7 changed files with 86 additions and 361 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/lxml-4.2.3.tgz
+SOURCES/lxml-4.6.5.tar.gz
--- a/.python-lxml.metadata
+++ b/.python-lxml.metadata
@ -1 +1 @@
-536c9ced5d03e8d871ebf21748ed36a2f7ddf668 SOURCES/lxml-4.2.3.tgz
+04a3ed4d33a511b5796880461b0edb6f3b144547 SOURCES/lxml-4.6.5.tar.gz
--- a/SOURCES/CVE-2020-27783.patch
+++ b/SOURCES/CVE-2020-27783.patch
@ -1,121 +0,0 @@
-diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
-index adc3f45..6f3f7de 100644
--- a/src/lxml/html/clean.py
-+++ b/src/lxml/html/clean.py
-@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
- 
- # This is an IE-specific construct you can have in a stylesheet to
- # run some Javascript:
-_css_javascript_re = re.compile(
-    r'expression\s*\(.*?\)', re.S|re.I)
-+_replace_css_javascript = re.compile(
-+    r'expression\s*\(.*?\)', re.S|re.I).sub
- 
- # Do I have to worry about @\nimport?
-_css_import_re = re.compile(
-    r'@\s*import', re.I)
-+_replace_css_import = re.compile(
-+    r'@\s*import', re.I).sub
-+
-+_looks_like_tag_content = re.compile(
-+    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
- 
- # All kinds of schemes besides just javascript: that can cause
- # execution:
-@@ -292,8 +295,8 @@ class Cleaner(object):
-             if not self.inline_style:
-                 for el in _find_styled_elements(doc):
-                     old = el.get('style')
-                    new = _css_javascript_re.sub('', old)
-                    new = _css_import_re.sub('', new)
-+                    new = _replace_css_javascript('', old)
-+                    new = _replace_css_import('', new)
-                     if self._has_sneaky_javascript(new):
-                         # Something tricky is going on...
-                         del el.attrib['style']
-@@ -305,9 +308,9 @@ class Cleaner(object):
-                         el.drop_tree()
-                         continue
-                     old = el.text or ''
-                    new = _css_javascript_re.sub('', old)
-+                    new = _replace_css_javascript('', old)
-                     # The imported CSS can do anything; we just can't allow:
-                    new = _css_import_re.sub('', old)
-+                    new = _replace_css_import('', new)
-                     if self._has_sneaky_javascript(new):
-                         # Something tricky is going on...
-                         el.text = '/* deleted */'
-@@ -509,6 +512,12 @@ class Cleaner(object):
-             return True
-         if 'expression(' in style:
-             return True
-+        if '</noscript' in style:
-+            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
-+            return True
-+        if _looks_like_tag_content(style):
-+            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
-+            return True
-         return False
- 
-     def clean_html(self, html):
-diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
-index 3bcaaf5..451eec2 100644
--- a/src/lxml/html/tests/test_clean.py
-+++ b/src/lxml/html/tests/test_clean.py
-@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
-         s = lxml.html.fromstring('<invalid tag>child</another>')
-         self.assertEqual('child', clean_html(s).text_content())
- 
-+    def test_sneaky_noscript_in_style(self):
-+        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
-+        # thus passing the </noscript> through into the output.
-+        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
-+        s = lxml.html.fragment_fromstring(html)
-+
-+        self.assertEqual(
-+            b'<noscript><style>/* deleted */</style></noscript>',
-+            lxml.html.tostring(clean_html(s)))
-+
-+    def test_sneaky_js_in_math_style(self):
-+        # This gets parsed as <math> -> <style>"..."</style>
-+        # thus passing any tag/script/whatever content through into the output.
-+        html = '<math><style><img src=x onerror=alert(1)></style></math>'
-+        s = lxml.html.fragment_fromstring(html)
-+
-+        self.assertEqual(
-+            b'<math><style>/* deleted */</style></math>',
-+            lxml.html.tostring(clean_html(s)))
-+
- 
- def test_suite():
-     suite = unittest.TestSuite()
-diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
-index c78ab4f..c901871 100644
