import python-lxml-4.4.1-5.module+el8.4.0+9001+fc421f6c

2021-03-30 15:58:20 -04:00 · 2021-03-30 15:58:20 -04:00 · 1e8cdb67c1
commit 1e8cdb67c1
parent 18fdd85fe8
2 changed files with 152 additions and 2 deletions
--- a/SOURCES/CVE-2020-27783.patch
+++ b/SOURCES/CVE-2020-27783.patch
@ -0,0 +1,139 @@
 From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 3 Dec 2020 11:53:15 +0100
 Subject: [PATCH] CVE-2020-27783
 Combines fixes for the CVE from two versions:
 - Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
 - Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
 ---
 src/lxml/html/clean.py             | 25 +++++++++++++++++--------
 src/lxml/html/tests/test_clean.py  | 21 +++++++++++++++++++++
 src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
 3 files changed, 48 insertions(+), 10 deletions(-)
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
 index aa9fc57..15298b5 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
 # This is an IE-specific construct you can have in a stylesheet to
 # run some Javascript:
 -_css_javascript_re = re.compile(
 -    r'expression\s*\(.*?\)', re.S|re.I)
 +_replace_css_javascript = re.compile(
 +    r'expression\s*\(.*?\)', re.S|re.I).sub
 # Do I have to worry about @\nimport?
 -_css_import_re = re.compile(
 -    r'@\s*import', re.I)
 +_replace_css_import = re.compile(
 +    r'@\s*import', re.I).sub
 +
 +_looks_like_tag_content = re.compile(
 +    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
 # All kinds of schemes besides just javascript: that can cause
 # execution:
@@ -292,8 +295,8 @@ class Cleaner(object):
             if not self.inline_style:
                 for el in _find_styled_elements(doc):
                     old = el.get('style')
 -                    new = _css_javascript_re.sub('', old)
 -                    new = _css_import_re.sub('', new)
 +                    new = _replace_css_javascript('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         del el.attrib['style']
@@ -305,9 +308,9 @@ class Cleaner(object):
                         el.drop_tree()
                         continue
                     old = el.text or ''
 -                    new = _css_javascript_re.sub('', old)
 +                    new = _replace_css_javascript('', old)
                     # The imported CSS can do anything; we just can't allow:
 -                    new = _css_import_re.sub('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         el.text = '/* deleted */'
@@ -509,6 +512,12 @@ class Cleaner(object):
             return True
         if 'expression(' in style:
             return True
 +        if '</noscript' in style:
 +            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +            return True
 +        if _looks_like_tag_content(style):
 +            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
 +            return True
         return False
     def clean_html(self, html):
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index a193d99..ea7487c 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):
         self.assertEqual('child', clean_html(s).text_content())
 +    def test_sneaky_noscript_in_style(self):
 +        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
 +        # thus passing the </noscript> through into the output.
 +        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<noscript><style>/* deleted */</style></noscript>',
 +            lxml.html.tostring(clean_html(s)))
 +
 +    def test_sneaky_js_in_math_style(self):
 +        # This gets parsed as <math> -> <style>"..."</style>
 +        # thus passing any tag/script/whatever content through into the output.
 +        html = '<math><style><img src=x onerror=alert(1)></style></math>'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<math><style>/* deleted */</style></math>',
 +            lxml.html.tostring(clean_html(s)))
 +
 +
 def test_suite():
     suite = unittest.TestSuite()
     suite.addTests([make_doctest('test_clean.txt')])
 diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
 index 2824f64..7df1f1d 100644
 --- a/src/lxml/html/tests/test_clean.txt
 +++ b/src/lxml/html/tests/test_clean.txt
@@ -104,7 +104,11 @@
 >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
 <html>
   <head>
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
@@ -168,7 +172,11 @@
     <link rel="alternate" type="text/rss" src="evil-rss">
     <link rel="alternate" type="text/rss" href="http://example.com">
     <link rel="stylesheet" type="text/rss" href="http://example.com">
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
 -- 
 2.28.0
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -4,13 +4,20 @@
 Name:           python-%{modname}
 Version:        4.4.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 License:        BSD
 URL:            https://github.com/lxml/lxml
 Source0:        https://lxml.de/files/%{modname}-%{version}.tgz
 # Fix for CVE-2020-27783: mXSS due to the use of improper parser
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
 # Two upstream commits combined:
 #   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
 #   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
 Patch0:         CVE-2020-27783.patch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
 # See: https://projects.engineering.redhat.com/browse/RCM-72605
@ -60,7 +67,7 @@ Suggests:       python%{python3_version}dist(beautifulsoup4)
 Python 3 version.
 %prep
-%autosetup -n %{modname}-%{version}
+%autosetup -p1 -n %{modname}-%{version}
 # Remove pregenerated Cython C sources
 find -type f -name '*.c' -print -delete
@ -97,6 +104,10 @@ env WITH_CYTHON=true %py3_build
 %{python3_sitearch}/%{modname}-*.egg-info/
 %changelog
 * Thu Dec 03 2020 Lumír Balhar <lbalhar@redhat.com> - 4.4.1-5
 - Security fix for CVE-2020-27783: mXSS due to the use of improper parser
 Resolves: rhbz#1901633
 * Thu Dec 12 2019 Tomas Orsava <torsava@redhat.com> - 4.4.1-4
 - Exclude unsupported i686 arch