import python-lxml-4.2.3-2.el8
This commit is contained in:
CentOS Sources
parent
a7762a72d3
commit
1b344a5ae2
121
SOURCES/CVE-2020-27783.patch
Normal file
121
SOURCES/CVE-2020-27783.patch
Normal file
@ -0,0 +1,121 @@
|
|||||||
|
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
|
||||||
|
index adc3f45..6f3f7de 100644
|
||||||
|
--- a/src/lxml/html/clean.py
|
||||||
|
+++ b/src/lxml/html/clean.py
|
||||||
|
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
|
||||||
|
|
||||||
|
# This is an IE-specific construct you can have in a stylesheet to
|
||||||
|
# run some Javascript:
|
||||||
|
-_css_javascript_re = re.compile(
|
||||||
|
- r'expression\s*\(.*?\)', re.S|re.I)
|
||||||
|
+_replace_css_javascript = re.compile(
|
||||||
|
+ r'expression\s*\(.*?\)', re.S|re.I).sub
|
||||||
|
|
||||||
|
# Do I have to worry about @\nimport?
|
||||||
|
-_css_import_re = re.compile(
|
||||||
|
- r'@\s*import', re.I)
|
||||||
|
+_replace_css_import = re.compile(
|
||||||
|
+ r'@\s*import', re.I).sub
|
||||||
|
+
|
||||||
|
+_looks_like_tag_content = re.compile(
|
||||||
|
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
|
||||||
|
|
||||||
|
# All kinds of schemes besides just javascript: that can cause
|
||||||
|
# execution:
|
||||||
|
@@ -292,8 +295,8 @@ class Cleaner(object):
|
||||||
|
if not self.inline_style:
|
||||||
|
for el in _find_styled_elements(doc):
|
||||||
|
old = el.get('style')
|
||||||
|
- new = _css_javascript_re.sub('', old)
|
||||||
|
- new = _css_import_re.sub('', new)
|
||||||
|
+ new = _replace_css_javascript('', old)
|
||||||
|
+ new = _replace_css_import('', new)
|
||||||
|
if self._has_sneaky_javascript(new):
|
||||||
|
# Something tricky is going on...
|
||||||
|
del el.attrib['style']
|
||||||
|
@@ -305,9 +308,9 @@ class Cleaner(object):
|
||||||
|
el.drop_tree()
|
||||||
|
continue
|
||||||
|
old = el.text or ''
|
||||||
|
- new = _css_javascript_re.sub('', old)
|
||||||
|
+ new = _replace_css_javascript('', old)
|
||||||
|
# The imported CSS can do anything; we just can't allow:
|
||||||
|
- new = _css_import_re.sub('', old)
|
||||||
|
+ new = _replace_css_import('', new)
|
||||||
|
if self._has_sneaky_javascript(new):
|
||||||
|
# Something tricky is going on...
|
||||||
|
el.text = '/* deleted */'
|
||||||
|
@@ -509,6 +512,12 @@ class Cleaner(object):
|
||||||
|
return True
|
||||||
|
if 'expression(' in style:
|
||||||
|
return True
|
||||||
|
+ if '</noscript' in style:
|
||||||
|
+ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
|
||||||
|
+ return True
|
||||||
|
+ if _looks_like_tag_content(style):
|
||||||
|
+ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
|
||||||
|
+ return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
def clean_html(self, html):
|
||||||
|
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
||||||
|
index 3bcaaf5..451eec2 100644
|
||||||
|
--- a/src/lxml/html/tests/test_clean.py
|
||||||
|
+++ b/src/lxml/html/tests/test_clean.py
|
||||||
|
@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
|
||||||
|
s = lxml.html.fromstring('<invalid tag>child</another>')
|
||||||
|
self.assertEqual('child', clean_html(s).text_content())
|
||||||
|
|
||||||
|
+ def test_sneaky_noscript_in_style(self):
|
||||||
|
+ # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
|
||||||
|
+ # thus passing the </noscript> through into the output.
