← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1667086] Re: XSS in federation mappings UI

 

Reviewed:  https://review.openstack.org/442277
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=a835dbfbaa2c70329c08d4b8429d49315dc6d651
Submitter: Jenkins
Branch:    master

commit a835dbfbaa2c70329c08d4b8429d49315dc6d651
Author: Richard Jones <r1chardj0n3s@xxxxxxxxx>
Date:   Tue Mar 7 16:55:39 2017 +1100

    Remove dangerous safestring declaration
    
    This declaration allows XSS content through the JSON and
    is unnecessary for correct rendering of the content anyway.
    
    Change-Id: I82355b37108609ae573237424e528aab86a24efc
    Closes-Bug: 1667086


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1667086

Title:
  XSS in federation mappings UI

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Found in Mitaka

  Steps:
  - Setup federation in keystone and horizon
  - Launch and login to horizon as an admin
  - Click on the Federation->Mappings tab
  - Create or update a mapping with the following content that contains javascript

  [
      {
          "local": [
              {
                  "domain": {
                      "name": "Default"
                  },
                  "group": {
                      "domain": {
                          "name": "Default"
                      },
                      "name": "Federated Users"
                  },
                  "user": {
                      "name": "{<script>alert('test');</script>}",
                      "email": "{1}"
                  },
                  "groups": "{2}"
              }
          ],
          "remote": [
              {
                  "type": "REMOTE_USER"
              },
              {
                  "type": "MELLON_userEmail"
              },
              {
                  "type": "MELLON_groups"
              }
          ]
      }
  ]

  Now whenever this Federation->Mapping page is shown, the javascript
  will execute.

  It appears other pages in horizon protect against such attacks (such
  as Users, Groups, etc).  So I'm guessing that the rendering of this
  page just needs to be escaped to ignore tags.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1667086/+subscriptions