Merge lp:~julian-edwards/maas/1.4-xss-bug-1251336 into lp:maas/1.4

Proposed by Julian Edwards
Status: Merged
Approved by: Julian Edwards
Approved revision: no longer in the source branch.
Merged at revision: 1717
Proposed branch: lp:~julian-edwards/maas/1.4-xss-bug-1251336
Merge into: lp:maas/1.4
Diff against target: 71 lines (+17/-4)
4 files modified
src/maasserver/api_support.py (+2/-2)
src/maasserver/tests/test_api.py (+11/-0)
src/maasserver/tests/test_api_enlistment.py (+1/-1)
src/maasserver/views/combo.py (+3/-1)
To merge this branch: bzr merge lp:~julian-edwards/maas/1.4-xss-bug-1251336
Reviewer Review Type Date Requested Status
Julian Edwards (community) Approve
Review via email: mp+205072@code.launchpad.net

Commit message

Fix XSS in API calls that have no valid operation

Revision history for this message
Julian Edwards (julian-edwards) wrote :

Selfing. Approved on trunk.

review: Approve

Preview Diff

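--- a/src/maasserver/api_support.py
+++ b/src/maasserver/api_support.py
@@ -19,7 +19,7 @@
 ]
 
 from django.core.exceptions import PermissionDenied
-from django.http import HttpResponseBadRequest
+from maasserver.exceptions import MAASAPIBadRequest
 from piston.handler import (
     AnonymousBaseHandler,
     BaseHandler,
@@ -141,7 +141,7 @@
         signature = request.method.upper(), request.REQUEST.get("op")
         function = self.exports.get(signature)
         if function is None:
-            return HttpResponseBadRequest(
+            raise MAASAPIBadRequest(
                 "Unrecognised signature: %s %s" % signature)
         else:
             return function(self, request, *args, **kwargs)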
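Review bot: The body still echoes the raw request-supplied `op` value through `"Unrecognised signature: %s %s" % signature`; the commit makes that safe only because MAASAPIBadRequest is rendered as text/plain, and that rendering lives outside this hunk, so the invariant should be stated at the raise site: `# Echoes request-supplied data: MAASAPIBadRequest must stay text/plain, never HTML.` If this message is ever reused in an HTML-rendered response the reflection comes back. Note also that request.REQUEST merges GET and POST, so the value can arrive either way, while the test added in test_api.py exercises only GET. The enclosing method starts outside the hunk.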
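--- a/src/maasserver/tests/test_api.py
+++ b/src/maasserver/tests/test_api.py
@@ -101,6 +101,17 @@
         self.assertThat(observed, MatchesListwise(expected))
 
 
+class TestXSSBugs(MAASServerTestCase):
+    """Tests for making sure we don't allow cross-site scripting bugs."""
+
+    def test_invalid_signature_response_is_textplain(self):
+        response = self.client.get(
+            reverse('nodes_handler'),
+            {'op': '<script>alert(document.domain)</script>'})
+        self.assertIn("text/plain", response.get("Content-Type"))
+        self.assertNotIn("text/html", response.get("Content-Type"))
+
+
 class TestStoreNodeParameters(MAASServerTestCase):
     """Tests for `store_node_power_parameters`."""
 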
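Review bot: test_invalid_signature_response_is_textplain never checks that the request actually reached the unrecognised-signature path, so any text/plain reply from `nodes_handler` (a successful listing, a plain-text 404) would pass vacuously. Pin the path as test_api_enlistment.py does: `self.assertEqual(httplib.BAD_REQUEST, response.status_code)` and `self.assertIn("Unrecognised signature", response.content)` (assuming httplib is importable in this module). Because the dispatcher reads `op` from request.REQUEST, a POST variant of the same assertions would cover the other way the payload can arrive.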
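--- a/src/maasserver/tests/test_api_enlistment.py
+++ b/src/maasserver/tests/test_api_enlistment.py
@@ -254,7 +254,7 @@
             })
 
         self.assertEqual(httplib.BAD_REQUEST, response.status_code)
-        self.assertIn('text/html', response['Content-Type'])
+        self.assertIn('text/plain', response['Content-Type'])
         self.assertEqual(
             "Unrecognised signature: POST None",
             response.content)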
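--- a/src/maasserver/views/combo.py
+++ b/src/maasserver/views/combo.py
@@ -97,7 +97,9 @@
             return HttpResponseRedirect(
                 "%s%s" % (default_redirect, fnames[0]))
         else:
-            return HttpResponseBadRequest("Invalid file type requested.")
+            return HttpResponseBadRequest(
+                "Invalid file type requested.",
+                content_type="text/plain; charset=UTF-8")
     content = "".join(
         [content.decode(encoding) for content in combine_files(
             fnames, location, resource_prefix='/', rewrite_urls=True)])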
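Review bot: Nothing records why the explicit `content_type` is on this HttpResponseBadRequest, so a later cleanup could drop it; add `# Plain text on purpose: Django error responses default to text/html and must not render as markup here.` above the return. The message on this line is a constant, so the change is defence in depth rather than closing a reflection, and any other error return in this view (the function starts and ends outside the hunk) would warrant the same treatment. Factoring the "text/plain; charset=UTF-8" literal into a module constant would keep the two places in this branch that now set it from drifting apart.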
