fixes for CVE-2013-6858 badness removed

(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)

5 files changed, 188 insertions, 6 deletions

diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog
index dcc99e219e7d..c68e7ee5f3a7 100644
--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for www-apps/horizon
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.16 2013/11/27 04:37:26 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.17 2013/12/13 17:13:20 prometheanfire Exp $
+
+*horizon-2013.2-r2 (13 Dec 2013)
+*horizon-2013.1.4-r1 (13 Dec 2013)
+
+  13 Dec 2013; Matthew Thode <prometheanfire@gentoo.org>
+  +files/cve-2013-6858_2013.1.4.patch, +files/cve-2013-6858_2013.2.patch,
+  +horizon-2013.1.4-r1.ebuild, +horizon-2013.2-r2.ebuild,
+  -horizon-2013.1.4.ebuild, -horizon-2013.2.ebuild:
+  fixes for CVE-2013-6858 badness removed
 
 *horizon-2013.2-r1 (27 Nov 2013)
 
diff --git a/www-apps/horizon/files/cve-2013-6858_2013.1.4.patch b/www-apps/horizon/files/cve-2013-6858_2013.1.4.patch
new file mode 100644
index 000000000000..19a5bc85e8a9
--- /dev/null
+++ b/www-apps/horizon/files/cve-2013-6858_2013.1.4.patch
@@ -0,0 +1,73 @@
+From: Rob Raymond <rob.raymond@hp.com>
+Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
+Subject: Fix bug by escaping strings from Nova before displaying them
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=b14debc73132d1253220192e110f00f62ddb8bbc
+
+Fix bug by escaping strings from Nova before displaying them
+
+Fixes bug #1247675
+
+(cherry-picked from commit b8ff480)
+Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+---
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 2311e5c..17a4fb5 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -17,6 +17,7 @@
+ import logging
+ 
+ from django.core.urlresolvers import reverse
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+@@ -68,6 +69,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+         request = self.table.request
+         volume_name = api.cinder.volume_get(request,
+                                             snapshot.volume_id).display_name
++        volume_name = html.escape(volume_name)
+         return safestring.mark_safe(volume_name)
+ 
+     def get_link_url(self, snapshot):
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index b14145b..e5426c1 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -19,7 +19,7 @@ import logging
+ from django.core.urlresolvers import reverse, NoReverseMatch
+ from django.template.defaultfilters import title
+ from django.utils import safestring
+-from django.utils.html import strip_tags
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -111,7 +111,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -132,7 +132,7 @@ class AttachmentColumn(tables.Column):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -225,7 +225,7 @@ class AttachmentsTable(tables.DataTable):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):
diff --git a/www-apps/horizon/files/cve-2013-6858_2013.2.patch b/www-apps/horizon/files/cve-2013-6858_2013.2.patch
new file mode 100644
index 000000000000..885aecbd190b
--- /dev/null
+++ b/www-apps/horizon/files/cve-2013-6858_2013.2.patch
@@ -0,0 +1,77 @@
+From 6179f70290783e55b10bbd4b3b7ee74db3f8ef70 Mon Sep 17 00:00:00 2001
+From: Rob Raymond <rob.raymond@hp.com>
+Date: Mon, 4 Nov 2013 12:12:40 -0700
+Subject: [PATCH] Fix bug by escaping strings from Nova before displaying them
+
+Fixes bug #1247675
+
+(cherry-picked from commit b8ff480)
+Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+---
+ .../project/images_and_snapshots/volume_snapshots/tables.py       | 2 ++
+ openstack_dashboard/dashboards/project/volumes/tables.py          | 8 ++++----
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 17008f5..e5a3c69 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -15,6 +15,7 @@
+ #    under the License.
+ 
+ from django.core.urlresolvers import reverse  # noqa
++from django.utils import html
+ from django.utils.http import urlencode  # noqa
+ from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -66,6 +67,7 @@ def get_raw_data(self, snapshot):
+         volume = snapshot._volume
+         if volume:
+             volume_name = volume.display_name or volume.id
++            volume_name = html.escape(volume_name)
+         else:
+             volume_name = _("Unknown")
+         return safestring.mark_safe(volume_name)
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index c84bf00..f993f18 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -17,7 +17,7 @@
+ from django.core.urlresolvers import NoReverseMatch  # noqa
+ from django.core.urlresolvers import reverse  # noqa
+ from django.template.defaultfilters import title  # noqa
+-from django.utils.html import strip_tags  # noqa
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.translation import string_concat  # noqa
+ from django.utils.translation import ugettext_lazy as _  # noqa
+@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -146,7 +146,7 @@ def get_raw_data(self, volume):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -249,7 +249,7 @@ def get_object_id(self, obj):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):
+-- 
+1.8.5.1
+
diff --git a/www-apps/horizon/horizon-2013.1.4.ebuild b/www-apps/horizon/horizon-2013.1.4-r1.ebuild
index 0c43fa201674..b268a2baaeef 100644
--- a/www-apps/horizon/horizon-2013.1.4.ebuild
+++ b/www-apps/horizon/horizon-2013.1.4-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.1.4.ebuild,v 1.1 2013/10/29 06:21:54 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.1.4-r1.ebuild,v 1.1 2013/12/13 17:13:20 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
@@ -34,3 +34,5 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 		<dev-python/python-swiftclient-2[${PYTHON_USEDEP}]
 		dev-python/pytz[${PYTHON_USEDEP}]
 		dev-python/lockfile[${PYTHON_USEDEP}]"
+
+PATCHES=( "${FILESDIR}/cve-2013-6858_2013.1.4.patch" )
diff --git a/www-apps/horizon/horizon-2013.2.ebuild b/www-apps/horizon/horizon-2013.2-r2.ebuild
index 12b3ab13b486..e0825600f358 100644
--- a/www-apps/horizon/horizon-2013.2.ebuild
+++ b/www-apps/horizon/horizon-2013.2-r2.ebuild
@@ -1,24 +1,39 @@
 # Copyright 1999-2013 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2.ebuild,v 1.1 2013/10/29 06:21:54 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2013.2-r2.ebuild,v 1.1 2013/12/13 17:13:20 prometheanfire Exp $
 
