#1138845 OSSN-0097 Horizon RC file generation does not escape special characters in project
- Package: src:horizon
- Source: src:horizon
- Submitter: Thomas Goirand
- Date: 2026-06-17 18:43:02 UTC
- Severity: normal
- Tags:
Copying the security announce:

OSSN-0097: Horizon RC file generation does not escape special characters in project names

== Summary ==
Horizon generates shell scripts for OpenStack RC file downloads with user-provided values in double-quoted strings without escaping shell metacharacters. A domain manager can set a project name containing $() or backtick sequences that execute arbitrary commands when a user sources the RC file.

== Affected Services / Software ==
- horizon: >=8.0.0 <25.3.3, >=25.4.0 <25.5.3, >=25.6.0 <25.7.4

== Discussion ==
A domain manager who can rename a project can inject commands that run in the shell of any user who downloads and sources the RC file for that project.

== Recommended Actions ==
Upgrade to a version of horizon containing the fix. As a workaround, inspect downloaded RC files before sourcing them, or use clouds.yaml for CLI authentication instead.

=== Patches ===
The following reviews contain the fix for this issue:

2026.2/hibiscus (master): https://review.opendev.org/c/openstack/horizon/+/990661
2026.1/gazpacho: https://review.opendev.org/c/openstack/horizon/+/991038
2025.2/flamingo: https://review.opendev.org/c/openstack/horizon/+/991039
2025.1/epoxy: https://review.opendev.org/c/openstack/horizon/+/991040

== Credits ==
Tim Shephard, roiai.ca

== Contacts / References ==
* Authors: Goutham Pacha Ravi, Red Hat
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0097
* Original Launchpad bug: https://launchpad.net/bugs/2152240
* Mailing List : [security-sig] tag on openstack-discuss@lists.openstack.org
* OpenStack Security : https://security.openstack.org/
* CVE: none
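The announcement's bug class and its "inspect downloaded RC files before sourcing them" workaround, as an added example (this is not Horizon's code and not the upstream patch): it escapes a value for a double-quoted shell string and audits `export NAME="..."` lines for anything the shell would still act on. The function names, the sample RC lines and the keystone.example.test URL are constructed for illustration.

```python
import re

# Characters that stay special inside a POSIX double-quoted string.
_DQ_SPECIAL = re.compile(r'([\\"$`])')
# Matches: export NAME="...   (group 2 is everything after the opening quote)
_EXPORT = re.compile(r'^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)="(.*)$')


def escape_dq(value):
    """Backslash-escape a value for embedding in a double-quoted shell string."""
    return _DQ_SPECIAL.sub(r'\\\1', value)


def scan_value(rest):
    """Walk a double-quoted body and list constructs the shell would act on."""
    findings, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == '\\':                      # backslash: next char is not special
            i += 2
            continue
        if ch == '"':                       # closing quote: string ends here
            if rest[i + 1:].strip():
                findings.append('text after closing quote')
            return findings
        if ch == '`' or rest.startswith('$(', i):
            findings.append('command substitution')
        elif ch == '$' and re.match(r'[A-Za-z_{]', rest[i + 1:i + 2]):
            findings.append('variable expansion')
        i += 1
    findings.append('unterminated string')
    return findings


def audit_rc(text):
    """Return (line number, variable, finding) for every suspicious export."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _EXPORT.match(line)
        if m:
            report += [(lineno, m.group(1), f) for f in scan_value(m.group(2))]
    return report


# Constructed sample data: a hostile project name and a two-line RC file.
PROJECT = 'demo $(echo injected) `echo injected`'
TEMPLATE = ('export OS_AUTH_URL="https://keystone.example.test/v3"\n'
            'export OS_PROJECT_NAME="{}"\n')
UNSAFE_RC = TEMPLATE.format(PROJECT)             # value interpolated as-is
SAFE_RC = TEMPLATE.format(escape_dq(PROJECT))    # value escaped first

if __name__ == '__main__':
    for name, rc in (('unescaped', UNSAFE_RC), ('escaped', SAFE_RC)):
        print(name, audit_rc(rc))
```

The checker only reads `export NAME="..."` lines and never executes the file; anything it reports in a freshly downloaded RC file is worth reading by hand before sourcing.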
Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/f0b88071c6557cf13e6043771123438bc89ec4c8

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
* Refresh patches.
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/32942f2b574ae87d15f02d9c0df36caf815a718c

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/b566ab1d93809e99ef906f5cd21529fc33e52b48

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/81a61f425b19c51b277915c324b996eec5a61c1b

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/7944e9349a750bb7f1a0dc9514a245519231e084

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/645758591007b26ae720db036dd670fd73194ed3

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/37f51c7fc6c14d7112043b4b5b19e0ab67c109d4

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/1b37031b2ca8a085b3925cfc8d71d4735d51af3a

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/011137e1e545b516d8a1200ad853afe4f0381a7a

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/2902dba4f0d220eff22d287afc680b200bd6a7e0

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/3caece1bdaa0c66246e5aaa75edec7703f7e4e76

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/4f5a98c6abcc789291955effee064f01174bb7ef

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

Hello,

Bug #1138845 in horizon reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/horizon/-/commit/b5748bd1d2a764260a437ed88df61b7e9affc6ae

------------------------------------------------------------------------
* OSSN-0097: Horizon RC file generation does not escape special characters in project. Applied upstream patch: "Escape $ character in shellfilter, and use it consistently" (Closes: #1138845).
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1138845

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138845@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated horizon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 04 Jun 2026 23:29:18 +0200
Source: horizon
Architecture: source
Version: 3:25.7.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138845
Changes:
horizon (3:25.7.3-2) unstable; urgency=medium
.
* OSSN-0097: Horizon RC file generation does not escape special characters in
project. Applied upstream patch: "Escape $ character in shellfilter, and
use it consistently" (Closes: #1138845).
* Refresh patches.
Format: 1.8
Date: Tue, 09 Jun 2026 10:38:23 +0200
Source: horizon
Architecture: source
Version: 3:23.0.0-5+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138845
Changes:
horizon (3:23.0.0-5+deb12u2) bookworm; urgency=medium
.
* OSSN-0097: Horizon RC file generation does not escape special characters in
project. Applied upstream patch: "Escape $ character in shellfilter, and
use it consistently" (Closes: #1138845).
Format: 1.8
Date: Tue, 09 Jun 2026 10:20:14 +0200
Source: horizon
Architecture: source
Version: 3:25.3.0-3+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1138845
Changes:
horizon (3:25.3.0-3+deb13u1) trixie; urgency=medium
.
* OSSN-0097: Horizon RC file generation does not escape special characters in
project. Applied upstream patch: "Escape $ character in shellfilter, and
use it consistently" (Closes: #1138845).