rpms/python-lxml
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-lxml-4.2.3-6.module+el8.6.0+13959+8e368262

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 03:04:19 -04:00 committed by Stepan Oksanichenko
parent 19558bb49a
commit 0e7b80ef9d
3 changed files with 184 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
SOURCES/CVE-2021-43818.patch Normal file
View File

@ -0,0 +1,132 @@
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index 0492fca..5225a5e 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -75,18 +75,25 @@ _looks_like_tag_content = re.compile(
# All kinds of schemes besides just javascript: that can cause
# execution:
-_is_image_dataurl = re.compile(
- r'^data:image/.+;base64', re.I).search
+_find_image_dataurls = re.compile(
+ r'^data:image/(.+);base64,', re.I).findall
_is_possibly_malicious_scheme = re.compile(
- r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
- re.I).search
+ r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
+ re.I).findall
+# SVG images can contain script content
+_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
+
def _is_javascript_scheme(s):
- if _is_image_dataurl(s):
- return None
- return _is_possibly_malicious_scheme(s)
+ is_image_url = False
+ for image_type in _find_image_dataurls(s):
+ is_image_url = True
+ if _is_unsafe_image_type(image_type):
+ return True
+ if is_image_url:
+ return False
+ return bool(_is_possibly_malicious_scheme(s))
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
-# FIXME: should data: be blocked?
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
_conditional_comment_re = re.compile(
@@ -514,6 +521,8 @@ class Cleaner(object):
return True
if 'expression(' in style:
return True
+ if '@import' in style:
+ return True
if '</noscript' in style:
# e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
return True
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index e40cdad..4fab442 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -1,3 +1,6 @@
+import base64
+import gzip
+import io
import unittest, sys
from lxml.tests.common_imports import make_doctest
from lxml.etree import LIBXML_VERSION
@@ -89,6 +92,73 @@ class CleanerTest(unittest.TestCase):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_sneaky_import_in_style(self):
+ # Prevent "@@importimport" -> "@import" replacement.
+ style_codes = [
+ "@@importimport(extstyle.css)",
+ "@ @ import import(extstyle.css)",
+ "@ @ importimport(extstyle.css)",
+ "@@ import import(extstyle.css)",
+ "@ @import import(extstyle.css)",
+ "@@importimport()",
+ ]
+ for style_code in style_codes:
+ html = '<style>%s</style>' % style_code
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<style>/* deleted */</style>',
+ cleaned,
+ "%s -> %s" % (style_code, cleaned))
+
+ def test_svg_data_links(self):
+ # Remove SVG images with potentially insecure content.
+ svg = b'<svg onload="alert(123)" />'
+ gzout = io.BytesIO()
+ f = gzip.GzipFile(fileobj=gzout, mode='wb')
+ f.write(svg)
+ f.close()
+ svgz = gzout.getvalue()
+ svg_b64 = base64.b64encode(svg).decode('ASCII')
+ svgz_b64 = base64.b64encode(svgz).decode('ASCII')
+ urls = [
+ "data:image/svg+xml;base64," + svg_b64,
+ "data:image/svg+xml-compressed;base64," + svgz_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<img src="">',
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
+ def test_image_data_links(self):
+ data = b'123'
+ data_b64 = base64.b64encode(data).decode('ASCII')
+ urls = [
+ "data:image/jpeg;base64," + data_b64,
+ "data:image/apng;base64," + data_b64,
+ "data:image/png;base64," + data_b64,
+ "data:image/gif;base64," + data_b64,
+ "data:image/webp;base64," + data_b64,
+ "data:image/bmp;base64," + data_b64,
+ "data:image/tiff;base64," + data_b64,
+ "data:image/x-icon;base64," + data_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ html.encode("UTF-8"),
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
def test_formaction_attribute_in_button_input(self):
# The formaction attribute overrides the form's action and should be
# treated as a malicious link attribute

