Comment 4 for bug 1320235

Julie Pichon (jpichon) wrote : Re: Stored XSS for /admin/users/

I can reproduce the problem and Horizon should be escaping the data. Havana and possibly previous versions are also affected.

With regard to the security impact, I think it depends on whether one is using an external system to manage users or has modified the default Keystone permissions. If I understand correctly, by default the Keystone policy doesn't allow users to modify their own email. User creation and update appear to require admin rights ("You are not authorized to perform the requested action, admin_required. (HTTP 403)").

In itself, the problem is due to the use of the "urlize" filter to make the email address clickable. urlize expects the data to already be escaped. It looks like the filter is used in 2 places across the codebase, for users and groups management. I'll propose a fix.
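To illustrate the point about urlize, the following is an added example and not Horizon's or Django's own code. It is a deliberately small model of one property of Django's urlize filter: the filter wraps whatever text it is handed in anchor markup and only escapes that text when told to (in the template filter, as far as I recall, via an autoescape argument that defaults to None, with the result marked safe). Calling it directly on raw user data therefore inserts that data into HTML unescaped. The function names and the two sample e-mail values are constructed for the demonstration.

```python
import html
import re

# Added example, not Horizon or Django code. A minimal model of the contract
# Django's urlize has with its callers: the text it is given ends up inside
# HTML, and is escaped only when autoescape=True is passed. Django's real
# urlize also linkifies http(s):// and www. URLs and trims trailing
# punctuation; none of that matters for this bug.
EMAIL_RE = re.compile(r"^\S+@\S+\.\S+$")

# Constructed inputs: a benign address and one carrying markup, the kind of
# value a user-controlled e-mail field could hold.
SAFE_EMAIL = "alice@example.com"
HOSTILE_EMAIL = "<script>alert(1)</script>@example.com"


def urlize(text, autoescape=False):
    """Turn e-mail addresses in `text` into mailto: links.

    As with Django's filter, `text` is assumed to be HTML-safe already
    unless autoescape=True is passed, in which case it is escaped here.
    """
    out = []
    for chunk in re.split(r"(\s+)", text):  # keep the whitespace chunks
        if "@" in chunk and ":" not in chunk and EMAIL_RE.match(chunk):
            shown = html.escape(chunk) if autoescape else chunk
            out.append('<a href="mailto:%s">%s</a>' % (shown, shown))
        else:
            out.append(html.escape(chunk) if autoescape else chunk)
    return "".join(out)


def render_email_cell_unescaped(email):
    """The vulnerable pattern: raw user data goes through urlize() with the
    default (no autoescape) and the result is then treated as safe HTML."""
    return urlize(email)


def render_email_cell_escaped(email):
    """The fix: escape first, then linkify. Passing autoescape=True to
    urlize() produces the same output."""
    return urlize(html.escape(email))


if __name__ == "__main__":
    for email in (SAFE_EMAIL, HOSTILE_EMAIL):
        print("unescaped:", render_email_cell_unescaped(email))
        print("escaped:  ", render_email_cell_escaped(email))
```

Running it shows the hostile value coming back with its script tag intact from the unescaped path, and as `&lt;script&gt;...` from the escaped path; the benign address is linkified identically either way, which is why the bug is easy to miss in normal use.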