[Yahoo-eng-team] [Bug 1449260] Re: Sanitation of metadata label
** Changed in: horizon
Status: Fix Released = Fix Committed
** Tags added: icehouse-backport-potential juno-backport-potential kilo-
backport-potential
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1449260
Title:
Sanitation of metadata label
Status in OpenStack Dashboard (Horizon):
Fix Committed
Status in OpenStack Security Advisories:
Triaged
Bug description:
1) Start up Horizon
2) Go to Images
3) Next to an image, pick Update Metadata
4) From the dropdown button, select Update Metadata
5) In the Custom box, enter a value with some HTML like
'/scriptscriptalert(1)/script//', click +
6) On the right-hand side, give it a value, like ee
7) Click Save
8) Pick Update Metadata for the image again, the page will fail to load,
and the JavaScript console says:
SyntaxError: invalid property id
var existing_metadata = {
An alternative is if you change the URL to update_metadata for the
image (for example,
http://192.168.122.239/admin/images/fa62ba27-e731-4ab9-8487-f31bac355b4c/update_metadata/),
it will actually display the alert box and a bunch of junk.
I'm not sure if update_metadata is actually a page, though... can't
figure out how to get to it other than typing it in.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1449260/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1449260] Re: Sanitation of metadata label
** Changed in: horizon
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1449260
Title:
Sanitation of metadata label
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Security Advisories:
Triaged
Bug description:
1) Start up Horizon
2) Go to Images
3) Next to an image, pick Update Metadata
4) From the dropdown button, select Update Metadata
5) In the Custom box, enter a value with some HTML like
'/scriptscriptalert(1)/script//', click +
6) On the right-hand side, give it a value, like ee
7) Click Save
8) Pick Update Metadata for the image again, the page will fail to load,
and the JavaScript console says:
SyntaxError: invalid property id
var existing_metadata = {
An alternative is if you change the URL to update_metadata for the
image (for example,
http://192.168.122.239/admin/images/fa62ba27-e731-4ab9-8487-f31bac355b4c/update_metadata/),
it will actually display the alert box and a bunch of junk.
I'm not sure if update_metadata is actually a page, though... can't
figure out how to get to it other than typing it in.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1449260/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
