From 20a46df57b886b824ad2454119f8d46ced8013b2 Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Tue, 10 Dec 2013 00:32:26 +0800
Subject: [PATCH] Removes CVE-2013-6858 patch applied upstream. Refreshed patch.
Change-Id: I361a264a9c46dc00e3889948208b72d7afe8f29f
Rewritten-From: 0113a8a147117a20a6bb9231f4df6820c6d36b1a
---
 xenial/debian/changelog | 2 +
 ...ngs_from_Nova_before_displaying_them.patch | 68 -------------------
 .../debian/patches/fix-dashboard-manage.patch | 6 +-
 xenial/debian/patches/series | 1 -
 4 files changed, 5 insertions(+), 72 deletions(-)
 delete mode 100644 xenial/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
diff --git a/xenial/debian/changelog b/xenial/debian/changelog
index 833a733..ac9f852 100644
--- a/xenial/debian/changelog
+++ b/xenial/debian/changelog
@@ -1,6 +1,8 @@
 horizon (2014.1~b1-1) experimental; urgency=low
 * New upstream release (Icehouse beta 1).
+ * Removes CVE-2013-6858 patch applied upstream.
+ * Refreshed patch.
 -- Thomas Goirand Mon, 09 Dec 2013 22:14:27 +0800
diff --git a/xenial/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch b/xenial/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
deleted file mode 100644
index 20eab60..0000000
--- a/xenial/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Description: CVE-2013-6858: Fix bug by escaping strings from Nova before displaying them
-Author: Rob Raymond
-Origin: https://review.openstack.org/#/c/58465/
-Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6179f70290783e55b10bbd4b3b7ee74db3f8ef70
-Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1247675
-Bug-Debian: Bug-Debian: http://bugs.debian.org/730752
-
-diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-index 17008f5..e5a3c69 100644
---- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-@@ -15,6 +15,7 @@
- # under the License.
-
- from django.core.urlresolvers import reverse # noqa
-+from django.utils import html
- from django.utils.http import urlencode # noqa
- from django.utils import safestring
- from django.utils.translation import ugettext_lazy as _ # noqa
-@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
- volume = snapshot._volume
- if volume:
- volume_name = volume.display_name or volume.id
-+ volume_name = html.escape(volume_name)
- else:
- volume_name = _("Unknown")
- return safestring.mark_safe(volume_name)
-diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
-index c84bf00..f993f18 100644
---- a/openstack_dashboard/dashboards/project/volumes/tables.py
-+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
-@@ -17,7 +17,7 @@
- from django.core.urlresolvers import NoReverseMatch # noqa
- from django.core.urlresolvers import reverse # noqa
- from django.template.defaultfilters import title # noqa
--from django.utils.html import strip_tags # noqa
-+from django.utils import html
- from django.utils import safestring
- from django.utils.translation import string_concat # noqa
- from django.utils.translation import ugettext_lazy as _ # noqa
-@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
- "attachment information."))
- try:
- url = reverse("horizon:project:instances:detail", args=(server_id,))
-- instance = '%s' % (url, name)
-+ instance = '%s' % (url, html.escape(name))
- except NoReverseMatch:
- instance = name
- return instance
-@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
- # without the server name...
- instance = get_attachment_name(request, attachment)
- vals = {"instance": instance,
-- "dev": attachment["device"]}
-+ "dev": html.escape(attachment["device"])}
- attachments.append(link % vals)
- return safestring.mark_safe(", ".join(attachments))
-
-@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
- def get_object_display(self, attachment):
- instance_name = get_attachment_name(self.request, attachment)
- vals = {"dev": attachment['device'],
-- "instance_name": strip_tags(instance_name)}
-+ "instance_name": html.escape(instance_name)}
- return _("%(dev)s on instance %(instance_name)s") % vals
-
- def get_object_by_id(self, obj_id):
diff --git a/xenial/debian/patches/fix-dashboard-manage.patch b/xenial/debian/patches/fix-dashboard-manage.patch
index 1314038..84da543 100644
--- a/xenial/debian/patches/fix-dashboard-manage.patch
+++ b/xenial/debian/patches/fix-dashboard-manage.patch
@@ -4,9 +4,9 @@ Forwarded: not-needed
 Index: horizon/manage.py
 ===================================================================
---- horizon.orig/manage.py 2013-09-23 14:11:14.000000000 +0800
-+++ horizon/manage.py 2013-09-23 14:13:36.000000000 +0800
-@@ -5,6 +5,8 @@
+--- horizon.orig/manage.py 2013-12-09 22:14:14.000000000 +0800
++++ horizon/manage.py 2013-12-10 00:30:58.000000000 +0800
+@@ -17,6 +17,8 @@
 from django.core.management import execute_from_command_line # noqa
diff --git a/xenial/debian/patches/series b/xenial/debian/patches/series
index 88eda5c..e883b03 100644
--- a/xenial/debian/patches/series
+++ b/xenial/debian/patches/series
@@ -1,4 +1,3 @@
 fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
-CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
--
2.45.2