This will need the VMT's attention, so please raise as an issue on launchpad and we can tag it as for the vmt members as a possible OSSA.
Apologies for top post, replying from phone.

On 17 Nov 2017 12:34 pm, "Adam Heczko" <ahec...@mirantis.com> wrote:

> Thanks TommyLike for this bug report. Sounds like Stored XSS [1].
> Could you please share more details, e.g. branch / release, APIs tested etc.?
>
> [1] https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
>
> On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <dava...@gmail.com> wrote:
>
>> Adding [api] to make sure the API (SIG?) sees this too
>>
>> On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <tommylik...@gmail.com> wrote:
>> > Hey all,
>> > Recently, when we were integrating and testing OpenStack services, we found there is a potential script injection issue: some of our services accept input with special characters [1] [2]. For instance, we can create an instance or a volume with the name '<script>script inside</script>'. One of the possible solutions is to add HTML encode/decode support in Horizon, but it's not guaranteed that every OpenStack user is using Horizon. So should we apply a stricter restriction on user input?
>> > Also, I found Google Cloud has a strict and explicit restriction in their instance insert API document [3].
>> >
>> > [1]: Nova:
>> > https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
>> > [2]: Cinder:
>> > https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
>> > [3]: Google Cloud:
>> > https://cloud.google.com/compute/docs/reference/latest/instances/insert
>> >
>> > Thanks
>> > TommyLike.Hu
>> >
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>> --
>> Davanum Srinivas :: https://twitter.com/dims
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
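The thread weighs two places to break a stored XSS chain: restricting resource names at the API (so a `<script>` tag never gets stored) versus encoding at render time in Horizon (which protects Horizon but not a third-party client that renders API data raw). The following is an added example, not code from Nova, Cinder or Horizon; the strict allow-list pattern is an assumption loosely modelled on the Google Cloud naming rule the thread points to, not the regex Nova's parameter_types.py actually uses, and the sample names are constructed.

```python
"""Input restriction vs. output encoding for a stored name field.

Added example, not OpenStack project code. STRICT_NAME_RE is an assumed
allow-list, not the pattern Nova or Cinder enforce.
"""
import html
import re

# Constructed sample inputs; the second is the payload shape from the thread.
SAMPLE_NAMES = [
    "web-01",
    "<script>script inside</script>",
    "db server 2",
    "",
]

# Assumed strict rule: one lowercase letter, then up to 62 lowercase
# letters, digits or hyphens. Anything else (spaces, angle brackets,
# empty string) is rejected before it reaches the database.
STRICT_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")


def is_valid_strict_name(name: str) -> bool:
    """API-side defence: refuse names outside the allow-list."""
    return bool(STRICT_NAME_RE.match(name))


def render_unsafe(name: str) -> str:
    """Vulnerable consumer pattern: stored data interpolated into HTML as-is.

    A dashboard or report that does this turns a stored '<script>' name
    into executable markup for every viewer.
    """
    return "<td>%s</td>" % name


def render_name_cell(name: str) -> str:
    """UI-side defence: encode at render time, store the name unchanged.

    html.escape converts < > & " ' into entities, so the tag becomes
    inert text in the page rather than markup.
    """
    return "<td>%s</td>" % html.escape(name, quote=True)


def contains_raw_script_tag(rendered: str) -> bool:
    """Detection helper: did a literal <script tag survive into the HTML?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def triage(names):
    """For each name, report whether the API allow-list would accept it
    and whether an unencoding consumer would emit a raw script tag."""
    report = []
    for name in names:
        report.append({
            "name": name,
            "accepted_by_strict_api": is_valid_strict_name(name),
            "raw_tag_if_unencoded": contains_raw_script_tag(render_unsafe(name)),
            "raw_tag_if_encoded": contains_raw_script_tag(render_name_cell(name)),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_NAMES):
        print(row)
```

Run as a script, the report shows the trade-off the thread describes: `render_name_cell` neutralises the payload for any consumer that uses it, while `is_valid_strict_name` is the only one of the two that protects a consumer which behaves like `render_unsafe`, at the cost of refusing legitimate names with spaces or mixed case.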