horizon/openstack_dashboard/dashboards/admin/overview
Adam Harwell 70629916fe Use quoting for CSV Writing
An attacker could create an instance with a malicious name beginning
with an equals sign (=) or at sign (@).
These are both recognized in Excel as metacharacters for a formula. The
attacker can create an instance name that includes a payload that will
execute code such as:
=cmd|' /C calc'!A0
This payload opens the calculator program when the resulting CSV is
opened on a Windows machine with Microsoft Excel. An attacker could
easily substitute this payload with another that runs any arbitrary
shell commands.

Quote the CSV output so this is no longer a possibility.

Closes-Bug: #1842749
Change-Id: I937fa2a14bb483d87f057b3e8be219ecdc9363eb
2019-10-11 19:52:08 +00:00
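The injection described in the commit message, worked through in Python as an added example (this is not Horizon's code and does not reproduce the actual change to views.py). `write_csv_vulnerable` is the default `csv.writer` behaviour, which only quotes fields that contain a delimiter, quote or newline, so the payload lands at the very start of the cell. `write_csv_hardened` quotes every field as the commit does, and additionally prefixes formula-like cells with a single quote, following the OWASP CSV-injection guidance: quoting on its own is widely documented as insufficient, because Excel strips the CSV quotes and still evaluates a cell whose first character is `=`. The sample rows, the helper names and the set of trigger characters beyond `=` and `@` are constructed here, not taken from the page.

```python
import csv
import io

# Characters spreadsheet applications treat as the start of a formula. The
# commit message names '=' and '@'; '+', '-', tab and CR are the other triggers
# commonly listed (OWASP), included here as an assumption of this example.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample usage report: the second row carries the instance name
# quoted in the commit message as its payload.
SAMPLE_ROWS = [
    ("Instance Name", "VCPUs", "RAM (MB)", "Uptime"),
    ("=cmd|' /C calc'!A0", "2", "4096", "3 days"),
    ("web-01", "1", "2048", "12 hours"),
]


def is_formula_like(value):
    """True when a spreadsheet would parse the cell as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_PREFIXES)


def write_csv_vulnerable(rows):
    """Default csv.writer (QUOTE_MINIMAL): the payload contains no comma,
    quote or newline, so it is written unquoted as the first bytes of the cell."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def neutralize_cell(value):
    """Hypothetical helper: prefix a formula-like cell with a single quote so
    the spreadsheet stores it as text instead of evaluating it."""
    if is_formula_like(value):
        return "'" + value
    return value


def write_csv_hardened(rows):
    """Quote every field (what the commit does) and neutralize formula
    prefixes on top of that."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def first_cell_of_row(csv_text, index):
    """Parse the CSV back and return the first cell of row `index`, i.e. the
    value a spreadsheet sees once CSV quoting has been removed."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    return rows[index][0]


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(write_csv_vulnerable(SAMPLE_ROWS))
    print("--- hardened ---")
    print(write_csv_hardened(SAMPLE_ROWS))
```

Because `-` is one of the trigger characters, `neutralize_cell` also rewrites legitimate strings such as "-5"; apply it to free-text columns (names, descriptions) and emit genuinely numeric columns as numbers rather than strings.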
templates/overview usage.html doesn't need such specific styles. 2015-12-03 16:17:46 +00:00
__init__.py Splits OpenStack Dashboard bits from framework app code. 2012-10-11 11:47:50 -07:00
panel.py Rework hardcoded policy in admin dash 2016-11-18 15:42:16 -07:00
tests.py Use quoting for CSV Writing 2019-10-11 19:52:08 +00:00
urls.py Update URLs to Django 1.8+ style 2016-03-28 11:03:08 +01:00
views.py Switch from django string_concat to format_lazy 2019-07-19 16:50:16 -04:00