authorMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:24:04 +0000
committerMatthew Thode <prometheanfire@gentoo.org>2014-04-11 15:24:04 +0000
commita1d37aea2445c5ff73116d80e7a483f04466799b (patch)
tree613e5d2a61bf49e8dcfe355a448dd61ffd40c755 /www-apps
parentInitial commit wrt #507280 by Bruce Guenter (diff)
Fix for CVE-2014-0157 (XSS in the Horizon Orchestration dashboard via Heat template help_text and stack outputs)
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'www-apps')
-rw-r--r--www-apps/horizon/ChangeLog9
-rw-r--r--www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch148
-rw-r--r--www-apps/horizon/horizon-2013.2.3-r1.ebuild (renamed from www-apps/horizon/horizon-2013.2.3.ebuild)3
3 files changed, 158 insertions, 2 deletions
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog
index e2b2e30d976c..3fc0556244f9 100644
--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/horizon
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.25 2014/04/06 06:34:28 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.26 2014/04/11 15:24:04 prometheanfire Exp $
+
+*horizon-2013.2.3-r1 (11 Apr 2014)
+
+ 11 Apr 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/CVE-2014-0157-2013.2.3.patch, +horizon-2013.2.3-r1.ebuild,
+ -horizon-2013.2.3.ebuild:
+ fix for CVE-2014-0157
*horizon-2013.2.3 (06 Apr 2014)
diff --git a/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch b/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch
new file mode 100644
index 000000000000..bdc6dc711421
--- /dev/null
+++ b/www-apps/horizon/files/CVE-2014-0157-2013.2.3.patch
@@ -0,0 +1,148 @@
+From b8f5d9e0749af2845937c23b4636b0981e2d5732 Mon Sep 17 00:00:00 2001
+From: CristianFiorentino <cristian.fiorentino@intel.com>
+Date: Mon, 10 Mar 2014 17:36:31 -0300
+Subject: [PATCH] Introduces escaping in Horizon/Orchestration
+
+1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
+
+The "Description" parameter in a Heat template is used to populate
+a help_text tooltip in the dynamically generated Heat form. Bootstrap
+inserts this tooltip into the DOM using .html() which undoes any
+escaping we do in Django (it should be using .text()).
+
+This was fixed by forcing the help_text content to be escaped a second
+time. The issue itself is mitigated in bootstrap.js release 2.0.3
+(ours is currently 2.0.1).
+
+2) Properly escape untrusted Heat template 'outputs'
+
+The 'outputs' parameter in a Heat template was included in a Django
+template with HTML autoescaping turned off. Malicious HTML content
+could be included in a Heat template and would be rendered by Horizon
+when details about a created stack were displayed.
+
+This was fixed by not disabling autoescaping and explicitly escaping
+untrusted values in any strings that are later marked "safe" to render
+without further escaping.
+
+Conflicts:
+ openstack_dashboard/dashboards/project/stacks/mappings.py
+
+Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
+Closes-Bug: #1289033
+Co-Authored-By: Kieran Spear <kispear@gmail.com>
+---
+ horizon/templates/horizon/common/_form_fields.html | 7 ++++++-
+ .../dashboards/project/stacks/mappings.py | 10 ++++++++--
+ .../stacks/templates/stacks/_detail_overview.html | 3 +--
+ openstack_dashboard/dashboards/project/stacks/tests.py | 17 +++++++++++------
+ 4 files changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/horizon/templates/horizon/common/_form_fields.html
+b/horizon/templates/horizon/common/_form_fields.html
+index 3567614..f6fb98f 100644
+--- a/horizon/templates/horizon/common/_form_fields.html
++++ b/horizon/templates/horizon/common/_form_fields.html
+@@ -14,7 +14,12 @@
+ <span class="help-inline">{{ error }}</span>
+ {% endfor %}
+ {% endif %}
+- <span class="help-block">{{ field.help_text }}</span>
++ {% comment %}
++ Escape help_text a second time here, to avoid an XSS issue in bootstrap.js.
++ This can most likely be removed once we upgrade bootstrap.js past 2.0.2.
++ Note: the spaces are necessary here.
++ {% endcomment %}
++ <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span>
+ <div class="input">
+ {{ field }}
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/mappings.py
+b/openstack_dashboard/dashboards/project/stacks/mappings.py
+index 0353291..f1389c5 100644
+--- a/openstack_dashboard/dashboards/project/stacks/mappings.py
++++ b/openstack_dashboard/dashboards/project/stacks/mappings.py
+@@ -19,6 +19,8 @@ import urlparse
+
+ from django.core.urlresolvers import reverse # noqa
+ from django.template.defaultfilters import register # noqa
++from django.utils import html
++from django.utils import safestring
+
+ from openstack_dashboard.api import swift
+
+@@ -76,11 +78,15 @@ def stack_output(output):
+ if not output:
+ return u''
+ if isinstance(output, dict) or isinstance(output, list):
+- return u'<pre>%s</pre>' % json.dumps(output, indent=2)
++ json_string = json.dumps(output, indent=2)
++ safe_output = u'<pre>%s</pre>' % html.escape(json_string)
++ return safestring.mark_safe(safe_output)
+ if isinstance(output, basestring):
+ parts = urlparse.urlsplit(output)
+ if parts.netloc and parts.scheme in ('http', 'https'):
+- return u'<a href="%s" target="_blank">%s</a>' % (output, output)
++ url = html.escape(output)
++ safe_link = u'<a href="%s" target="_blank">%s</a>' % (url, url)
++ return safestring.mark_safe(safe_link)
+ return unicode(output)
+
+
+diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+index f4756e0..33fe783 100644
+--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
++++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+@@ -36,9 +36,8 @@
+ <dt>{{ output.output_key }}</dt>
+ <dd>{{ output.description }}</dd>
+ <dd>
+- {% autoescape off %}
+ {{ output.output_value|stack_output }}
+- {% endautoescape %}</dd>
++ </dd>
+ {% endfor %}
+ </dl>
+ </div>
+diff --git a/openstack_dashboard/dashboards/project/stacks/tests.py
+b/openstack_dashboard/dashboards/project/stacks/tests.py
+index 408d86f..986e3e0 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tests.py
++++ b/openstack_dashboard/dashboards/project/stacks/tests.py
+@@ -16,6 +16,7 @@ import json
+
+ from django.core.urlresolvers import reverse # noqa
+ from django import http
++from django.utils import html
+
+ from mox import IsA # noqa
+
+@@ -77,12 +78,16 @@ class MappingsTests(test.TestCase):
+ self.assertEqual(u'foo', mappings.stack_output('foo'))
+ self.assertEqual(u'', mappings.stack_output(None))
+
+- self.assertEqual(
+- u'<pre>[\n "one", \n "two", \n "three"\n]</pre>',
+- mappings.stack_output(['one', 'two', 'three']))
+- self.assertEqual(
+- u'<pre>{\n "foo": "bar"\n}</pre>',
+- mappings.stack_output({'foo': 'bar'}))
++ outputs = ['one', 'two', 'three']
++ expected_text = """[\n "one", \n "two", \n "three"\n]"""
++
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
++
++ outputs = {'foo': 'bar'}
++ expected_text = """{\n "foo": "bar"\n}"""
++ self.assertEqual(u'<pre>%s</pre>' % html.escape(expected_text),
++ mappings.stack_output(outputs))
+
+ self.assertEqual(
+ u'<a href="http://www.example.com/foo" target="_blank">'
+--
+1.8.3.1
+
+
+
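Review bot: The `MappingsTests` changes in tests.py only feed benign values through `html.escape`, so a later change that drops the `html.escape(output)` call in the link branch of `stack_output` (mappings.py) would not be caught — the surviving expectation near the bottom of the hunk still hard-codes an unescaped example.com URL, and the input that pairs with it is outside the hunk. Add a negative case for the attribute context, e.g. `self.assertEqual(u'<a href="http://example.com/?q=&quot;&gt;" target="_blank">http://example.com/?q=&quot;&gt;</a>', mappings.stack_output(u'http://example.com/?q=">'))`, and one for the JSON branch such as `mappings.stack_output(['<script>'])` expecting `u'<pre>[\n  &quot;&lt;script&gt;&quot;\n]</pre>'`. Separately, the anchor built in the link branch uses `target="_blank"` with no `rel="noopener noreferrer"`, so an attacker-controlled output URL opens a tab that can reach the dashboard via `window.opener` in browsers that expose it; `u'<a href="%s" target="_blank" rel="noopener noreferrer">%s</a>'` closes that at no cost. The `@register.filter` decorator on `stack_output` and the remainder of `MappingsTests` lie outside the hunk, so it is unclear from here whether the filter is also registered with `is_safe`.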
diff --git a/www-apps/horizon/horizon-2013.2.3.ebuild b/www-apps/horizon/horizon-2013.2.3-r1.ebuild
index edc26d8c1241..2159f0c26f63 100644
--- a/www-apps/horizon/horizon-2013.2.3.ebuild
+++ b/www-apps/horizon/horizon-2013.2.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2.3.ebuild,v 1.1 2014/04/06 06:34:28 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2.3-r1.ebuild,v 1.1 2014/04/11 15:24:04 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -58,6 +58,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
>=dev-python/lockfile-0.8[${PYTHON_USEDEP}]"
PATCHES=(
+ "${FILESDIR}/CVE-2014-0157-2013.2.3.patch"
)
src_test() {