openstackdocstheme contains minified javascript

Bug #1502806 reported by Thomas Goirand
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: Undecided
Assigned to: Ryan Selden

Bug Description

The openstackdocstheme Python module contains already minified javascripts. In most (if not all) downstream distributions, these files are considered non-free blobs. This is also a security issue. See this blog post:

https://zyan.scripts.mit.edu/blog/backdooring-js/

Please remove any minified javascript files from the projects. Also, it'd be nice if the package was using javascript files from the XStatic packages, without embedding them.

Tom Fifield (fifieldt)
tags: added: doc-builds doc-tools openstackdocstheme
Anne Gentle (annegentle) wrote :

I'm investigating. We included the source files, I thought, but https://github.com/openstack/openstackdocstheme/tree/master/original-design/js might already be minified. How do you know? Is jquery itself considered minified?

Anne Gentle (annegentle)
Changed in openstack-manuals:
status: New → Incomplete
Christian Berendt (berendt) wrote :

I think it makes sense to first remove the minified versions of all files (CSS as well as JS) and to replace them with the unminified versions. At the moment we mix them up and use minified versions, unminified versions and versions provided on some kind of CDN. Then we can have a look at the xstatic packages.

Changed in openstack-manuals:
assignee: nobody → Christian Berendt (berendt)
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstackdocstheme (master)

Reviewed: https://review.openstack.org/235203
Committed: https://git.openstack.org/cgit/openstack/openstackdocstheme/commit/?id=2190744a1779bfda3987066c6ab318ba18856d5d
Submitter: Jenkins
Branch: master

commit 2190744a1779bfda3987066c6ab318ba18856d5d
Author: Christian Berendt <email address hidden>
Date: Thu Oct 15 11:46:16 2015 +0200

    Remove the original-design directory

    Change-Id: Ie47dcd2b4f4488d9008616a3b0ea46209d2736e9
    Partial-bug: #1502806

Thomas Goirand (thomas-goirand) wrote :

Now that the above patch has been merged, we still have:

openstackdocstheme/theme/openstackdocs/static/js/bootstrap.min.js
openstackdocstheme/theme/openstackdocs/static/css/bootstrap.min.css
openstackdocstheme/theme/openstackdocs/static/js/jquery-1.11.3.js

that are minified and need to be replaced by sourceful versions.

I did a quick grep, and it looks like bootstrap.min.js and jquery are only included in the footer. So my question is: do we *really* need them, or is it only some nice decoration which we could get rid of?
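
Added example, not part of the original bug thread or of the openstackdocstheme code: a content-based check a packager could run over a theme tree to flag JavaScript and CSS files that look minified, whatever they are named. The thresholds and the two sample strings are assumptions constructed for illustration; a hit is a candidate for review, not proof.

```python
import os

# Constructed samples: readable source and minifier-style output.
READABLE_SAMPLE = "function add(a, b) {\n    return a + b;\n}\n"
MINIFIED_SAMPLE = ("/*! constructed sample */\n!function(a){"
                   + "a.x=function(b,c){return b+c};" * 40 + "}(window);\n")

# Thresholds are illustrative assumptions, not a distribution policy.
MAX_LINE = 500        # longest line, in characters
MAX_AVG_LINE = 120    # mean length of non-blank lines
MIN_WS_RATIO = 0.10   # share of whitespace characters in the file


def minified_reasons(name, text):
    """Return why a JS/CSS file looks minified; an empty list means it looks like source."""
    reasons = []
    if ".min." in name:
        reasons.append("name contains .min.")
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return reasons
    longest = max(len(line) for line in lines)
    average = sum(len(line) for line in lines) / len(lines)
    ws_ratio = sum(ch.isspace() for ch in text) / len(text)
    if longest > MAX_LINE:
        reasons.append(f"longest line is {longest} characters")
    if average > MAX_AVG_LINE:
        reasons.append(f"average line length is {average:.0f}")
    if ws_ratio < MIN_WS_RATIO:
        reasons.append(f"whitespace ratio is {ws_ratio:.2f}")
    return reasons


def scan_tree(root):
    """Map each flagged .js/.css path under root (relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith((".js", ".css")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = minified_reasons(fn, fh.read())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    for path, why in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: {'; '.join(why)}")
```

Run as a script, it takes the directory to scan as its first argument and prints one line per flagged file.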

Sean M. Collins (scollins) wrote :

bootstrap.min.js and jquery are required in order to make bootstrap work. Without them, the site will not render properly.

Ryan Selden (ryanx-seldon) wrote :

Patch revised - updated these files to include the latest, not minified versions

https://review.openstack.org/#/c/333573/

Changed in openstack-manuals:
assignee: Christian Berendt (berendt) → Ryan Selden (ryanx-seldon)
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstackdocstheme 1.6.0

This issue was fixed in the openstack/openstackdocstheme 1.6.0 release.

Changed in openstack-manuals:
status: In Progress → Fix Released