Public bug reported:

During a security scan of the Neutron API, Nessus raises the following security alert about reflected XSS:

REQUEST:
<script>cross_site_scripting.nasl</script>

API RESPONSE:
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Mon, 29 Dec 2014 09:50:52 GMT
Connection: close

File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119,
[...]
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')

My proposal is to modify the API error response in a way that doesn't cause reflection of the original input - doesn't matter if JavaScript or not.
IMO the error message should end at the line "Connection: close".

** Affects: neutron
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1427135

Title: Neutron API reflects JavaScript/any input in error message

Status in OpenStack Neutron (virtual network service): New
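The report's point is that an unhandled exception is turned into a response body that carries both a server-side traceback and the raw request value (here via `%r` formatting). The response is `text/plain`, which limits what a browser will execute, but the underlying defect is the same either way: error output is built from untrusted input and internal state. The following added example (not code from the Launchpad report, Neutron or Paste) shows a constructed stand-in for the failing check beside a WSGI middleware that logs the full traceback server-side and returns a fixed body to the client. The choice to validate `PATH_INFO` and the `fragile_app` / `GenericErrorMiddleware` names are assumptions made for the example.

```python
"""Added example: echoing raw input in a 500 body vs. returning a generic error.
Constructed stand-in for the behaviour in the bug report; it does not use
paste.urlmap or Neutron code."""
import logging
import sys
import traceback
from io import BytesIO

log = logging.getLogger("api.errors")


def fragile_app(environ, start_response):
    """Stand-in for a WSGI app whose validation echoes the offending value.
    The assertion text mirrors the one quoted in the report; checking
    PATH_INFO here is an assumption made for the example."""
    url = environ.get("PATH_INFO", "")
    if not (url.startswith("/") or url.startswith("http://")):
        # %r puts the raw, unescaped request value into the exception message,
        # which a default error handler then copies into the response body.
        raise AssertionError(
            "URL fragments must start with / or http:// (you gave %r)" % url)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


class GenericErrorMiddleware:
    """Catches unhandled exceptions, keeps the traceback server-side and sends
    the client a fixed body that never contains request data."""

    BODY = b"500 Internal Server Error\n"

    def __init__(self, app):
        self.app = app
        self.last_traceback = None  # retained so the example can inspect the log

    def __call__(self, environ, start_response):
        try:
            # Materialise the iterable so errors raised lazily are caught too.
            return list(self.app(environ, start_response))
        except Exception:
            self.last_traceback = traceback.format_exc()
            log.error("unhandled exception:\n%s", self.last_traceback)
            # Pass exc_info so a server that already saw start_response
            # accepts the replacement status (PEP 3333).
            start_response("500 Internal Server Error", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(self.BODY))),
            ], sys.exc_info())
            return [self.BODY]


def run(app, path):
    """Minimal WSGI driver: returns (status, headers, body) for one request.
    Exceptions from an unwrapped app propagate to the caller."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed request value mirroring the scanner payload quoted in the report.
PAYLOAD = "<script>cross_site_scripting.nasl</script>"


def demo():
    """Returns (unwrapped_error_message, hardened_status, hardened_body, logged)."""
    try:
        run(fragile_app, PAYLOAD)
        raw_message = None
    except AssertionError as exc:
        raw_message = str(exc)
    hardened = GenericErrorMiddleware(fragile_app)
    status, _headers, body = run(hardened, PAYLOAD)
    return raw_message, status, body, hardened.last_traceback


if __name__ == "__main__":
    raw, status, body, logged = demo()
    print("unwrapped error message:", raw)
    print("hardened response:", status, body)
    print("payload in hardened body:", PAYLOAD.encode() in body)
    print("payload in server log:", PAYLOAD in logged)
```

The middleware deliberately keeps the detailed message: operators still need the offending value in the server log to diagnose the failure, it just must not travel back to the client. The same split (log the detail, return a constant) is what the report asks for when it says the message should stop after the headers.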