The special character is allowed by default, tested in nova's and cinder's master branches. And I guess most of the projects allow those characters as the community doesn't have an explicit red line for this :)
Adam Heczko <ahec...@mirantis.com> wrote on Fri, Nov 17, 2017 at 8:33 PM:

> Thanks TommyLike for this bug report. Sounds like Stored XSS [1].
> Could you please share more details, e.g. branch / release, APIs tested etc.?
>
> [1] https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
>
> On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <dava...@gmail.com> wrote:
>
>> Adding [api] to make sure the API (SIG?) sees this too
>>
>> On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <tommylik...@gmail.com> wrote:
>> > Hey all,
>> > Recently, while integrating and testing OpenStack services, we found
>> > there is a potential script injection issue: some of our services accept
>> > input with special characters [1] [2]; for instance, we can create an
>> > instance or a volume with the name '<script>script inside</script>'. One
>> > of the possible solutions is to add HTML encode/decode support in Horizon, but
>> > it's not guaranteed every OpenStack user is using Horizon. So should we
>> > apply a stricter restriction on user input?
>> > Also, I found Google Cloud has a strict and explicit restriction in
>> > their instance insert API document [3].
>> >
>> > [1]: Nova:
>> > https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
>> > [2]: Cinder:
>> > https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
>> > [3]: Google Cloud:
>> > https://cloud.google.com/compute/docs/reference/latest/instances/insert
>> >
>> > Thanks
>> > TommyLike.Hu
>> >
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> --
>> Davanum Srinivas :: https://twitter.com/dims
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
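The two mitigations the thread weighs, shown side by side as an added Python example that is not part of the mailing-list discussion or of any OpenStack project's code: output encoding of a stored resource name at render time (the Horizon-side fix) next to a strict API-side name rule plus an audit check over already-stored names. The strict pattern is an assumption modelled on an RFC 1035-style label, not a rule quoted from the thread or from Google's documentation, and the sample names are constructed.

```python
import html
import re

# Constructed sample resource names, as a caller might submit to a create-server
# or create-volume API (not real data from the thread).
SAMPLE_NAMES = [
    "web-server-01",
    "<script>script inside</script>",
    'db "primary" & replica',
]

# Strict name rule (assumption): RFC 1035-style label made of lowercase letters,
# digits and hyphens, 1-63 chars, starting with a letter, not ending with a hyphen.
STRICT_NAME_RE = re.compile(r"[a-z]([-a-z0-9]{0,61}[a-z0-9])?")

# Characters that change meaning once a name is interpolated into HTML.
HTML_SIGNIFICANT = set('<>&"\'')


def is_strict_name(name: str) -> bool:
    """API-side mitigation: reject anything outside the strict pattern."""
    return STRICT_NAME_RE.fullmatch(name) is not None


def render_name(name: str) -> str:
    """Output-side mitigation: escape before the name is placed in an HTML page."""
    return html.escape(name, quote=True)


def contains_markup(name: str) -> bool:
    """Audit check: does a stored name carry HTML-significant characters?"""
    return any(c in HTML_SIGNIFICANT for c in name)


def audit_names(names):
    """Return stored names worth reviewing, paired with their escaped rendering."""
    return [(n, render_name(n)) for n in names if contains_markup(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r}: strict={is_strict_name(name)} rendered={render_name(name)}")
    print("flagged:", audit_names(SAMPLE_NAMES))
```

Escaping at output is what protects every consumer of the API regardless of UI, while the strict rule is the API-side option the thread asks about; the audit function is for names that were stored before either was in place.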