yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1469147] [NEW] Can not delete container with XSS-injected name

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Vlad Okhrimenko <vokhrimenko@xxxxxxxxxxxx>
Date: Fri, 26 Jun 2015 12:26:47 -0000
Reply-to: Bug 1469147 <1469147@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Steps:
1. Login to Horizon Dashboard as admin user.
2. Navigate to Project -> Object Store -> Containers page.
3. Create Containers with names:
    3.1 '';!--"<XSS>=&{()}
    3.2 <IMG SRC="javascript:alert('XSS');">
    3.3 <IMG SRC=javascript:alert('XSS')>

4. Try to delete these containers  ---  they can't be removed

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1469147

Title:
  Can not delete container with XSS-injected name

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  Steps:
  1. Login to Horizon Dashboard as admin user.
  2. Navigate to Project -> Object Store -> Containers page.
  3. Create Containers with names:
      3.1 '';!--"<XSS>=&{()}
      3.2 <IMG SRC="javascript:alert('XSS');">
      3.3 <IMG SRC=javascript:alert('XSS')>

  4. Try to delete these containers  ---  they can't be removed

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1469147/+subscriptions

Follow ups

[Bug 1469147] Re: Can not delete container with XSS-injected name
From: Doug Hellmann, 2015-07-28
[Bug 1469147] [NEW] Can not delete container with XSS-injected name
From: Vlad Okhrimenko, 2015-06-26

References

[Bug 1469147] [NEW] Can not delete container with XSS-injected name
From: Vlad Okhrimenko, 2015-06-26