rpms/python-lxml
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-lxml-4.4.1-6.module+el8.5.0+10542+ba057329

Browse Source
This commit is contained in:
CentOS Sources 2021-03-31 04:53:03 +00:00 committed by Andrew Lukoshko
parent b5479557b5
commit 9cb20bee3e
2 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
SOURCES/CVE-2021-28957.patch Normal file
View File

@ -0,0 +1,39 @@
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index caf6b21..ea3c016 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -21,6 +21,8 @@ link_attrs = frozenset([
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 451eec2..e40cdad 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()

11
SPECS/python-lxml.spec
View File

@ -4,7 +4,7 @@
Name: python-%{modname} Name: python-%{modname}
Version: 4.4.1 Version: 4.4.1
Release: 5%{?dist} Release: 6%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD License: BSD
@ -18,6 +18,11 @@ Source0: https://lxml.de/files/%{modname}-%{version}.tgz
# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 # Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
Patch0: CVE-2020-27783.patch Patch0: CVE-2020-27783.patch
# Fix for CVE-2021-28957: missing input sanitization
# for formaction HTML5 attributes which may lead to XSS
# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
Patch1: CVE-2021-28957.patch
# Exclude i686 arch. Due to a modularity issue it's being added to the # Exclude i686 arch. Due to a modularity issue it's being added to the
# x86_64 compose of CRB, but we don't want to ship it at all. # x86_64 compose of CRB, but we don't want to ship it at all.
# See: https://projects.engineering.redhat.com/browse/RCM-72605 # See: https://projects.engineering.redhat.com/browse/RCM-72605
@ -104,6 +109,10 @@ env WITH_CYTHON=true %py3_build
%{python3_sitearch}/%{modname}-*.egg-info/ %{python3_sitearch}/%{modname}-*.egg-info/
%changelog %changelog
* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.4.1-6
- Security fix for CVE-2021-28957
Resolves: rhbz#1941534
* Thu Dec 03 2020 Lumír Balhar <lbalhar@redhat.com> - 4.4.1-5 * Thu Dec 03 2020 Lumír Balhar <lbalhar@redhat.com> - 4.4.1-5
- Security fix for CVE-2020-27783: mXSS due to the use of improper parser - Security fix for CVE-2020-27783: mXSS due to the use of improper parser
Resolves: rhbz#1901633 Resolves: rhbz#1901633