OSSN/OSSN-0097
Horizon RC file generation does not escape special characters in project names
Summary
Horizon generates shell scripts for OpenStack RC file downloads with user-provided values in double-quoted strings without escaping shell metacharacters. A domain manager can set a project name containing $() or backtick sequences that execute arbitrary commands when a user sources the RC file.
Affected Services / Software
- horizon: >=8.0.0 <25.3.3, >=25.4.0 <25.5.3, >=25.6.0 <25.7.4
Discussion
A domain manager who can rename a project can inject commands that run in the shell of any user who downloads and sources the RC file for that project.
Recommended Actions
Upgrade to a version of horizon containing the fix. As a workaround, inspect downloaded RC files before sourcing them, or use clouds.yaml for CLI authentication instead.
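The following Python is an added example, not Horizon's own code and not the content of the patches listed below. It shows the vulnerable pattern the summary describes (a user-controlled value dropped into a double-quoted string, where $(...) and backticks still expand), a hardened generator that single-quotes every value with shlex.quote(), and a small auditor for the workaround of inspecting a downloaded RC file before sourcing it. The OS_* variable names and the sample project and user names are constructed for this example.

```python
"""Added example, not Horizon's own code: shows why double-quoted interpolation
of project names into an RC file is unsafe, how single-quoting via shlex.quote()
neutralises it, and how to audit a downloaded RC file before sourcing it.
Variable names and sample values are constructed for this example."""
import re
import shlex

# Constructed sample; OS_PROJECT_NAME carries a command substitution sequence.
SAMPLE_VALUES = {
    "OS_AUTH_URL": "https://keystone.example:5000/v3",
    "OS_PROJECT_NAME": "demo-$(echo hi)",
    "OS_USERNAME": "O'Brien",
}


def render_rc_unsafe(values):
    """Vulnerable pattern: each value dropped into a double-quoted string.
    Bash still performs $(...), `...` and $VAR expansion inside double quotes,
    so a project name like demo-$(echo hi) runs a command when sourced."""
    return "".join(f'export {k}="{v}"\n' for k, v in values.items())


def render_rc_safe(values):
    """Hardened pattern: shlex.quote() single-quotes every value and escapes
    embedded single quotes, so the shell performs no expansion at all."""
    return "".join(f"export {k}={shlex.quote(str(v))}\n" for k, v in values.items())


def shell_would_expand(value):
    """Return True if a POSIX shell would interpret metacharacters in value.
    Walks the string tracking quote state: everything inside single quotes is
    literal; inside double quotes $ and ` still expand; outside any quotes the
    command separators and redirections matter as well."""
    in_single = in_double = False
    i = 0
    while i < len(value):
        c = value[i]
        if in_single:
            if c == "'":
                in_single = False
        elif c == "\\":
            i += 1  # escaped character, skip it
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c in "$`":
            return True
        elif not in_double and c in ";&|<>()":
            return True
        i += 1
    # An unterminated quote is malformed and worth a look as well.
    return in_single or in_double


def audit_rc_file(text):
    """Workaround check for a downloaded RC file: return (line_no, line) for
    every export whose value could trigger expansion when the file is sourced."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*export\s+\w+=(.*)$", line)
        if m and shell_would_expand(m.group(1)):
            findings.append((n, line))
    return findings


def assigned_value(line):
    """The value after quote removal only. shlex performs no expansion, which
    is exactly the gap audit_rc_file() covers for double-quoted values."""
    return shlex.split(line)[1].split("=", 1)[1]


if __name__ == "__main__":
    unsafe = render_rc_unsafe(SAMPLE_VALUES)
    safe = render_rc_safe(SAMPLE_VALUES)
    print("unsafe file flags:", audit_rc_file(unsafe))
    print("safe file flags:", audit_rc_file(safe))
    print("safe project name round-trips as:", assigned_value(safe.splitlines()[1]))
```

Running the script flags only the OS_PROJECT_NAME line of the double-quoted file, flags nothing in the single-quoted file, and shows that the quoted project name is assigned verbatim, apostrophes included. The auditor is deliberately conservative: it treats an unterminated quote as a finding too, since a broken quoting boundary is how a value escapes the quoting that was meant to contain it.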
Patches
The following reviews contain the fix for this issue:
- 2026.2/hibiscus (master): Gerrit 990661
- 2026.1/gazpacho: Gerrit 991038
- 2025.2/flamingo: Gerrit 991039
- 2025.1/epoxy: Gerrit 991040
Credits
Tim Shephard, roiai.ca
Contacts / References
- Authors: Goutham Pacha Ravi, Red Hat
- This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0097
- Original Launchpad bug: LP#2152240
- Mailing List: [security-sig] tag on openstack-discuss@lists.openstack.org
- OpenStack Security: https://security.openstack.org/
- CVE: CVE-2026-55748