authorMatt Thode <prometheanfire@gentoo.org>2014-07-08 16:09:21 +0000
committerMatt Thode <prometheanfire@gentoo.org>2014-07-08 16:09:21 +0000
commit6cd8851ea33505432f3ccc5a4134ba22b2e2866b (patch)
tree62db6ee58ae8744eacd53d705196f28dfccb0007 /www-apps
parentStable for amd64 wrt bug #510728 (diff)
Fix XSS (CVE-2014-3473); the package is no longer vulnerable.
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64 Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'www-apps')
-rw-r--r--www-apps/horizon/ChangeLog9
-rw-r--r--www-apps/horizon/Manifest31
-rw-r--r--www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch163
-rw-r--r--www-apps/horizon/horizon-2014.1.1-r1.ebuild (renamed from www-apps/horizon/horizon-2014.1.1.ebuild)7
4 files changed, 193 insertions, 17 deletions
diff --git a/www-apps/horizon/ChangeLog b/www-apps/horizon/ChangeLog
index 31b98f2b45df..792a176efd6d 100644
--- a/www-apps/horizon/ChangeLog
+++ b/www-apps/horizon/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/horizon
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.29 2014/06/16 03:39:52 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/ChangeLog,v 1.30 2014/07/08 16:09:14 prometheanfire Exp $
+
+*horizon-2014.1.1-r1 (08 Jul 2014)
+
+ 08 Jul 2014; Matthew Thode <prometheanfire@gentoo.org>
+ +files/2014.1.1-CVE-2014-3473.patch, +horizon-2014.1.1-r1.ebuild,
+ -horizon-2014.1.1.ebuild:
+ fixing xss CVE-2014-3473 not vulnerable now, kthnx
*horizon-2014.1.1 (16 Jun 2014)
diff --git a/www-apps/horizon/Manifest b/www-apps/horizon/Manifest
index 295657c41a99..5be52b075b1a 100644
--- a/www-apps/horizon/Manifest
+++ b/www-apps/horizon/Manifest
@@ -1,26 +1,27 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX 2014.1.1-CVE-2014-3473.patch 7832 SHA256 68cf6f47901b446db7bdcf7deb25b468033b91e196da259f2f5131c985eada9c SHA512 c1bffcefc8569115c3907742e11d05495d9e3e48c157256bf33b5330d3dd1ced27957b4a01c49cb0cf636a389d8492d74d45891770bd45f156a0257d90b7d5cb WHIRLPOOL 3acbcfda5b2c666e2fc6b708a820c25dea1ce491dc00e85cb734bad2f753b7886690d09a8dbcd0e7d2bdc58745dc4c7f469f4880b704520fdbdb4a5caf1c8990
DIST horizon-2014.1.1.tar.gz 3215099 SHA256 e911d553462f38fa0b9d0dc1b31fea1175f984f9d8f422df60d31f4f483a298d SHA512 f7deda766c8f16c7447a205625525e90e0b4edd5b69bf715aaf1559f67c2688ab0dfb676d12e99e0cbb83a9a26254dc702eeaebe8b060bd68ca419255fd7fb50 WHIRLPOOL 6963d40f440b46a5e08a3cb173825ee3b01aa851afcbb598ca91d5579b4d200d3cacf8ddf6d7ded443e3fe2a8b3c8e6f27e62c4b7223240fd7865c79872baebf
-EBUILD horizon-2014.1.1.ebuild 2653 SHA256 b137dfe2b9a1165c76d24c6b04f18cbf7dda7ed5da57d8312ae87b1df04509ca SHA512 29fe4c2ab1abf4aa9c3e00ada6e8ae7d79f7e4028cb94191bba33c3de18b909b711be2fc34ddddb2d73f3f8993755945f2fd46495eb53db052520becfb923253 WHIRLPOOL 8927af923b9c92b73c80ef77a9830134f11cfcb2eae702870b7c6f4219828ac528557e7224bc7939e86ddba3eb178e0b1e1d169c17638565b47e62ea21502f41
+EBUILD horizon-2014.1.1-r1.ebuild 2761 SHA256 88c786131afd9a96cb2f1bf1e8dc74b21c3b7ab7a3d76a09fbf82bf8f68b3159 SHA512 eb87c632d1ae9e283189b8df553db62d5f08b2bc23f600f521cf5da91f360a61807f408d675c6258d1ffd87daba7ae414939d9cb99808e9e4859d9241c00a1df WHIRLPOOL d46dce2b93ce07419060a108a5ba3f914fe500048c34d2178ce0bfdf529d021b57be14d6e642bfd97341831ce2335d3e4f7ba10115f24322128dead46f86e6b6
EBUILD horizon-2014.1.9999.ebuild 2664 SHA256 bb372c0c027bd20ea98a7a033836d160ceeee4696b7f901f3c1bded061214648 SHA512 5900593848c43bcf52da3bf8d26008ff07dc3db4eb2ba723d2209abd838ed5a80fd0c043a95196788ef29db50c031248b18d5587f36856f7d89f1f11b3de790b WHIRLPOOL b5b21abe2ba6be8eca8ed213b57bb7a7b478e314fc70390bb0481dddfa0844fd4359019f1af4f61ed5b98638b6ce922b3b4e859c191840f65f866ac73fb17004
EBUILD horizon-9999.ebuild 1765 SHA256 1a4317a6a01ed5bdc3cbdbf76157e8404a2f7feccc9426ac98a6784e550e1798 SHA512 67b6ef8663d7146a979c5211e2f427dea730d63c209560853f817a0a2a6422d97eaef00a39286f05eb8ce093e90a1dd7c758195062b95fbaa11d1e24d5d0b38e WHIRLPOOL 0b1291b7641f8edd19f70fbb6e9061137a49766546759e2b6371c7efe504f677814eed6dfc9c483d1f411f2f02f434994c2022bdb4c43ce788604f2ddaa5d366
-MISC ChangeLog 5320 SHA256 e458ad13af9f801b4f1009ad92af36975d7ed9bd200ea5faf9138f845685670e SHA512 94251ea82a4d2d566b5eea1d5fdd9633bfec2fa9ef77888caff2e5218cc246234697ee61928a52ff6b67059cec3618ec18752a1a5360a028921e0b2d2ab5bdf1 WHIRLPOOL 83264487fd0989b58775ad5e3cfb3169711996bf1cc83c0a23c8ee69aad4dc619ab5ddcc4729b6fe4d9494858656ee1ddc176f4feb58ddaeac7f56c767002444
+MISC ChangeLog 5563 SHA256 9210ab2a14248d9a0b76923385e7d77347a2c57c62c923082d68116f54d865fe SHA512 4735dbbc2bef1f4672ddebe64beeab36008f0cca2c2b2ce2e6f3d275534679ce28dc307bac6e5c7539ea5024a4bbb85cf81517c376c72bc37e1619376be94bee WHIRLPOOL 0bd422d46fd869f10e877218c10848a5885b49a5c17969d9dfcd1ece6e232176c0b4828a9298d495a7e994571173784b68d3de70116c8317276c765a11bfb885
MISC metadata.xml 502 SHA256 8a64a12fb6d42791ddde4f06dbeb1e32359e41fafb25b69b16d773eabf18ad57 SHA512 35da4f1a5a38b64361e5003731e9a0bfc81498c3e43b9b9e5b152d6fad2d8157a3632b737a9987bcec726d1057c52b05ee73e4fc280d9353f4649fe20c0b5915 WHIRLPOOL 028f50558b926a576c36fa0da5dfce8cae2a948f0adb4cd71df2f17e806565caaa0698dc262a484012e8c5d9d8cc6d0f4ef77983ea6d79b6b8b3e03ec80b7ea1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iQIcBAEBCAAGBQJTnmcWAAoJECRx6z5ArFrDjuEP/jv7eatcWn4mAhQGxv1tYzVu
-PlfD2QcHMk+Y8XNip/YtTzBJYNylm5TG87eaNR5R8PUaMEgRZ12H6E+4bNfQ/RPS
-F8yYg4ZyGepGREbj2xmbgtmcFAALjzafZasdLkxsoDMnu8G3yr6qg0/QMF28py7o
-vc0e0GqSR4lQEd00j4OayQIzMRXbYxb+OKtuVd8AS2NooO1ADiljYezXWJP+8YYs
-+FmeSwjT9RE+HD0ZZrUs3MK99BWBf1iO066iEV4E+UAuxhTIMjU0qXnj6msxwUwj
-oeZ8oaWQju2Qs5QbSciN9R1QLEUiJTapC5IjLDxN1UqfzXw2g5n/3Nzd+xtGHl1b
-n5egqc1BHSYnoGdN5dXxQY1K+2yfKa3DsvCVbXk30EKVUwYHMqgXl/u0D+vNwrVj
-U8K4RVKkPZXWGk5GKQUUROjI7ZppjHkX3oEkv97uNU/gZKsjFNB9+r8PF2qLwRT6
-ySHKp2rkdswu6K8UQQyI1tJ9dgrfuUY3njmA2pKKtutAzjbAzGaZz06H2e8csv5W
-vvohim+rQzbpsduNA+zwjFjU5tlF+xRE3aZSuInA/n24unNOissBLkg4iRckYWQQ
-hasBAU9sUmdtMor5GSZDIVZx3tabt86v652+DYImIttahXZlQ1FFhKNkcOR3tPmK
-weSVK1NO3HdmjJe9zUcs
-=L15a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+=SJB/
-----END PGP SIGNATURE-----
diff --git a/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
new file mode 100644
index 000000000000..7ab9bebb3364
--- /dev/null
+++ b/www-apps/horizon/files/2014.1.1-CVE-2014-3473.patch
@@ -0,0 +1,163 @@
+From 32a7b713468161282f2ea01d5e2faff980d924cd Mon Sep 17 00:00:00 2001
+From: Julie Pichon <jpichon@redhat.com>
+Date: Thu, 22 May 2014 16:45:03 +0100
+Subject: [PATCH] Fix multiple Cross-Site Scripting (XSS) vulnerabilities.
+
+ * Ensure user emails are properly escaped
+
+User emails in the Users and Groups panel are being passed through the
+urlize filter to transform them into clickable links. However, urlize
+expects input to be already escaped and safe. We should make sure to
+escape the strings first as email addresses are not validated and can
+contain any type of string.
+
+Closes-Bug: #1320235
+
+ * Ensure network names are properly escaped in the Launch Instance menu
+
+Closes-Bug: #1322197
+
+ * Escape the URLs generated for the Horizon tables
+
+When generating the Horizon tables, there was an assumption that only
+the anchor text needed to be escaped. However some URLs are generated
+based on user-provided data and should be escaped as well. Also escape
+the link attributes for good measure.
+
+ * Use 'reverse' to generate the Resource URLs in the stacks tables
+
+Closes-Bug: #1308727
+
+Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
+---
+ horizon/static/horizon/js/horizon.instances.js | 9 ++++++++-
+ horizon/tables/base.py | 4 +++-
+ openstack_dashboard/dashboards/admin/groups/tables.py | 3 ++-
+ openstack_dashboard/dashboards/admin/users/tables.py | 4 +++-
+ openstack_dashboard/dashboards/project/stacks/tables.py | 9 +++++++--
+ openstack_dashboard/dashboards/project/stacks/tabs.py | 6 ++++++
+ 6 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/horizon/static/horizon/js/horizon.instances.js b/horizon/static/horizon/js/horizon.instances.js
+index e8e9353..d4ef8a0 100644
+--- a/horizon/static/horizon/js/horizon.instances.js
++++ b/horizon/static/horizon/js/horizon.instances.js
+@@ -51,8 +51,15 @@ horizon.instances = {
+ $(this.get_network_element("")).each(function(){
+ var $this = $(this);
+ var $input = $this.children("input");
++ var name = $this.text().replace(/^\s+/,"")
++ .replace(/&/g, '&amp;')
++ .replace(/</g, '&lt;')
++ .replace(/>/g, '&gt;')
++ .replace(/"/g, '&quot;')
++ .replace(/'/g, '&#x27;')
++ .replace(/\//g, '&#x2F;');
+ var network_property = {
+- name:$this.text().replace(/^\s+/,""),
++ name:name,
+ id:$input.attr("id"),
+ value:$input.attr("value")
+ };
+diff --git a/horizon/tables/base.py b/horizon/tables/base.py
+index 10aaa98..4aceb81 100644
+--- a/horizon/tables/base.py
++++ b/horizon/tables/base.py
+@@ -676,7 +676,9 @@ class Cell(html.HTMLElement):
+ link_classes = ' '.join(self.column.link_classes)
+ # Escape the data inside while allowing our HTML to render
+ data = mark_safe('<a href="%s" class="%s">%s</a>' %
+- (self.url, link_classes, escape(unicode(data))))
++ (escape(self.url),
++ escape(link_classes),
++ escape(unicode(data))))
+ return data
+
+ @property
+diff --git a/openstack_dashboard/dashboards/admin/groups/tables.py b/openstack_dashboard/dashboards/admin/groups/tables.py
+index 1f32da2..286c22b 100644
+--- a/openstack_dashboard/dashboards/admin/groups/tables.py
++++ b/openstack_dashboard/dashboards/admin/groups/tables.py
+@@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
+ class UsersTable(tables.DataTable):
+ name = tables.Column('name', verbose_name=_('User Name'))
+ email = tables.Column('email', verbose_name=_('Email'),
+- filters=[defaultfilters.urlize])
++ filters=[defaultfilters.escape,
++ defaultfilters.urlize])
+ id = tables.Column('id', verbose_name=_('User ID'))
+ enabled = tables.Column('enabled', verbose_name=_('Enabled'),
+ status=True,
+diff --git a/openstack_dashboard/dashboards/admin/users/tables.py b/openstack_dashboard/dashboards/admin/users/tables.py
+index b2032c4..9c6dc04 100644
+--- a/openstack_dashboard/dashboards/admin/users/tables.py
++++ b/openstack_dashboard/dashboards/admin/users/tables.py
+@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
+ email = tables.Column('email', verbose_name=_('Email'),
+ filters=(lambda v: defaultfilters
+ .default_if_none(v, ""),
+- defaultfilters.urlize))
++ defaultfilters.escape,
++ defaultfilters.urlize)
++ )
+ # Default tenant is not returned from Keystone currently.
+ #default_tenant = tables.Column('default_tenant',
+ # verbose_name=_('Default Project'))
+diff --git a/openstack_dashboard/dashboards/project/stacks/tables.py b/openstack_dashboard/dashboards/project/stacks/tables.py
+index e5f829a..1174746 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tables.py
++++ b/openstack_dashboard/dashboards/project/stacks/tables.py
+@@ -114,11 +114,16 @@ class StacksTable(tables.DataTable):
+ ChangeStackTemplate)
+
+
++def get_resource_url(obj):
++ return urlresolvers.reverse('horizon:project:stacks:resource',
++ args=(obj.stack_id, obj.resource_name))
++
++
+ class EventsTable(tables.DataTable):
+
+ logical_resource = tables.Column('resource_name',
+ verbose_name=_("Stack Resource"),
+- link=lambda d: d.resource_name,)
++ link=get_resource_url)
+ physical_resource = tables.Column('physical_resource_id',
+ verbose_name=_("Resource"),
+ link=mappings.resource_to_url)
+@@ -163,7 +168,7 @@ class ResourcesTable(tables.DataTable):
+
+ logical_resource = tables.Column('resource_name',
+ verbose_name=_("Stack Resource"),
+- link=lambda d: d.resource_name)
++ link=get_resource_url)
+ physical_resource = tables.Column('physical_resource_id',
+ verbose_name=_("Resource"),
+ link=mappings.resource_to_url)
+diff --git a/openstack_dashboard/dashboards/project/stacks/tabs.py b/openstack_dashboard/dashboards/project/stacks/tabs.py
+index c68464a..976541a 100644
+--- a/openstack_dashboard/dashboards/project/stacks/tabs.py
++++ b/openstack_dashboard/dashboards/project/stacks/tabs.py
+@@ -79,6 +79,9 @@ class StackEventsTab(tabs.Tab):
+ stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
+ events = api.heat.events_list(self.request, stack_identifier)
+ LOG.debug('got events %s' % events)
++ # The stack id is needed to generate the resource URL.
++ for event in events:
++ event.stack_id = stack.id
+ except Exception:
+ events = []
+ messages.error(request, _(
+@@ -99,6 +102,9 @@ class StackResourcesTab(tabs.Tab):
+ stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
+ resources = api.heat.resources_list(self.request, stack_identifier)
+ LOG.debug('got resources %s' % resources)
++ # The stack id is needed to generate the resource URL.
++ for r in resources:
++ r.stack_id = stack.id
+ except Exception:
+ resources = []
+ messages.error(request, _(
+--
+1.8.5.5
+
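Review bot: In the `horizon/tables/base.py` hunk of the embedded patch, `escape(self.url)` only prevents breaking out of the `href` attribute; a URL whose scheme is `javascript:` or `data:` passes through `escape()` untouched, so any column whose `link=` callable returns user-derived data can still yield a clickable XSS. The stacks tables avoid this for `logical_resource` by building the URL with `reverse`, but the `physical_resource` columns still use `mappings.resource_to_url`, whose implementation is not visible here, and the base renderer applies no scheme check. Consider rejecting unexpected schemes before rendering, e.g. `url = self.url if urlparse(self.url).scheme in ('', 'http', 'https') else ''` (needs `from urlparse import urlparse` on this Python 2 code) and passing `escape(url)` into the `mark_safe(...)` call. The enclosing `Cell` method starts and ends outside this hunk, so placement must be confirmed against the full file.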
diff --git a/www-apps/horizon/horizon-2014.1.1.ebuild b/www-apps/horizon/horizon-2014.1.1-r1.ebuild
index c1f4be7e6f80..82cfcbfaaf03 100644
--- a/www-apps/horizon/horizon-2014.1.1.ebuild
+++ b/www-apps/horizon/horizon-2014.1.1-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1.ebuild,v 1.1 2014/06/16 03:39:52 prometheanfire Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/horizon/horizon-2014.1.1-r1.ebuild,v 1.1 2014/07/08 16:09:14 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
@@ -41,6 +41,7 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
>=dev-python/django-compressor-1.3[${PYTHON_USEDEP}]
>=dev-python/django-openstack-auth-1.1.4[${PYTHON_USEDEP}]
>=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
+ >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
>=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
>=dev-python/lesscpy-0.9j[${PYTHON_USEDEP}]
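Review bot: The new `>=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]` runtime dependency is unrelated to CVE-2014-3473 and is mentioned neither in the commit message nor in the ChangeLog entry, so a reader of this security revbump cannot tell why it was added. A one-line note in the ChangeLog entry, e.g. `Also add missing httplib2 runtime dependency.`, would document it; alternatively split it into its own commit so the security fix stays reviewable on its own. The RDEPEND assignment starts and ends outside this hunk.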
@@ -59,6 +60,10 @@ RDEPEND=">=dev-python/django-1.4[${PYTHON_USEDEP}]
>=dev-python/pytz-2010h[${PYTHON_USEDEP}]
>=dev-python/six-1.5.2[${PYTHON_USEDEP}]"
+PATCHES=(
+ "${FILESDIR}/2014.1.1-CVE-2014-3473.patch"
+)
+
src_test() {
./run_tests.sh -N --coverage
}