473.patch
  Log:
  bump, fix for bug 520420 CVE-2014-3594
  
  (Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)

Revision  Changes    Path
1.1                  www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-apps/horizon/files/2014.1.2-CVE-2014-3594.patch?rev=1.1&content-type=text/plain

Index: 2014.1.2-CVE-2014-3594.patch
===================================================================
>From ba908ae88d5925f4f6783eb234cc4ea95017472b Mon Sep 17 00:00:00 2001
From: Julie Pichon <jpic...@redhat.com>
Date: Tue, 29 Jul 2014 16:17:44 +0100
Subject: Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to
a template directly), autoescaping is not set by default and the input
wasn't sanitised.

Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec

diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py 
b/openstack_dashboard/dashboards/admin/aggregates/tables.py
index 5cefae1..f0c2122 100644
--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
+++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
@@ -93,6 +93,10 @@ def get_zone_hosts(zone):
     return host_details
 
 
+def safe_unordered_list(value):
+    return filters.unordered_list(value, autoescape=True)
+
+
 class HostAggregatesTable(tables.DataTable):
     name = tables.Column('name', verbose_name=_('Name'))
     availability_zone = tables.Column('availability_zone',
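Review bot: safe_unordered_list has no docstring or comment explaining why autoescape=True is forced, so a later cleanup could swap it back to filters.unordered_list without noticing that the wrapper exists for security reasons. Add a one-line docstring saying that filters applied through a table Column do not get autoescaping by default (as the commit message states) and that this wrapper escapes the list items. Because the helper is defined locally in aggregates/tables.py, it would also be worth placing it in a shared module so other tables can import it instead of redefining it.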
@@ -100,11 +104,11 @@ class HostAggregatesTable(tables.DataTable):
     hosts = tables.Column(get_aggregate_hosts,
                           verbose_name=_("Hosts"),
                           wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
     metadata = tables.Column(get_metadata,
                              verbose_name=_("Metadata"),
                              wrap_list=True,
-                             filters=(filters.unordered_list,))
+                             filters=(safe_unordered_list,))
 
     class Meta:
         name = "host_aggregates"
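Review bot: no test accompanies the switch to safe_unordered_list on the hosts and metadata columns of HostAggregatesTable; the diff touches only tables.py. A regression test that renders the table with a host name or metadata value containing markup characters and asserts that the rendered cell is escaped would keep the two columns from silently regressing if the filters tuple is edited again.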
@@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
     hosts = tables.Column(get_zone_hosts,
                           verbose_name=_('Hosts'),
                           wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
     available = tables.Column(get_available,
                               verbose_name=_('Available'),
                               status=True,
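Review bot: the fix is applied one column at a time, here on the hosts column of AvailabilityZonesTable, so any Column outside this file that still passes filters.unordered_list directly would remain unescaped; this patch only covers aggregates/tables.py. Before merging, search the tree for remaining uses of filters=(filters.unordered_list,) in table definitions and either convert them in the same change or note in the commit message that none exist.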
-- 
cgit v0.10.1




