Image Create/Edit Description field cannot contain newlines

Bug #1370732 reported by Nicolas Simonds
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| OpenStack Dashboard (Horizon) | Fix Released | Medium | Nicolas Simonds | |
| Juno | Fix Released | Medium | Matthias Runge | |

Bug Description

With the Glance v1 API, Horizon does no input sanitization on the Image Description field, so newlines in the Description will be sent along verbatim, breaking the session.

A simple test case to reproduce:

1. Stand up a Devstack, log in to Horizon, and go to the Project » Images page
2. Edit an image
3. Set the description to "foo\n\nbar" (i.e., "foo", two newlines, then "bar")
4. Set the name to "foo bar"

Expected behaviour:

The name of the image changes to "foo bar", and the description (on the Detail page) changes to "foo\n\nbar"

Actual behaviour:

The name is unchanged, and the description is set to "foo". The glance-api session on Devstack will also report an HTTP 400 error.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122257

Changed in horizon:
assignee: nobody → Nicolas Simonds (nicolas.simonds)
status: New → In Progress
Cindy Lu (clu-m)
Changed in horizon:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/122257
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=363ccf7b39bb14624e60ee1aa1f08f4e3f5f0642
Submitter: Jenkins
Branch: master

commit 363ccf7b39bb14624e60ee1aa1f08f4e3f5f0642
Author: Nicolas Simonds <email address hidden>
Date: Wed Sep 17 14:49:08 2014 -0700

    Make Image Description an input field instead of a textarea

    The glanceclient passes the value of the "Description" field as
    HTTP headers to the API, completely unmodified. If there are
    newlines in the content, it corrupts the headers and creates havoc.

    Encoding/decoding the results is not viable, since arbitrary (and
    not necessarily controlled by anyone) clients can retrieve the data. So as
    a dodge, use a normal <input> field for Description instead of
    <textarea> field, as newlines are not permitted in the former.

    Closes-Bug: 1370732
    Change-Id: I0231eaa693e7f36699fda6e011db8c976b639411

Changed in horizon:
status: In Progress → Fix Committed
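
The failure mode described in the commit message above, as an added example that is not part of the original report or Horizon's code: a value containing a blank line ends the header block early when it is written into headers unchecked, and a server-side check rejects such values before they are serialized. The header names, helper functions and sample input are assumptions chosen for illustration.

```python
import http.client
import io

# Assumed header names, for illustration only.
DESC_HDR = "x-image-meta-property-description"
NAME_HDR = "x-image-meta-name"


def serialize(fields):
    """Write (name, value) pairs as header lines with no validation."""
    lines = ["%s: %s\r\n" % (key, value) for key, value in fields]
    return ("".join(lines) + "\r\n").encode("latin-1")


def received_headers(raw):
    """Parse a header block the way the standard library's HTTP code reads one."""
    msg = http.client.parse_headers(io.BytesIO(raw))
    return dict(msg.items())


def check_header_value(value):
    """Reject values that cannot travel inside a single header line."""
    for ch in value:
        if ch in "\r\n" or (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise ValueError("control character %r not allowed in header value" % ch)
    return value


def serialize_checked(fields):
    """Same as serialize(), but every value is validated first."""
    return serialize([(key, check_header_value(value)) for key, value in fields])


# Constructed input that mirrors the reproduction steps in the bug description.
SAMPLE = [(DESC_HDR, "foo\n\nbar"), (NAME_HDR, "foo bar")]

if __name__ == "__main__":
    # Unchecked: the blank line inside the description terminates the headers,
    # so the description is cut to "foo" and the name header is never seen.
    print(received_headers(serialize(SAMPLE)))
    try:
        serialize_checked(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

In a Django form the same check would sit in the field's validators, so it applies to any submitted value regardless of which HTML widget rendered the field.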
Akihiro Motoki (amotoki)
Changed in horizon:
milestone: none → kilo-1
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/165067

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/165100

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/juno)

Reviewed: https://review.openstack.org/165067
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=04d07dab7fe15cf1b773326c662018ea9fa8ef75
Submitter: Jenkins
Branch: stable/juno

commit 04d07dab7fe15cf1b773326c662018ea9fa8ef75
Author: Nicolas Simonds <email address hidden>
Date: Wed Sep 17 14:49:08 2014 -0700

    Make Image Description an input field instead of a textarea

    The glanceclient passes the value of the "Description" field as
    HTTP headers to the API, completely unmodified. If there are
    newlines in the content, it corrupts the headers and creates havoc.

    Encoding/decoding the results is not viable, since arbitrary (and
    not necessarily controlled by anyone) clients can retrieve the data. So as
    a dodge, use a normal <input> field for Description instead of
    <textarea> field, as newlines are not permitted in the former.

    Closes-Bug: 1370732
    Change-Id: I0231eaa693e7f36699fda6e011db8c976b639411
    (cherry picked from commit 363ccf7b39bb14624e60ee1aa1f08f4e3f5f0642)

tags: added: in-stable-juno
Thierry Carrez (ttx)
Changed in horizon:
milestone: kilo-1 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (stable/icehouse)

Change abandoned by Jeremy Stanley (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/165100
Reason: This branch has reached end of life and is being deleted.
