From 30912445fde86557ca771746e57a855ee20ea718 Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Wed, 4 Dec 2013 20:46:56 +0800
Subject: [PATCH] CVE-2013-6858: persistent XSS vulnerability. Applies upstream patch: Fix bug by escaping strings from Nova before displaying them (Closes: #730752).

Change-Id: I70ded71b3f320be826c111e66195fe46c11e5ee1
Rewritten-From: 16a924f55c6e24e2c55ece098acef973c847ab64
---
 trusty/debian/changelog | 7 ++
 ...ngs_from_Nova_before_displaying_them.patch | 68 +++++++++++++++++++
 trusty/debian/patches/series | 1 +
 3 files changed, 76 insertions(+)
 create mode 100644 trusty/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch

diff --git a/trusty/debian/changelog b/trusty/debian/changelog
index 1b3ceb7..b6b806e 100644
--- a/trusty/debian/changelog
+++ b/trusty/debian/changelog
@@ -1,3 +1,10 @@
+horizon (2013.2-2) unstable; urgency=low
+
+ * CVE-2013-6858: persistent XSS vulnerability. Applies upstream patch: Fix
+ bug by escaping strings from Nova before displaying them (Closes: #730752).
+
+ -- Thomas Goirand Wed, 04 Dec 2013 20:43:44 +0800
+
 horizon (2013.2-1) unstable; urgency=low
 
 * New upstream release.
diff --git a/trusty/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch b/trusty/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
new file mode 100644
index 0000000..20eab60
--- /dev/null
+++ b/trusty/debian/patches/CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
@@ -0,0 +1,68 @@
+Description: CVE-2013-6858: Fix bug by escaping strings from Nova before displaying them
+Author: Rob Raymond
+Origin: https://review.openstack.org/#/c/58465/
+Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6179f70290783e55b10bbd4b3b7ee74db3f8ef70
+Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1247675
+Bug-Debian: Bug-Debian: http://bugs.debian.org/730752
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 17008f5..e5a3c69 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -15,6 +15,7 @@
+ # under the License.
+ 
+ from django.core.urlresolvers import reverse # noqa
++from django.utils import html
+ from django.utils.http import urlencode # noqa
+ from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _ # noqa
+@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+ volume = snapshot._volume
+ if volume:
+ volume_name = volume.display_name or volume.id
++ volume_name = html.escape(volume_name)
+ else:
+ volume_name = _("Unknown")
+ return safestring.mark_safe(volume_name)
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index c84bf00..f993f18 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -17,7 +17,7 @@
+ from django.core.urlresolvers import NoReverseMatch # noqa
+ from django.core.urlresolvers import reverse # noqa
+ from django.template.defaultfilters import title # noqa
+-from django.utils.html import strip_tags # noqa
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.translation import string_concat # noqa
+ from django.utils.translation import ugettext_lazy as _ # noqa
+@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
+ "attachment information."))
+ try:
+ url = reverse("horizon:project:instances:detail", args=(server_id,))
+- instance = '%s' % (url, name)
++ instance = '%s' % (url, html.escape(name))
+ except NoReverseMatch:
+ instance = name
+ return instance
+@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
+ # without the server name...
+ instance = get_attachment_name(request, attachment)
+ vals = {"instance": instance,
+- "dev": attachment["device"]}
++ "dev": html.escape(attachment["device"])}
+ attachments.append(link % vals)
+ return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
+ def get_object_display(self, attachment):
+ instance_name = get_attachment_name(self.request, attachment)
+ vals = {"dev": attachment['device'],
+- "instance_name": strip_tags(instance_name)}
++ "instance_name": html.escape(instance_name)}
+ return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+ def get_object_by_id(self, obj_id):
diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series
index e883b03..88eda5c 100644
--- a/trusty/debian/patches/series
+++ b/trusty/debian/patches/series
@@ -1,3 +1,4 @@
 fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
+CVE-2013-6858_Fix_bug_by_escaping_strings_from_Nova_before_displaying_them.patch
-- 
2.45.2
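Review bot: The `except NoReverseMatch: instance = name` fallback in `get_attachment_name` (nested hunk `@@ -125,7 +125,7 @@`) still returns the raw Nova-supplied name, and `AttachmentColumn` (nested hunk `@@ -146,7 +146,7 @@`) interpolates that return value into `link` and wraps the joined result in `safestring.mark_safe`, so on the fallback path the name reaches the page unescaped; the except clause should read `instance = html.escape(name)` so both branches return escaped text. Separately, `get_object_display` (nested hunk `@@ -249,7 +249,7 @@`) now applies `html.escape` to a value that `get_attachment_name` has already escaped and, judging by the `'%s' % (url, ...)` line whose markup this rendering has stripped, wrapped in link markup, so where `strip_tags` previously yielded plain text the name is presumably double-escaped and the markup shown literally — confirm how that display string is rendered; `attachment['device']` is also left unescaped there while `AttachmentColumn` escapes it. `get_attachment_name`, `AttachmentColumn` and `AttachmentsTable` all start outside the hunks shown.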