|
||||||
|
+ html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
|
||||||
|
+ s = lxml.html.fragment_fromstring(html)
|
||||||
|
+
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ b'<noscript><style>/* deleted */</style></noscript>',
|
||||||
|
+ lxml.html.tostring(clean_html(s)))
|
||||||
|
+
|
||||||
|
+ def test_sneaky_js_in_math_style(self):
|
||||||
|
+ # This gets parsed as <math> -> <style>"..."</style>
|
||||||
|
+ # thus passing any tag/script/whatever content through into the output.
|
||||||
|
+ html = '<math><style><img src=x onerror=alert(1)></style></math>'
|
||||||
|
+ s = lxml.html.fragment_fromstring(html)
|
||||||
|
+
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ b'<math><style>/* deleted */</style></math>',
|
||||||
|
+ lxml.html.tostring(clean_html(s)))
|
||||||
|
+
|
||||||
|
|
||||||
|
def test_suite():
|
||||||
|
suite = unittest.TestSuite()
|
||||||
|
diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
|
||||||
|
index c78ab4f..c901871 100644
|
||||||
|
--- a/src/lxml/html/tests/test_clean.txt
|
||||||
|
+++ b/src/lxml/html/tests/test_clean.txt
|
||||||
|
@@ -104,7 +104,11 @@
|
||||||
|
>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
- <style>/* deleted */</style>
|
||||||
|
+ <style>
|
||||||
|
+ body {background-image: url()};
|
||||||
|
+ div {background-image: url()};
|
||||||
|
+ div {color: };
|
||||||
|
+ </style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<a href="">a link</a>
|
||||||
|
@@ -168,7 +172,11 @@
|
||||||
|
<link rel="alternate" type="text/rss" src="evil-rss">
|
||||||
|
<link rel="alternate" type="text/rss" href="http://example.com">
|
||||||
|
<link rel="stylesheet" type="text/rss" href="http://example.com">
|
||||||
|
- <style>/* deleted */</style>
|
||||||
|
+ <style>
|
||||||
|
+ body {background-image: url()};
|
||||||
|
+ div {background-image: url()};
|
||||||
|
+ div {color: };
|
||||||
|
+ </style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<a href="">a link</a>
|
||||||
@ -9,13 +9,20 @@
|
|||||||
|
|
||||||
Name: python-%{modname}
|
Name: python-%{modname}
|
||||||
Version: 4.2.3
|
Version: 4.2.3
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
|
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://lxml.de
|
URL: http://lxml.de
|
||||||
Source0: http://lxml.de/files/%{modname}-%{version}.tgz
|
Source0: http://lxml.de/files/%{modname}-%{version}.tgz
|
||||||
|
|
||||||
|
# Fix for CVE-2020-27783: mXSS due to the use of improper parser
|
||||||
|
# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
|
||||||
|
# Two upstream commits combined:
|
||||||
|
# Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
|
||||||
|
# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
|
||||||
|
Patch0: CVE-2020-27783.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libxml2-devel
|
BuildRequires: libxml2-devel
|
||||||
BuildRequires: libxslt-devel
|
BuildRequires: libxslt-devel
|
||||||
@ -60,7 +67,7 @@ Recommends: python3-beautifulsoup4
|
|||||||
Python 3 version.
|
Python 3 version.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -n %{modname}-%{version}
|
%autosetup -n %{modname}-%{version} -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export WITH_CYTHON=true
|
export WITH_CYTHON=true
|
||||||
@ -96,6 +103,10 @@ export WITH_CYTHON=true
|
|||||||
%{python3_sitearch}/%{modname}-*.egg-info/
|
%{python3_sitearch}/%{modname}-*.egg-info/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2
|
||||||
|
- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
|
||||||
|
Resolves: rhbz#1901633
|
||||||
|
|
||||||
* Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
|
* Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
|
||||||
- New upstream release 4.2.3
|
- New upstream release 4.2.3
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user