author | 2014-04-11 15:24:10 +0000 | |
---|---|---|
committer | 2014-04-11 15:24:10 +0000 | |
commit | 1abbcb38e20a89f320ddd4f2b83184a2ee2034fd (patch) | |
tree | 1324558fc8caf52f76827b686a3c05212ec0f551 /www-apps | |
parent | Initial commit wrt #507280 by Bruce Guenter (diff) | |
download | historical-1abbcb38e20a89f320ddd4f2b83184a2ee2034fd.tar.gz historical-1abbcb38e20a89f320ddd4f2b83184a2ee2034fd.tar.bz2 historical-1abbcb38e20a89f320ddd4f2b83184a2ee2034fd.zip |
fix for CVE-2014-0157
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/horizon/ChangeLog | 9 | ||||
-rw-r--r-- | www-apps/horizon/Manifest | 31 | ||||
-rw-r--r-- | www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch | 148 | ||||
-rw-r--r-- | www-apps/horizon/horizon-2013.2.3-r1.ebuild (renamed from www-apps/horizon/horizon-2013.2.3.ebuild) | 3 |
4 files changed, 174 insertions, 17 deletions
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog index e2b2e30d976c..3fc0556244f9 100644 --- a/www-apps/horizon/ChangeLog +++ b/www-apps/horizon/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for www-apps/horizon # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.25 2014/04/06 06:34:28 prometheanfire Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.26 2014/04/11 15:24:04 prometheanfire Exp $ + +*horizon-2013.2.3-r1 (11 Apr 2014) + + 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org> + +files/CVE-2014-0157-2013.2.3.patch, +horizon-2013.2.3-r1.ebuild, + -horizon-2013.2.3.ebuild: + fix for CVE-2014-0157 *horizon-2013.2.3 (06 Apr 2014) diff --git a/www-apps/horizon/Manifest b/www-apps/horizon/Manifest index d621fe00c70b..65e394f428c6 100644 --- a/www-apps/horizon/Manifest +++ b/www-apps/horizon/Manifest 
@@ -1,26 +1,27 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX CVE-2014-0157-2013.2.3.patch 6079 SHA256 a2ca6f7278eba57a63bb9e25f8842aa38da83bb2db8c71641f2c53e2ec8a5d7f SHA512 758531fcee0261ee8fe911d8dbaa966c39df463ace2611e4d3e1a5784a259e40ebea0191e9fc87482d9cff9d4ed8b0743e64058d374d2084c7063d93bf63bf3f WHIRLPOOL d8c65a6605d7c8e7b392c5d75df1992d64500b6e62a3fc1cd21937b8a9091bfff37617687b85a4d3846df4ffd2c709c67a8ccb393c499154e368dbd334d30210 DIST horizon-2013.2.3.tar.gz 2315092 SHA256 de9b87ee62d8b28792399be0fc867ba99618eaaad289cf9842b5c7084e12620f SHA512 de1c8a319eca8214de4231924f08f5fe866edd98613e6342ac84d13768acea8c40d2340a3baac6605b0d66c9ee7cc3740bd734ac1d27a729f2e04b843dfc3250 WHIRLPOOL 09f94416d164507e03bd9ea7945e4bd4810008e22137621e53365579814e9000a4bc8f877a747eeaaba14bcddbccf95d20fccd979d8330c5d4aaf5e76fd623c8 -EBUILD horizon-2013.2.3.ebuild 2563 SHA256 ec769a6b1034cd3d201786472e88dea07daf6f269bdf5a40f212b9c2c6cbf323 SHA512 de0348806e5f31a8176ea1c5f58df1ba4b51cbdecfa7f9c8d97a0d55285b514380067acc7ee5b694fd8be4a9e484e40805f9a4c232f1e19d442233c88b7d338e WHIRLPOOL b82bf4514989ede5b4493010d9cadcea9a71618f1f5648c9927c90667e6709d2f77e81afb6ba54cec34c5efa07b9256f15864955c06252c456a64478e15fd298 +EBUILD horizon-2013.2.3-r1.ebuild 2611 SHA256 fc2ff9276da8ca4c42eafd6bf17513a090cbfeac6e8d77679d7027225a389901 SHA512 04baed0cd63fbfd76a59ac69dd266511d249d95678be6fee318690ce21f46aacc647d73f0a4ed1231af861d67121d805e0e982a33595555dbe0a1599c8a52e55 WHIRLPOOL a1d9909161a4c34e2ad4a523b4bdb65f60dab12a59d3ff3a7f4d98362956413085cc443904af673812e69b983bce41d03cbfc72df5bfc4459d8b1f8de200c19d EBUILD horizon-2013.2.9999.ebuild 2561 SHA256 d44fe5f23dd395b9cc470e0fe490114d0b21c4d85d7b08716f7f451f70a13014 SHA512 b22bdb54e939560df734c21fd88a25dea847b73e28ca379aa58bf1553e53be838d795429fb51f3d16d2c9c5a64d9ce955e50474713fec7f1d6eccc57157ea97e WHIRLPOOL 893655521d6c928c9a28ea1e29f8fcad2e2f0403f22530dffe2ff4452ad577c78979557e15da90c0782c9c39728012475502b0a26035826a341e3eabb08eba4e EBUILD 
horizon-9999.ebuild 1765 SHA256 1a4317a6a01ed5bdc3cbdbf76157e8404a2f7feccc9426ac98a6784e550e1798 SHA512 67b6ef8663d7146a979c5211e2f427dea730d63c209560853f817a0a2a6422d97eaef00a39286f05eb8ce093e90a1dd7c758195062b95fbaa11d1e24d5d0b38e WHIRLPOOL 0b1291b7641f8edd19f70fbb6e9061137a49766546759e2b6371c7efe504f677814eed6dfc9c483d1f411f2f02f434994c2022bdb4c43ce788604f2ddaa5d366 -MISC ChangeLog 4581 SHA256 5712e42498600fa7c18c166c0718bc2ff65aacab5c1d7bc7700340d6c8fd86db SHA512 5d59ca6e7ce57ed4eec33e69d1e96018c573fcfe6db545827bc6a9a286f4f37438319bcb47a1e29fcaf21f9b754f3888bef1dba16d1fa8cefb45706a83ad1509 WHIRLPOOL f0f24507fc2131b2f202b051f8819e87fa8a77e0abe4a2e9831cf47c1d8f9cae12d6f5aa4592a1af54008c6a103087ecc7a7a744e5373d8eff18e576065a8a9f +MISC ChangeLog 4795 SHA256 013bc551a9c19b8dfc19b1c7f4ac750b232bbde4d8f61828126c82854dc72de6 SHA512 e8d4ec94c4e04b159ec22610546d7a55e404c72a2663762f4653e9dcf8c2bc4e53b7f9aeee2b1b83449a58aef6708695943186bc15d0d11a040b3fc2e71234c4 WHIRLPOOL 07e554ba94f17f59a6619490a1832ff3c9a1c38ebadf0b9561d28d044237e686240e92b49f019852bb5f8ac47484f1aace78b2edde1e6f689c8ed93e4b205766 MISC metadata.xml 502 SHA256 8a64a12fb6d42791ddde4f06dbeb1e32359e41fafb25b69b16d773eabf18ad57 SHA512 35da4f1a5a38b64361e5003731e9a0bfc81498c3e43b9b9e5b152d6fad2d8157a3632b737a9987bcec726d1057c52b05ee73e4fc280d9353f4649fe20c0b5915 WHIRLPOOL 028f50558b926a576c36fa0da5dfce8cae2a948f0adb4cd71df2f17e806565caaa0698dc262a484012e8c5d9d8cc6d0f4ef77983ea6d79b6b8b3e03ec80b7ea1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) -iQIcBAEBCAAGBQJTQPWvAAoJECRx6z5ArFrDtNEP+QFLgCh9LFch4mugT8AWIQkO -jzHcnGqaZ7u1oPcWUkY6cZIVM4XIyIDU46ZmW0KkAmi7epDZw1KPI7MLf+fI80d7 -Zbpxn2R/a+KLbWFxBNSXATpDfJyrE76obCY4xdhb1CedHa8ZukXdeOKbEyF5/gjv -6yAqgp7rkQWlW3tjSkgHTZysJ0SwdQ/KTq1vSnkls7PZK176FbbVmjN8zeZs+mOE -96KUEAyMARZJ0DYMcdc0+it4mmFBRQGMeekPTJ7HyBtnGqPoKtBxQnM5b5bKgkBU -DuOiT/UHUCS5+KNvHq36AqBubJquudvpBP9jE0Uz1qBXXbkE5E6QPab6mXe//4SF 
-OzHygmFKy15dVeHN9qfUWXKbejfkHI06FwxCyEZTxrYpKspksjpFCsO7kBUyL0kk -nlNtROVR8YvZMMxWJ1dytZ3cyOAaqppVr3E5VlSzPwNZO+DEIAjJQRmA+czuUnUM -zN72uIzQiogeF24siqLkMBy0rwEyVk7jEcVuxFbZ5M6FA79R4sQ/YiAUlu0dXI2b -jNi2ZIky2gKqa+SgkVfgIbEqFBSaHvDebpTpADAv6zGbXJ0f3L1CmpW/W07t0owt -wbhr6nVaBKX2EPQ7123TIakKzHwFiP5E09/GWnm4eQ+LZPwL2gdnfw32MkNJJUwj -eZ1OoPb9hgtUBoU9JzXY -=l1I6 +iQIcBAEBCAAGBQJTSAkcAAoJECRx6z5ArFrDE5oQAJUhgiUhmKvAhybzA/XIC3PV +YeLIT1NpXPd8Fu0BmUJGiqy9a25Cf6aybeFf1o+ZCfrmm3gi0RtpW0M9n+ibSmkU +74vP8wBxOIpRo4vBls1c2h6XzRdY8V3nu0o0ppbPihx3fvlSQDR252PDq6SbT6+6 +7167PhVb+TjLG40GA6YBXlAGFwOzCM7fl2De15AYkObnv2tRBp5FFYtI2vDfMfBT +eBpXfpSASwXeiCDiLEnwCcrJbOi+rIx/JQVrwwPSFKK0ERWVarz6ZLv31hcShT+t +gyVgW3fOc0dxO5yLvVmbOU7F/5tHmWEj1T//OwjDsGAT8TgSsxXQPKDIvD1SFTSM +Gsh6+5mbkdJR0WyWNVeN6DQnAAbQ7ziFvJ4cypUDbPET/W5JMiFms4clA+1pbAEi +d4QkjwmOpNWDRZiD1J26Z6Ajei9XDfgyMUsDDUoQpq/NDqHrrIeISwKysdfOmsMT +yiTjbdBcHnV2ADlJ9JH3sDtKsOBOFdiPZESt4ynEua6yJ+bt6ZlfTBHI2HxT03zw +W1/ZF/5hDPlKPHqocA/KRrLxRRjc6BpAhIKhpsbAGPiX1EHQ643C8UWug/XKvErs +k+qhgY+iT5g0B/YD4Ke4kH6Caodf/WEpjHX0RrU5hdIpuenCcbNpI2DhDvi4N6WC +vgQXoSVIGo9Z9ta+nbBy +=OM5X -----END PGP SIGNATURE----- diff --git a/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch b/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch new file mode 100644 index 000000000000..bdc6dc711421 --- /dev/null +++ b/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch 
@@ -0,0 +1,148 @@ +From b8f5d9e0749af2845937c23b4636b0981e2d5732 Mon Sep 17 00:00:00 2001 +From: CristianFiorentino <cristian.fiorentino@intel.com> +Date: Mon, 10 Mar 2014 17:36:31 -0300 +Subject: [PATCH] Introduces escaping in Horizon/Orchestration + +1) Escape help_text a second time to avoid bootstrap tooltip XSS issue + +The "Description" parameter in a Heat template is used to populate +a help_text tooltip in the dynamically generated Heat form. Bootstrap +inserts this tooltip into the DOM using .html() which undoes any +escaping we do in Django (it should be using .text()). + +This was fixed by forcing the help_text content to be escaped a second +time. The issue itself is mitigated in bootstrap.js release 2.0.3 +(ours is currently 2.0.1). + +2) Properly escape untrusted Heat template 'outputs' + +The 'outputs' parameter in a Heat template was included in a Django +template with HTML autoescaping turned off. Malicious HTML content +could be included in a Heat template and would be rendered by Horizon +when details about a created stack were displayed. + +This was fixed by not disabling autoescaping and explicitly escaping +untrusted values in any strings that are later marked "safe" to render +without further escaping. 
+ +Conflicts: + openstack_dashboard/dashboards/project/stacks/mappings.py + +Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001 +Closes-Bug: #1289033 +Co-Authored-By: Kieran Spear <kispear@gmail.com> +--- + horizon/templates/horizon/common/_form_fields.html | 7 ++++++- + .../dashboards/project/stacks/mappings.py | 10 ++++++++-- + .../stacks/templates/stacks/_detail_overview.html | 3 +-- + openstack_dashboard/dashboards/project/stacks/tests.py | 17 +++++++++++------ + 4 files changed, 26 insertions(+), 11 deletions(-) + +diff --git a/horizon/templates/horizon/common/_form_fields.html +b/horizon/templates/horizon/common/_form_fields.html +index 3567614..f6fb98f 100644 +--- a/horizon/templates/horizon/common/_form_fields.html ++++ b/horizon/templates/horizon/common/_form_fields.html +@@ -14,7 +14,12 @@ + <span class="help-inline">{{ error }}</span> + {% endfor %} + {% endif %} +- <span class="help-block">{{ field.help_text }}</span> ++ {% comment %} ++ Escape help_text a second time here, to avoid an XSS issue in bootstrap.js. ++ This can most likely be removed once we upgrade bootstrap.js past 2.0.2. ++ Note: the spaces are necessary here. 
++ {% endcomment %} ++ <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span> + <div class="input"> + {{ field }} + </div> +diff --git a/openstack_dashboard/dashboards/project/stacks/mappings.py +b/openstack_dashboard/dashboards/project/stacks/mappings.py +index 0353291..f1389c5 100644 +--- a/openstack_dashboard/dashboards/project/stacks/mappings.py ++++ b/openstack_dashboard/dashboards/project/stacks/mappings.py +@@ -19,6 +19,8 @@ import urlparse + + from django.core.urlresolvers import reverse # noqa + from django.template.defaultfilters import register # noqa ++from django.utils import html ++from django.utils import safestring + + from openstack_dashboard.api import swift + +@@ -76,11 +78,15 @@ def stack_output(output): + if not output: + return u'' + if isinstance(output, dict) or isinstance(output, list): +- return u'<pre>%s</pre>' % json.dumps(output, indent=2) ++ json_string = json.dumps(output, indent=2) ++ safe_output = u'<pre>%s</pre>' % html.escape(json_string) ++ return safestring.mark_safe(safe_output) + if isinstance(output, basestring): + parts = urlparse.urlsplit(output) + if parts.netloc and parts.scheme in ('http', 'https'): +- return u'<a href="%s" target="_blank">%s</a>' % (output, output) ++ url = html.escape(output) ++ safe_link = u'<a href="%s" target="_blank">%s</a>' % (url, url) ++ return safestring.mark_safe(safe_link) + return unicode(output) + + +diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html +b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html +index f4756e0..33fe783 100644 +--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html ++++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html +@@ -36,9 +36,8 @@ + <dt>{{ output.output_key }}</dt> + <dd>{{ output.description }}</dd> + <dd> +- {% autoescape off %} + {{ output.output_value|stack_output 
}} +- {% endautoescape %}</dd> ++ </dd> + {% endfor %} + </dl> + </div> +diff --git a/openstack_dashboard/dashboards/project/stacks/tests.py +b/openstack_dashboard/dashboards/project/stacks/tests.py +index 408d86f..986e3e0 100644 +--- a/openstack_dashboard/dashboards/project/stacks/tests.py ++++ b/openstack_dashboard/dashboards/project/stacks/tests.py +@@ -16,6 +16,7 @@ import json + + from django.core.urlresolvers import reverse # noqa + from django import http ++from django.utils import html + + from mox import IsA # noqa + +@@ -77,12 +78,16 @@ class MappingsTests(test.TestCase): + self.assertEqual(u'foo', mappings.stack_output('foo')) + self.assertEqual(u'', mappings.stack_output(None)) + +- self.assertEqual( +- u'<pre>[\n "one", \n "two", \n "three"\n]</pre>', +- mappings.stack_output(['one', 'two', 'three'])) +- self.assertEqual( +- u'<pre>{\n "foo": "bar"\n}</pre>', +- mappings.stack_output({'foo': 'bar'})) ++ outputs = ['one', 'two', 'three'] ++ expected_text = """[\n "one", \n "two", \n "three"\n]""" ++ ++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text), ++ mappings.stack_output(outputs)) ++ ++ outputs = {'foo': 'bar'} ++ expected_text = """{\n "foo": "bar"\n}""" ++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text), ++ mappings.stack_output(outputs)) + + self.assertEqual( + u'<a href="http://www.example.com/foo" target="_blank">' +-- +1.8.3.1 + + + diff --git a/www-apps/horizon/horizon-2013.2.3.ebuild b/www-apps/horizon/horizon-2013.2.3-r1.ebuild index edc26d8c1241..2159f0c26f63 100644 --- a/www-apps/horizon/horizon-2013.2.3.ebuild +++ b/www-apps/horizon/horizon-2013.2.3-r1.ebuild 
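Review bot: The new assertions in `tests.py` compute their expected value with the same `html.escape` the fix relies on, so they check `stack_output` against itself rather than against a literal escaped string, and neither input contains `<`, `>` or `&`, the characters this fix exists to neutralise. A case such as `mappings.stack_output({'foo': '<b>bar</b>'})` asserting that `&lt;b&gt;` appears and `<b>` does not in the returned `<pre>` block would pin the behaviour, and the unchanged URL assertion could use an address containing `"` or `<` so the `href` branch is covered too. In `mappings.py` the two `mark_safe` calls are sound because the only interpolated values have just passed through `html.escape`, while the remaining `return unicode(output)` is now escaped by the template because `_detail_overview.html` drops `{% autoescape off %}`; that contract deserves a short docstring on `stack_output`, whose `def` line appears only in the hunk header. The `{% filter force_escape %}` wrapper in `_form_fields.html` escapes unconditionally, so any `help_text` that a form deliberately marked safe will now render its markup as literal text, which is probably acceptable here but worth one more line in the template comment.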
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2.3.ebuild,v 1.1 2014/04/06 06:34:28 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:24:04 prometheanfire Exp $
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -58,6 +58,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 >=dev-python/lockfile-0.8[${PYTHON_USEDEP}]"
 PATCHES=(
+ "${FILESDIR}/CVE-2014-0157-2013.2.3.patch"
 )
 src_test() { |