--- a/src/lxml/html/tests/test_clean.txt
-+++ b/src/lxml/html/tests/test_clean.txt
-@@ -104,7 +104,11 @@
- >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
- <html>
-   <head>
-    <style>/* deleted */</style>
-+    <style>
-+      body {background-image: url()};
-+      div {background-image: url()};
-+      div {color: };
-+    </style>
-   </head>
-   <body>
-     <a href="">a link</a>
-@@ -168,7 +172,11 @@
-     <link rel="alternate" type="text/rss" src="evil-rss">
-     <link rel="alternate" type="text/rss" href="http://example.com">
-     <link rel="stylesheet" type="text/rss" href="http://example.com">
-    <style>/* deleted */</style>
-+    <style>
-+      body {background-image: url()};
-+      div {background-image: url()};
-+      div {color: };
-+    </style>
-   </head>
-   <body>
-     <a href="">a link</a>
--- a/SOURCES/CVE-2021-28957.patch
+++ b/SOURCES/CVE-2021-28957.patch
@ -1,39 +0,0 @@
-diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
-index caf6b21..ea3c016 100644
--- a/src/lxml/html/defs.py
-+++ b/src/lxml/html/defs.py
-@@ -21,6 +21,8 @@ link_attrs = frozenset([
-     'usemap',
-     # Not standard:
-     'dynsrc', 'lowsrc',
-+    # HTML5 formaction
-+    'formaction'
-     ])
- 
- # Not in the HTML 4 spec:
-diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
-index 451eec2..e40cdad 100644
--- a/src/lxml/html/tests/test_clean.py
-+++ b/src/lxml/html/tests/test_clean.py
-@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
-             b'<math><style>/* deleted */</style></math>',
-             lxml.html.tostring(clean_html(s)))
- 
-+    def test_formaction_attribute_in_button_input(self):
-+        # The formaction attribute overrides the form's action and should be
-+        # treated as a malicious link attribute
-+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
-+        '<button form="test" formaction="javascript:alert(1)">X</button>')
-+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
-+        '<button form="test" formaction="">X</button></div>')
-+        cleaner = Cleaner(
-+            forms=False,
-+            safe_attrs_only=False,
-+        )
-+        self.assertEqual(
-+            expected,
-+            cleaner.clean_html(html))
-+
- 
- def test_suite():
-     suite = unittest.TestSuite()
--- a/SOURCES/CVE-2021-43818.patch
+++ b/SOURCES/CVE-2021-43818.patch
@ -1,127 +0,0 @@
-diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
-index 6f3f7de..da5af16 100644
--- a/src/lxml/html/clean.py
-+++ b/src/lxml/html/clean.py
-@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(
- 
- # All kinds of schemes besides just javascript: that can cause
- # execution:
-_is_image_dataurl = re.compile(
-    r'^data:image/.+;base64', re.I).search
-+_find_image_dataurls = re.compile(
-+    r'^data:image/(.+);base64,', re.I).findall
- _is_possibly_malicious_scheme = re.compile(
-    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
-    re.I).search
-+    r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
-+    re.I).findall
-+# SVG images can contain script content
-+_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
-+
- def _is_javascript_scheme(s):
-    if _is_image_dataurl(s):
-        return None
-    return _is_possibly_malicious_scheme(s)
-+    is_image_url = False
-+    for image_type in _find_image_dataurls(s):
-+        is_image_url = True
-+        if _is_unsafe_image_type(image_type):
-+            return True
-+    if is_image_url:
-+        return False
-+    return bool(_is_possibly_malicious_scheme(s))
- 
- _substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
-# FIXME: should data: be blocked?
- 
- # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
- _conditional_comment_re = re.compile(
-@@ -512,6 +519,8 @@ class Cleaner(object):
-             return True
-         if 'expression(' in style:
-             return True
-+        if '@import' in style:
-+            return True
-         if '</noscript' in style:
-             # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
-             return True
-diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
-index e40cdad..ad9a598 100644
--- a/src/lxml/html/tests/test_clean.py
-+++ b/src/lxml/html/tests/test_clean.py
-@@ -1,3 +1,5 @@
-+import base64
-+import gzip
- import unittest, sys
- from lxml.tests.common_imports import make_doctest
