From 34065b81d6d95a11e1a965accae2e5f75573bda9 Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Wed, 29 Jun 2016 15:02:13 +0200
Subject: [PATCH] * CVE-2016-4428: Possible client side template injection in horizon. Added CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch from upstream (Closes: #828967).
Rewritten-From: 2da8b9aec26feb1e64e2a53a24811b7d596256ba
---
 trusty/debian/changelog | 8 ++
 ..._angularjs_templating_in_unsafe_HTML.patch | 80 +++++++++++++++++++
 trusty/debian/patches/series | 1 +
 3 files changed, 89 insertions(+)
 create mode 100644 trusty/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
diff --git a/trusty/debian/changelog b/trusty/debian/changelog
index 01de083..a7d5c07 100644
--- a/trusty/debian/changelog
+++ b/trusty/debian/changelog
@@ -1,3 +1,11 @@
+horizon (3:9.0.1-2) unstable; urgency=high
+
+ * CVE-2016-4428: Possible client side template injection in horizon. Added
+ CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch from
+ upstream (Closes: #828967).
+
+ -- Thomas Goirand Wed, 29 Jun 2016 14:59:37 +0200
+
 horizon (3:9.0.1-1) unstable; urgency=medium
 
 * Increase epoch.
diff --git a/trusty/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch b/trusty/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
new file mode 100644
index 0000000..cbcdef3
--- /dev/null
+++ b/trusty/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
@@ -0,0 +1,80 @@
+Author: Richard Jones
+ This code extends the unsafe (typically user-supplied) HTML escape
+ built into Django to also escape angularjs templating markers. Safe
+ HTML will be unaffected.
+Date: Tue, 3 May 2016 05:51:49 +0000 (+1000)
+Subject: Escape angularjs templating in unsafe HTML
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=fc8d70560401f3985e5672a4c580f10d51e985a4
+Bug-Ubuntu: https://bugs.launchpad.net/horizon/+bug/1567673
+Bug-Debian: https://bugs.debian.org/828967
+Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
+Origin: upstream, https://review.openstack.org/#/c/329996/
+Last-Update: 2016-06-29
+
+Index: horizon/horizon/utils/escape.py
+===================================================================
+--- /dev/null
++++ horizon/horizon/utils/escape.py
+@@ -0,0 +1,31 @@
++# Copyright 2016, Rackspace, US, Inc.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import django.utils.html
++
++
++def escape(text, existing=django.utils.html.escape):
++ # Replace our angular markup string with a different string
++ # (which just happens to be the Django comment string)
++ # this prevents user-supplied data from being intepreted in
++ # our pages by angularjs, thus preventing it from being used
++ # for XSS attacks. Note that we use {$ $} instead of the
++ # standard {{ }} - this is configured in horizon.framework
++ # angularjs module through $interpolateProvider.
++ return existing(text).replace('{$', '{%').replace('$}', '%}')
++
++
++# this will be invoked as early as possible in settings.py
++def monkeypatch_escape():
++ django.utils.html.escape = escape
+Index: horizon/openstack_dashboard/settings.py
+===================================================================
+--- horizon.orig/openstack_dashboard/settings.py
++++ horizon/openstack_dashboard/settings.py
+@@ -30,6 +30,9 @@ from openstack_dashboard.static_settings
+ from openstack_dashboard import theme_settings
+ from openstack_dashboard.utils import settings
+
++from horizon.utils.escape import monkeypatch_escape
++
++monkeypatch_escape()
+
+ warnings.formatwarning = lambda message, category, *args, **kwargs: \
+ '%s: %s' % (category.__name__, message)
+Index: horizon/openstack_dashboard/test/settings.py
+===================================================================
+--- horizon.orig/openstack_dashboard/test/settings.py
++++ horizon/openstack_dashboard/test/settings.py
+@@ -18,6 +18,12 @@ from openstack_dashboard import exceptio
+ from openstack_dashboard.static_settings import find_static_files # noqa
+ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+
++from horizon.utils.escape import monkeypatch_escape
++
++# this is used to protect from client XSS attacks, but it's worth
++# enabling in our test setup to find any issues it might cause
++monkeypatch_escape()
++
+ STATICFILES_DIRS = get_staticfiles_dirs()
+
+ TEST_DIR = os.path.dirname(os.path.abspath(__file__))
diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series
index 41ab217..284e65c 100644
--- a/trusty/debian/patches/series
+++ b/trusty/debian/patches/series
@@ -2,3 +2,4 @@ fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
 Fix_remaining_Django_1.9_test_failures.patch
+CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
-- 
2.45.2
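Review bot: The new `escape()` in the escape.py hunk of the added patch file drops Django's safe-string marking: `existing()` returns a `SafeText`, but `str.replace` on a `str` subclass yields a plain `str`, so the returned value no longer carries `__html__` and any caller that passes it back through `conditional_escape` or `format_html` will likely escape it a second time (`&amp;lt;` instead of `&lt;`). Wrapping the result keeps the original contract, `return mark_safe(existing(text).replace('{$', '{%').replace('$}', '%}'))` with `from django.utils.safestring import mark_safe` added next to the existing import. Separately, `monkeypatch_escape()` only rebinds the module attribute, so a module that did `from django.utils.html import escape` before `openstack_dashboard/settings.py` was imported keeps the unpatched function; a comment on `monkeypatch_escape` such as `# Must run before any module binds django.utils.html.escape by name; later from-imports are not affected.` would make that ordering requirement explicit. The inline comment calling `{% %}` the "Django comment string" is also inaccurate — `{% %}` is the block-tag delimiter and `{# #}` the comment — which matters only if the escaped output were ever rendered through a Django template again, but the comment should say what the substitution actually produces.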