import python-lxml-4.6.2-3.module+el8.5.0+10536+a233b742

2021-11-09 04:47:47 -05:00 · 2021-11-09 04:47:47 -05:00 · 1f8a6271ca
commit 1f8a6271ca
parent 6e3a46ca3c
2 changed files with 49 additions and 1 deletions
--- a/SOURCES/CVE-2021-28957.patch
+++ b/SOURCES/CVE-2021-28957.patch
@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index caf6b21..ea3c016 100644
+--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+     'usemap',
+     # Not standard:
+     'dynsrc', 'lowsrc',
+    # HTML5 formaction
+    'formaction'
+     ])
+ 
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 451eec2..e40cdad 100644
+--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
+@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
+             b'<math><style>/* deleted */</style></math>',
+             lxml.html.tostring(clean_html(s)))
+ 
+    def test_formaction_attribute_in_button_input(self):
+        # The formaction attribute overrides the form's action and should be
+        # treated as a malicious link attribute
+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+        '<button form="test" formaction="javascript:alert(1)">X</button>')
+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+        '<button form="test" formaction="">X</button></div>')
+        cleaner = Cleaner(
+            forms=False,
+            safe_attrs_only=False,
+        )
+        self.assertEqual(
+            expected,
+            cleaner.clean_html(html))
+
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -2,13 +2,18 @@

 Name:           python-%{modname}
 Version:        4.6.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API

 License:        BSD
 URL:            https://github.com/lxml/lxml
 Source0:        %{pypi_source %{modname}}

+# Fix for CVE-2021-28957: missing input sanitization
+# for formaction HTML5 attributes which may lead to XSS
+# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch1: CVE-2021-28957.patch
+
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
 # See: https://projects.engineering.redhat.com/browse/RCM-72605
@ -67,6 +72,10 @@ env WITH_CYTHON=true %py3_build
 %{python3_sitearch}/%{modname}-*.egg-info/

 %changelog
+* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.2-3
+- Security fix for CVE-2021-28957
+Resolves: rhbz#1941534
+
 * Mon Jan 18 2021 Tomas Orsava <torsava@redhat.com> - 4.6.2-2
 - Convert from Fedora to the python39 module in RHEL8
 - Resolves: rhbz#1877430