- from lxml.etree import LIBXML_VERSION
-@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):
-             b'<math><style>/* deleted */</style></math>',
-             lxml.html.tostring(clean_html(s)))
- 
-+    def test_sneaky_import_in_style(self):
-+        # Prevent "@@importimport" -> "@import" replacement.
-+        style_codes = [
-+            "@@importimport(extstyle.css)",
-+            "@ @  import import(extstyle.css)",
-+            "@ @ importimport(extstyle.css)",
-+            "@@  import import(extstyle.css)",
-+            "@ @import import(extstyle.css)",
-+            "@@importimport()",
-+        ]
-+        for style_code in style_codes:
-+            html = '<style>%s</style>' % style_code
-+            s = lxml.html.fragment_fromstring(html)
-+
-+            cleaned = lxml.html.tostring(clean_html(s))
-+            self.assertEqual(
-+                b'<style>/* deleted */</style>',
-+                cleaned,
-+                "%s  ->  %s" % (style_code, cleaned))
-+
-+    def test_svg_data_links(self):
-+        # Remove SVG images with potentially insecure content.
-+        svg = b'<svg onload="alert(123)" />'
-+        svgz = gzip.compress(svg)
-+        svg_b64 = base64.b64encode(svg).decode('ASCII')
-+        svgz_b64 = base64.b64encode(svgz).decode('ASCII')
-+        urls = [
-+            "data:image/svg+xml;base64," + svg_b64,
-+            "data:image/svg+xml-compressed;base64," + svgz_b64,
-+        ]
-+        for url in urls:
-+            html = '<img src="%s">' % url
-+            s = lxml.html.fragment_fromstring(html)
-+
-+            cleaned = lxml.html.tostring(clean_html(s))
-+            self.assertEqual(
-+                b'<img src="">',
-+                cleaned,
-+                "%s  ->  %s" % (url, cleaned))
-+
-+    def test_image_data_links(self):
-+        data = b'123'
-+        data_b64 = base64.b64encode(data).decode('ASCII')
-+        urls = [
-+            "data:image/jpeg;base64," + data_b64,
-+            "data:image/apng;base64," + data_b64,
-+            "data:image/png;base64," + data_b64,
-+            "data:image/gif;base64," + data_b64,
-+            "data:image/webp;base64," + data_b64,
-+            "data:image/bmp;base64," + data_b64,
-+            "data:image/tiff;base64," + data_b64,
-+            "data:image/x-icon;base64," + data_b64,
-+        ]
-+        for url in urls:
-+            html = '<img src="%s">' % url
-+            s = lxml.html.fragment_fromstring(html)
-+
-+            cleaned = lxml.html.tostring(clean_html(s))
-+            self.assertEqual(
-+                html.encode("UTF-8"),
-+                cleaned,
-+                "%s  ->  %s" % (url, cleaned))
-+
-     def test_formaction_attribute_in_button_input(self):
-         # The formaction attribute overrides the form's action and should be
-         # treated as a malicious link attribute
--- a/SOURCES/fix-threading-tests.patch
+++ b/SOURCES/fix-threading-tests.patch
@ -1,26 +0,0 @@
-diff --git a/src/lxml/tests/test_threading.py b/src/lxml/tests/test_threading.py
-index 8948c3e..5ede3f8 100644
--- a/src/lxml/tests/test_threading.py
-+++ b/src/lxml/tests/test_threading.py
-@@ -130,7 +130,7 @@ class ThreadingTestCase(HelperTestCase):
-     <xsl:template match="tag" />
-     <!-- extend time for parsing + transform -->
- ''' + '\n'.join('<xsl:template match="tag%x" />' % i for i in range(200)) + '''
-    <xsl:foo />
-+    <xsl:UnExpectedElement />
- </xsl:stylesheet>''')
-         self.assertRaises(etree.XSLTParseError,
-                           etree.XSLT, style)
-@@ -153,9 +153,10 @@ class ThreadingTestCase(HelperTestCase):
-             self.assertTrue(len(log))
-             if last_log is not None:
-                 self.assertEqual(len(last_log), len(log))
-            self.assertEqual(4, len(log))
-+            self.assertTrue(len(log) >= 2, len(log))
-             for error in log:
-                self.assertTrue(':ERROR:XSLT:' in str(error))
-+                self.assertTrue(':ERROR:XSLT:' in str(error), str(error))
-+            self.assertTrue(any('UnExpectedElement' in str(error) for error in log), log)
-             last_log = log
- 
-     def test_thread_xslt_apply_error_log(self):
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -1,36 +1,18 @@
 %global modname lxml