 EAPI=5
 PYTHON_COMPAT=( python2_7 )
 
 inherit distutils-r1
 
-DESCRIPTION="Horizon is a Django-based project aimed at providing a complete
-OpenStack Dashboard."
+DESCRIPTION="A Django-based project aimed at providing a complete OpenStack Dashboard."
 HOMEPAGE="https://launchpad.net/horizon"
 SRC_URI="http://launchpad.net/${PN}/havana/${PV}/+download/${P}.tar.gz"
 
 LICENSE="Apache-2.0"
 SLOT="0"
 KEYWORDS="~amd64 ~x86"
+IUSE="test"
 
 DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
 		>=dev-python/pbr-0.5.21[${PYTHON_USEDEP}]
-		<dev-python/pbr-1.0[${PYTHON_USEDEP}]"
+		<dev-python/pbr-1.0[${PYTHON_USEDEP}]
+	test? ( >=dev-python/hacking-0.5.6[${PYTHON_USEDEP}]
+			<dev-python/hacking-0.8[${PYTHON_USEDEP}]
+			>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+			>=dev-python/mox-0.5.3[${PYTHON_USEDEP}]
+			dev-python/django-nose[${PYTHON_USEDEP}]
+			dev-python/nose[${PYTHON_USEDEP}]
+			dev-python/nose-exclude[${PYTHON_USEDEP}]
+			dev-python/nosexcover[${PYTHON_USEDEP}]
+			>=dev-python/openstack-nose-plugin-0.7[${PYTHON_USEDEP}]
+			>=dev-python/nosehtmloutput-0.0.3[${PYTHON_USEDEP}]
+			dev-python/selenium[${PYTHON_USEDEP}]
+			>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+			=dev-python/docutils-0.9.1-r1[${PYTHON_USEDEP}]
+			dev-python/oslo-sphinx[${PYTHON_USEDEP}]
+			)"
 RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 		<dev-python/django-1.6[${PYTHON_USEDEP}]
 		>=dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
@@ -40,3 +55,9 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
 		<dev-python/python-troveclient-1[${PYTHON_USEDEP}]
 		>=dev-python/pytz-2010h[${PYTHON_USEDEP}]
 		>=dev-python/lockfile-0.8[${PYTHON_USEDEP}]"
+
+PATCHES=( "${FILESDIR}/cve-2013-6858_2013.2.patch" )
+
+src_test() {
+	./run_tests.sh -N --coverage
+}