Attachment 833694 Details for Bug 1034153 – cve-2013-6858-stable-havana.patch

[patch] cve-2013-6858-stable-havana.patch

cve-2013-6858-stable-havana.patch (text/plain), 3.44 KB, created by Kurt Seifried on 2013-12-06 17:39:38 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kurt Seifried

Created: 2013-12-06 17:39:38 UTC

Size: 3.44 KB

patch

obsolete

>From: Rob Raymond <rob.raymond@hp.com>
>Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
>Subject: Fix bug by escaping strings from Nova before displaying them
>X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6179f70290783e55b10bbd4b3b7ee74db3f8ef70
>
>Fix bug by escaping strings from Nova before displaying them
>
>Fixes bug #1247675
>
>(cherry-picked from commit b8ff480)
>Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
>---
>
>diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
>index 17008f5..e5a3c69 100644
>--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
>+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
>@@ -15,6 +15,7 @@
> #    under the License.
> 
> from django.core.urlresolvers import reverse  # noqa
>+from django.utils import html
> from django.utils.http import urlencode  # noqa
> from django.utils import safestring
> from django.utils.translation import ugettext_lazy as _  # noqa
>@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
>         volume = snapshot._volume
>         if volume:
>             volume_name = volume.display_name or volume.id
>+            volume_name = html.escape(volume_name)
>         else:
>             volume_name = _("Unknown")
>         return safestring.mark_safe(volume_name)
>diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
>index c84bf00..f993f18 100644
>--- a/openstack_dashboard/dashboards/project/volumes/tables.py
>+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
>@@ -17,7 +17,7 @@
> from django.core.urlresolvers import NoReverseMatch  # noqa
> from django.core.urlresolvers import reverse  # noqa
> from django.template.defaultfilters import title  # noqa
>-from django.utils.html import strip_tags  # noqa
>+from django.utils import html
> from django.utils import safestring
> from django.utils.translation import string_concat  # noqa
> from django.utils.translation import ugettext_lazy as _  # noqa
>@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
>                                          "attachment information."))
>     try:
>         url = reverse("horizon:project:instances:detail", args=(server_id,))
>-        instance = '<a href="%s">%s</a>' % (url, name)
>+        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
>     except NoReverseMatch:
>         instance = name
>     return instance
>@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
>             # without the server name...
>             instance = get_attachment_name(request, attachment)
>             vals = {"instance": instance,
>-                    "dev": attachment["device"]}
>+                    "dev": html.escape(attachment["device"])}
>             attachments.append(link % vals)
>         return safestring.mark_safe(", ".join(attachments))
> 
>@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
>     def get_object_display(self, attachment):
>         instance_name = get_attachment_name(self.request, attachment)
>         vals = {"dev": attachment['device'],
>-                "instance_name": strip_tags(instance_name)}
>+                "instance_name": html.escape(instance_name)}
>         return _("%(dev)s on instance %(instance_name)s") % vals
> 
>     def get_object_by_id(self, obj_id):

Actions: View | Diff

Attachments on bug 1034153: 833693 | 833694 | 833696