 Name:           python-%{modname}
-Version:        4.2.3
-Release:        4%{?dist}
+Version:        4.6.5
+Release:        1%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API

 License:        BSD
-URL:            http://lxml.de
-Source0:        http://lxml.de/files/%{modname}-%{version}.tgz
+URL:            https://github.com/lxml/lxml
+Source0:        %{pypi_source %{modname}}

-# Fix for CVE-2020-27783: mXSS due to the use of improper parser
-# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
-# Two upstream commits combined:
-#   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
-#   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
-Patch0:         CVE-2020-27783.patch
-
-# Fix for CVE-2021-28957: missing input sanitization
-# for formaction HTML5 attributes which may lead to XSS
-# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
-Patch1: CVE-2021-28957.patch
-
-# Fix for CVE-2021-43818: HTML Cleaner allows crafted
-# and SVG embedded scripts to pass through
-# Fixed upstream:
-# https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
-# https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
-Patch2: CVE-2021-43818.patch
-
-# Make test more resilient against changes in latest libxslt releases
-# Fixed upstream: https://github.com/lxml/lxml/commit/acef361ca80ff9afd828d91c98ea91c92f9d09af
-Patch3: fix-threading-tests.patch
+# Exclude i686 arch. Due to a modularity issue it's being added to the
+# x86_64 compose of CRB, but we don't want to ship it at all.
+# See: https://projects.engineering.redhat.com/browse/RCM-72605
+ExcludeArch: i686

 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
@ -45,22 +27,25 @@ home page < or see our bug tracker at case you want to use the current ...

 %description %{_description}

-%package -n     python3-%{modname}
+%package -n     python%{python3_pkgversion}-%{modname}
 Summary:        %{summary}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  python3-Cython
-Recommends:     python3-cssselect
-Recommends:     python3-html5lib
-Recommends:     python3-beautifulsoup4
-%{?python_provide:%python_provide python3-%{modname}}
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python%{python3_pkgversion}-rpm-macros
+BuildRequires:  python%{python3_pkgversion}-setuptools
+BuildRequires:  python%{python3_pkgversion}-Cython
+Suggests:       python%{python3_version}dist(cssselect) >= 0.7
+Suggests:       python%{python3_version}dist(html5lib)
+Suggests:       python%{python3_version}dist(beautifulsoup4)
+%{?python_provide:%python_provide python%{python3_pkgversion}-%{modname}}

-%description -n python3-%{modname} %{_description}
+%description -n python%{python3_pkgversion}-%{modname} %{_description}

 Python 3 version.

 %prep
 %autosetup -n %{modname}-%{version} -p1
+# Remove pregenerated Cython C sources
+find -type f -name '*.c' -print -delete

 %build
 export WITH_CYTHON=true
@ -76,30 +61,83 @@ cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
 # The options are: verbose, unit, functional
 %{python3} test.py -vuf

-%files -n python3-%{modname}
-%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
+%files -n python%{python3_pkgversion}-%{modname}
+%license LICENSES.txt
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 %{python3_sitearch}/%{modname}/
 %{python3_sitearch}/%{modname}-*.egg-info/

 %changelog
-* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
+* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.6.5-1
+- Update to 4.6.5
 - Security fix for CVE-2021-43818
 Resolves: rhbz#2032569

-* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-3
+* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.2-3
 - Security fix for CVE-2021-28957
 Resolves: rhbz#1941534

-* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2
- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
-Resolves: rhbz#1901633
+* Mon Jan 18 2021 Tomas Orsava <torsava@redhat.com> - 4.6.2-2
+- Convert from Fedora to the python39 module in RHEL8
+- Resolves: rhbz#1877430

-* Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
- New upstream release 4.2.3
+* Tue Dec 01 2020 Miro Hrončok <mhroncok@redhat.com> - 4.6.2-1
+- Update to 4.6.2
+- Fixes CVE-2020-27783 and another vulnerability in the HTML Cleaner
+- Fixes: rhbz#1855415
+- Fixes: rhbz#1901634

-* Sun Jul 22 2018 Charalampos Stratakis <cstratak@redhat.com> - 4.1.1-3
- Conditionalize the python2 subpackage
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 01 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 4.5.1-1
+- Update to 4.5.1
+
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-5
+- Rebuilt for Python 3.9
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Nov 20 2019 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-3
+- Subpackage python2-lxml has been removed
+  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
+
+* Sat Sep 07 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.1-2
+- Generate C files using py3 Cython
+
+* Sat Sep 07 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.1-1
+- Update to 4.4.1
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 4.4.0-2
+- Rebuilt for Python 3.8
+
+* Sat Aug 03 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.0-1
+- Update to 4.4.0
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Dec 18 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.5-1
+- Update to 4.2.5
+
+* Sun Sep 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.4-1
+- Update to 4.2.4
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Sat Jul 07 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.3-1
+- Update to 4.2.3
+
+* Sun Jun 17 2018 Miro Hrončok <mhroncok@redhat.com> - 4.2.1-2
+- Rebuilt for Python 3.7
+
+* Wed Apr 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.1-1
+- Update to 4.2.1

 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild