From: Thomas Goirand Date: Sat, 16 Jul 2016 14:31:12 +0000 (+0200) Subject: * Remove CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=606ad77ad77d800616d39b82b1d8ecb371585920;p=openstack-build%2Fhorizon-build.git * Remove CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch applied upstream. Rewritten-From: 94ff955ece9092ed1bc089ecf13112aac291619b
---
diff --git a/xenial/debian/changelog b/xenial/debian/changelog
index 4067340..94d350e 100644
--- a/xenial/debian/changelog
+++ b/xenial/debian/changelog
@@ -3,7 +3,8 @@ horizon (3:10.0.0~b2-1) experimental; urgency=medium
   * New upstream release.
   * Fixed (build-)depends for this release.
   * Updated Danish translation of debconf templates (Closes: #830639).
-  * Add fix-oslo.utils-last-vers-compat.patch, useful until ~b2.
+  * Remove CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
+    applied upstream.
 -- Thomas Goirand Mon, 11 Jul 2016 14:24:50 +0200
diff --git a/xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch b/xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
deleted file mode 100644
index 4aa0f32..0000000
--- a/xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Description: Escape angularjs templating in unsafe HTML
- This code extends the unsafe (typically user-supplied) HTML escape
- built into Django to also escape angularjs templating markers. Safe
- HTML will be unaffected.
-Author: Richard Jones
-Origin: upstream, https://review.openstack.org/#/c/329998/
-Date: Tue, 3 May 2016 05:51:49 +0000 (+1000)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
-Bug-Ubuntu: https://launchpad.net/bugs/1567673
-Bug-Debian: https://bugs.debian.org/828967
-Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
-Last-Update: 2016-06-29
-
-diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
-new file mode 100644
-index 0000000..6e27557
---- /dev/null
-+++ b/horizon/utils/escape.py
-@@ -0,0 +1,31 @@
-+# Copyright 2016, Rackspace, US, Inc.
-+#
-+# Licensed under the Apache License, Version 2.0 (the "License");
-+# you may not use this file except in compliance with the License.
-+# You may obtain a copy of the License at
-+#
-+# http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+# See the License for the specific language governing permissions and
-+# limitations under the License.
-+
-+import django.utils.html
-+
-+
-+def escape(text, existing=django.utils.html.escape):
-+    # Replace our angular markup string with a different string
-+    # (which just happens to be the Django comment string)
-+    # this prevents user-supplied data from being intepreted in
-+    # our pages by angularjs, thus preventing it from being used
-+    # for XSS attacks. Note that we use {$ $} instead of the
-+    # standard {{ }} - this is configured in horizon.framework
-+    # angularjs module through $interpolateProvider.
-+    return existing(text).replace('{$', '{%').replace('$}', '%}')
-+
-+
-+# this will be invoked as early as possible in settings.py
-+def monkeypatch_escape():
-+    django.utils.html.escape = escape
-diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
-index 8e91132..e96a4df 100644
---- a/openstack_dashboard/settings.py
-+++ b/openstack_dashboard/settings.py
-@@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa
- from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
- from openstack_dashboard import theme_settings
-
-+from horizon.utils.escape import monkeypatch_escape
-+
-+monkeypatch_escape()
-
- warnings.formatwarning = lambda message, category, *args, **kwargs: \
-     '%s: %s' % (category.__name__, message)
-diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
-index 949fa79..fee5aa0 100644
---- a/openstack_dashboard/test/settings.py
-+++ b/openstack_dashboard/test/settings.py
-@@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
- from openstack_dashboard.static_settings import find_static_files # noqa
- from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
-
-+from horizon.utils.escape import monkeypatch_escape
-+
-+# this is used to protect from client XSS attacks, but it's worth
-+# enabling in our test setup to find any issues it might cause
-+monkeypatch_escape()
-+
- STATICFILES_DIRS = get_staticfiles_dirs()
-
- TEST_DIR = os.path.dirname(os.path.abspath(__file__))
diff --git a/xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch b/xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch
deleted file mode 100644
index ceb4210..0000000
--- a/xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: Fix oslo.utils last version compatibility
- Horizon is checking against port 0, which is now valid in oslo.utils.
- This patch removes the wrong tests.
-Author: Thomas Goirand
-Forwarded: not-needed
-Last-Update: 2016-07-12
-
---- horizon-10.0.0~b1.orig/horizon/test/tests/utils.py
-+++ horizon-10.0.0~b1/horizon/test/tests/utils.py
-@@ -196,7 +196,7 @@ class ValidatorsTests(test.TestCase):
-
-     def test_port_validator(self):
-         VALID_PORTS = (1, 65535)
--        INVALID_PORTS = (-1, 0, 65536)
-+        INVALID_PORTS = (-1, 65536)
-
-         for port in VALID_PORTS:
-             self.assertIsNone(validators.validate_port_range(port))
-@@ -222,8 +222,7 @@ class ValidatorsTests(test.TestCase):
-         VALID_RANGE = ('1:65535',
-                        '1:1')
-         INVALID_RANGE = ('22:22:22:22',
--                         '1:-1',
--                         '0:65535')
-+                         '1:-1')
-
-         test_call = validators.validate_port_or_colon_separated_port_range
-         for prange in VALID_RANGE:
diff --git a/xenial/debian/patches/series b/xenial/debian/patches/series
index 6cc10f0..e883b03 100644
--- a/xenial/debian/patches/series
+++ b/xenial/debian/patches/series
@@ -1,5 +1,3 @@
 fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
-CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
-fix-oslo.utils-last-vers-compat.patch