Package: horizon / 2014.1.3-7+deb8u2

CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
Description: CVE-2016-4428: Escape angularjs templating in unsafe HTML
 This code extends the unsafe (typically user-supplied) HTML escape
 built into Django to also escape angularjs templating markers. Safe
 HTML will be unaffected.
Bug-Ubuntu: https://launchpad.net/bugs/1567673
Bug-Debian: https://bugs.debian.org/828967
Origin: upstream, https://review.openstack.org/#/c/329997/
Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
Author: Richard Jones <r1chardj0n3s@gmail.com>
Date: Tue, 3 May 2016 05:51:49 +0000 (+1000)
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=d585e5eb9acf92d10d39b6c2038917a7e8ac71bb
Last-Update: 2016-06-29

--- /dev/null
+++ horizon-2014.1.3/horizon/utils/escape.py
@@ -0,0 +1,31 @@
+# Copyright 2016, Rackspace, US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import django.utils.html
+
+
+def escape(text, existing=django.utils.html.escape):
+    # Replace our angular markup string with a different string
+    # (which just happens to be the Django comment string)
+    # this prevents user-supplied data from being intepreted in
+    # our pages by angularjs, thus preventing it from being used
+    # for XSS attacks. Note that we use {$ $} instead of the
+    # standard {{ }} - this is configured in horizon.framework
+    # angularjs module through $interpolateProvider
+    return existing(text).replace('{$', '{%').replace('$}', '%}')
+
+
+# this will be invoked as early as possible in settings.py
+def monkeypatch_escape():
+    django.utils.html.escape = escape
--- horizon-2014.1.3.orig/openstack_dashboard/settings.py
+++ horizon-2014.1.3/openstack_dashboard/settings.py
@@ -27,6 +27,10 @@ from django.utils.translation import uge
 
 from openstack_dashboard import exceptions
 
+from horizon.utils.escape import monkeypatch_escape
+
+monkeypatch_escape()
+
 warnings.formatwarning = lambda message, category, *args, **kwargs: \
     '%s: %s' % (category.__name__, message)
 
--- horizon-2014.1.3.orig/openstack_dashboard/test/settings.py
+++ horizon-2014.1.3/openstack_dashboard/test/settings.py
@@ -17,6 +17,11 @@ from horizon.utils import secret_key
 
 from openstack_dashboard import exceptions
 
+from horizon.utils.escape import monkeypatch_escape
+
+# this is used to protect from client XSS attacks, but it's worth
+# enabling in our test setup to find any issues it might cause
+monkeypatch_escape()
 
 TEST_DIR = os.path.dirname(os.path.abspath(__file__))
 ROOT_PATH = os.path.abspath(os.path.join(TEST_DIR, ".."))