
yahoo-eng-team team mailing list archive

[Bug 1469147] Re: Can not delete container with XSS-injected name

 

** Changed in: horizon
       Status: Fix Committed => Fix Released

** Changed in: horizon
    Milestone: None => liberty-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1469147

Title:
  Can not delete container with XSS-injected name

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  Steps:
  1. Log in to Horizon Dashboard as admin user.
  2. Navigate to Project -> Object Store -> Containers page.
  3. Create Containers with names:
      3.1 '';!--"<XSS>=&{()}
      3.2 <IMG SRC="javascript:alert('XSS');">
      3.3 <IMG SRC=javascript:alert('XSS')>

  4. Try to delete these containers  ---  they can't be removed

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1469147/+subscriptions