26
SOURCES/fix-threading-tests.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git a/src/lxml/tests/test_threading.py b/src/lxml/tests/test_threading.py
index 8948c3ec6..5ede3f805 100644
--- a/src/lxml/tests/test_threading.py
+++ b/src/lxml/tests/test_threading.py
@@ -130,7 +130,7 @@ def test_thread_xslt_parsing_error_log(self):
<xsl:template match="tag" />
<!-- extend time for parsing + transform -->
''' + '\n'.join('<xsl:template match="tag%x" />' % i for i in range(200)) + '''
- <xsl:foo />
+ <xsl:UnExpectedElement />
</xsl:stylesheet>''')
self.assertRaises(etree.XSLTParseError,
etree.XSLT, style)
@@ -153,9 +153,10 @@ def run_thread():
self.assertTrue(len(log))
if last_log is not None:
self.assertEqual(len(last_log), len(log))
- self.assertEqual(4, len(log))
+ self.assertTrue(len(log) >= 2, len(log))
for error in log:
- self.assertTrue(':ERROR:XSLT:' in str(error))
+ self.assertTrue(':ERROR:XSLT:' in str(error), str(error))
+ self.assertTrue(any('UnExpectedElement' in str(error) for error in log), log)
last_log = log
def test_thread_xslt_apply_error_log(self):

82
SPECS/python-lxml.spec
View File

@ -1,17 +1,8 @@
%bcond_without python3
%if 0%{?rhel} > 7
# Disable python2 build by default
%bcond_with python2
%else
%bcond_without python2
%endif
%global modname lxml
Name: python-%{modname}
Version: 4.2.3
Release: 5%{?dist}
Release: 6%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD
@ -30,7 +21,21 @@ Patch0: CVE-2020-27783.patch
# Fix for CVE-2021-28957: missing input sanitization
# for formaction HTML5 attributes which may lead to XSS
# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
Patch1: CVE-2021-28957.patch
Patch1: CVE-2021-28957.patch
# Fix for CVE-2021-43818: HTML Cleaner allows crafted
# and SVG embedded scripts to pass through
# Fixed upstream:
# https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
# https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
# + the python2 specific fixes for the tests
# https://github.com/lxml/lxml/commit/a9611ba80bc5196c1dd07a0b1964fcb603695d63
Patch2: CVE-2021-43818.patch
# Fix the threading tests for the latest libxslt
# Fixed upstream:
# https://github.com/lxml/lxml/commit/acef361ca80ff9afd828d91c98ea91c92f9d09af
Patch3: fix-threading-tests.patch
BuildRequires: gcc
BuildRequires: libxml2-devel
@ -45,7 +50,6 @@ home page < or see our bug tracker at case you want to use the current ...
%description %{_description}
%if %{with python2}
%package -n python2-%{modname}
Summary: %{summary}
BuildRequires: python2-devel
@ -59,70 +63,36 @@ Recommends: python2-beautifulsoup4
%description -n python2-%{modname} %{_description}
Python 2 version.
%endif # with python2
%if %{with python3}
%package -n python3-%{modname}
Summary: %{summary}
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-Cython
Recommends: python3-cssselect
Recommends: python3-html5lib
Recommends: python3-beautifulsoup4
%{?python_provide:%python_provide python3-%{modname}}
%description -n python3-%{modname} %{_description}
Python 3 version.
%endif # with python3
%prep
%autosetup -n %{modname}-%{version} -p1
%build
export WITH_CYTHON=true
%if %{with python2}
%py2_build
%endif # with python2
%if %{with python3}
%py3_build
%endif # with python3
%install
%if %{with python2}
%py2_install
%endif # with python2
%if %{with python3}
%py3_install
%endif # with python3
%check
%if %{with python2}
%{__python2} setup.py test
%endif # with python2
%if %{with python3}
%{__python3} setup.py test
%endif # with python3
# The tests assume inplace build, so we copy the built library to source-dir.
# If not done that, Python can either import the tests or the extension modules, but not both.
cp -a build/lib.linux-*-%{python2_version}/* src/
# The options are: verbose, unit, functional
# We need the UTF-8 locale for the tests to work properly on python2
LANG=C.UTF-8 %{__python2} test.py -vuf
%if %{with python2}
%files -n python2-%{modname}
%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%{python2_sitearch}/%{modname}/
%{python2_sitearch}/%{modname}-*.egg-info/
%endif # with python2
%if %{with python3}
%files -n python3-%{modname}
%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%{python3_sitearch}/%{modname}/
%{python3_sitearch}/%{modname}-*.egg-info/
%endif # with python3
%changelog
* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-6
- Security fix for CVE-2021-43818
Resolves: rhbz#2032569
* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-5
- Security fix for CVE-2021-28957
Resolves: rhbz#1941534