Comment 1 for bug 1349491
Revision history for this message
| Julie Pichon (jpichon) wrote Re: Persistent XSS in the Host Aggregates interface | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Thank you for the bug report. I just reproduced on the master branch.
This is happening for the AZ name in the metadata column. This is caused by horizon using the 'unordered_list' django filter outside the context of a template, causing autoescaping not to be switched on and the input not to be sanitised. A quick check suggests this is the only file in the codebase where we're using this filter.
With regard to the impact, I think it is limited because only admins are allowed to create host aggregates and availability zones.
As indicated in the description Icehouse is likely affected too. The aggregates panel didn't exist in Havana. In Havana though, the 'unordered_list' filter was used when displaying availability zones in the System Info admin panel (read-only from the dashboard at the time). I'll test and backport the fix there too just to be safe.