import python-lxml-4.2.3-4.module+el8.4.0+9319+a932af88

2021-05-18 02:49:53 -04:00 · 2021-05-18 02:49:53 -04:00 · 25a5521533
commit 25a5521533
parent 7a086df5b4
2 changed files with 162 additions and 2 deletions
--- a/SOURCES/CVE-2020-27783.patch
+++ b/SOURCES/CVE-2020-27783.patch
@ -0,0 +1,147 @@
+From 725268a12dacbb153dacf9d8cc22cfe37ff230ff Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Wed, 6 Jan 2021 10:20:09 +0100
+Subject: [PATCH] CVE-2020-27783
+
+---
+ src/lxml/html/clean.py             | 29 ++++++++++++++++++++---------
+ src/lxml/html/tests/test_clean.py  | 20 ++++++++++++++++++++
+ src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
+ 3 files changed, 50 insertions(+), 11 deletions(-)
+
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index adc3f45..0492fca 100644
+--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
+@@ -4,8 +4,9 @@ Removes unwanted tags and content.  See the `Cleaner` class for
+ details.
+ """
+ 
+-import re
+ import copy
+import re
+import sys
+ try:
+     from urlparse import urlsplit
+ except ImportError:
+@@ -61,12 +62,16 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+ 
+ # This is an IE-specific construct you can have in a stylesheet to
+ # run some Javascript:
+-_css_javascript_re = re.compile(
+-    r'expression\s*\(.*?\)', re.S|re.I)
+_replace_css_javascript = re.compile(
+    r'expression\s*\(.*?\)', re.S|re.I).sub
+ 
+ # Do I have to worry about @\nimport?
+-_css_import_re = re.compile(
+-    r'@\s*import', re.I)
+_replace_css_import = re.compile(
+    r'@\s*import', re.I).sub
+
+_looks_like_tag_content = re.compile(
+    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=',
+    *((re.ASCII,) if sys.version_info[0] >= 3 else ())).search
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+@@ -292,8 +297,8 @@ class Cleaner(object):
+             if not self.inline_style:
+                 for el in _find_styled_elements(doc):
+                     old = el.get('style')
+-                    new = _css_javascript_re.sub('', old)
+-                    new = _css_import_re.sub('', new)
+                    new = _replace_css_javascript('', old)
+                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         del el.attrib['style']
+@@ -305,9 +310,9 @@ class Cleaner(object):
+                         el.drop_tree()
+                         continue
+                     old = el.text or ''
+-                    new = _css_javascript_re.sub('', old)
+                    new = _replace_css_javascript('', old)
+                     # The imported CSS can do anything; we just can't allow:
+-                    new = _css_import_re.sub('', old)
+                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         el.text = '/* deleted */'
+@@ -509,6 +514,12 @@ class Cleaner(object):
+             return True
+         if 'expression(' in style:
+             return True
+        if '</noscript' in style:
+            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+            return True
+        if _looks_like_tag_content(style):
+            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
+            return True
+         return False
+ 
+     def clean_html(self, html):
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 3bcaaf5..451eec2 100644
+--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
+@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
+         s = lxml.html.fromstring('<invalid tag>child</another>')
+         self.assertEqual('child', clean_html(s).text_content())
+ 
+    def test_sneaky_noscript_in_style(self):
+        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
+        # thus passing the </noscript> through into the output.
+        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+        s = lxml.html.fragment_fromstring(html)
+
+        self.assertEqual(
+            b'<noscript><style>/* deleted */</style></noscript>',
+            lxml.html.tostring(clean_html(s)))
+
+    def test_sneaky_js_in_math_style(self):
+        # This gets parsed as <math> -> <style>"..."</style>
+        # thus passing any tag/script/whatever content through into the output.
+        html = '<math><style><img src=x onerror=alert(1)></style></math>'
+        s = lxml.html.fragment_fromstring(html)
+
+        self.assertEqual(
+            b'<math><style>/* deleted */</style></math>',
+            lxml.html.tostring(clean_html(s)))
+
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
+diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
+index c78ab4f..c901871 100644
+--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
+@@ -104,7 +104,11 @@
+ >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
+ <html>
+   <head>
+-    <style>/* deleted */</style>
+    <style>
+      body {background-image: url()};
+      div {background-image: url()};
+      div {color: };
+    </style>
+   </head>
+   <body>
+     <a href="">a link</a>
+@@ -168,7 +172,11 @@
+     <link rel="alternate" type="text/rss" src="evil-rss">
+     <link rel="alternate" type="text/rss" href="http://example.com">
+     <link rel="stylesheet" type="text/rss" href="http://example.com">
+-    <style>/* deleted */</style>
+    <style>
+      body {background-image: url()};
+      div {background-image: url()};
+      div {color: };
+    </style>
+   </head>
+   <body>
+     <a href="">a link</a>
+-- 
+2.29.2
+
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -11,13 +11,22 @@

 Name:           python-%{modname}
 Version:        4.2.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API

 License:        BSD
 URL:            http://lxml.de
 Source0:        http://lxml.de/files/%{modname}-%{version}.tgz

+# Fix for CVE-2020-27783: mXSS due to the use of improper parser
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
+# Two upstream commits combined:
+#   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
+#   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+# + one workaround for Python2, where `re.ASCII` is the default mode
+#   https://github.com/lxml/lxml/commit/4cb57362deb23bca0f70f41ab1efa13390fcdbb1
+Patch0:         CVE-2020-27783.patch
+
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
@ -64,7 +73,7 @@ Python 3 version.
 %endif # with python3

 %prep
-%autosetup -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1

 %build
 export WITH_CYTHON=true
@ -109,6 +118,10 @@ export WITH_CYTHON=true


 %changelog
+* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
+- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
+Resolves: rhbz#1901633
+
 * Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 4.2.3-3
 - Bumping due to problems with modular RPM upgrade path
 - Resolves: rhbz#1695587