16 changed files with 395 additions and 395 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1,68 +1 @@
-lxml-2.2.7.tar.gz
+SOURCES/lxml-4.2.3.tgz
 lxml-2.2.7.tar.gz.asc
 /lxml-2.2.8.tar.gz
 /lxml-2.2.8.tar.gz.asc
 /lxml-2.3.tar.gz
 /lxml-2.3.tar.gz.asc
 /lxml-2.3.1.tar.gz
 /lxml-2.3.1.tar.gz.asc
 /lxml-2.3.2.tar.gz
 /lxml-2.3.2.tar.gz.asc
 /lxml-2.3.3.tar.gz
 /lxml-2.3.3.tar.gz.asc
 /lxml-2.3.5.tar.gz
 /lxml-2.3.5.tar.gz.asc
 /lxml-3.0.tar.gz
 /lxml-3.0.tar.gz.asc
 /lxml-3.0.tgz
 /lxml-3.0.tgz.asc
 /lxml-3.0.1.tgz
 /lxml-3.0.1.tgz.asc
 /lxml-3.1.0.tgz
 /lxml-3.1.0.tgz.asc
 /lxml-3.2.0.tgz
 /lxml-3.2.0.tgz.asc
 /lxml-3.2.1.tgz
 /lxml-3.2.1.tgz.asc
 /lxml-3.2.3.tgz
 /lxml-3.2.3.tgz.asc
 /lxml-3.2.4.tgz
 /lxml-3.2.4.tgz.asc
 /lxml-3.3.0.tgz
 /lxml-3.3.0.tgz.asc
 /lxml-3.3.2.tgz
 /lxml-3.3.2.tgz.asc
 /lxml-3.3.3.tgz
 /lxml-3.3.3.tgz.asc
 /lxml-3.3.5.tgz
 /lxml-3.3.5.tgz.asc
 /lxml-3.3.6.tgz
 /lxml-3.3.6.tgz.asc
 /lxml-3.4.4.tgz
 /lxml-3.4.4.tgz.asc
 /lxml-3.6.4.tar.gz
 /lxml-3.7.0.tar.gz
 /lxml-3.7.1.tgz
 /lxml-3.7.2.tgz
 /lxml-3.8.0.tgz
 /lxml-4.0.0.tgz
 /lxml-4.1.1.tgz
 /lxml-4.2.1.tgz
 /lxml-4.2.3.tgz
 /lxml-4.2.4.tgz
 /lxml-4.2.5.tgz
 /lxml-4.4.0.tgz
 /lxml-4.4.1.tgz
 /lxml-4.5.1.tgz
 /lxml-4.6.2.tar.gz
 /lxml-4.6.3.tar.gz
 /lxml-4.7.1.tar.gz
 /lxml-4.9.1.tar.gz
 /lxml-4.9.2.tar.gz
 /lxml-4.9.2-no-isoschematron.tar.gz
 /lxml-4.9.2-no-isoschematron-rng.tar.gz
 /lxml-4.9.3-no-isoschematron-rng.tar.gz
 /lxml-4.9.4-no-isoschematron-rng.tar.gz
 /lxml-5.1.0-no-isoschematron-rng.tar.gz
 /lxml-5.2.0-no-isoschematron-rng.tar.gz
 /lxml-5.2.1-no-isoschematron-rng.tar.gz
--- a/.python-lxml.metadata
+++ b/.python-lxml.metadata
@ -0,0 +1 @@
 536c9ced5d03e8d871ebf21748ed36a2f7ddf668 SOURCES/lxml-4.2.3.tgz
--- a/417.patch
+++ b/417.patch
@ -1,40 +0,0 @@
 From f5f64df808b35969794ba3ea8c19079276aa0cb0 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 4 Apr 2024 11:11:38 +0200
 Subject: [PATCH] Skip test_feedparser_data if lxml_html_clean is not available
 This is useful mostly for distributors shipping lxml without
 lxml_html_clean.
 ---
 src/lxml/html/tests/test_feedparser_data.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/src/lxml/html/tests/test_feedparser_data.py b/src/lxml/html/tests/test_feedparser_data.py
 index 36fba1acb..264c0d4b5 100644
 --- a/src/lxml/html/tests/test_feedparser_data.py
 +++ b/src/lxml/html/tests/test_feedparser_data.py
@@ -9,7 +9,11 @@
 from lxml.tests.common_imports import doctest
 from lxml.doctestcompare import LHTMLOutputChecker
 -from lxml.html.clean import clean, Cleaner
 +try:
 +    from lxml.html.clean import clean, Cleaner
 +    html_clean_available = True
 +except ImportError:
 +    html_clean_available = False
 feed_dirs = [
     os.path.join(os.path.dirname(__file__), 'feedparser-data'),
@@ -80,6 +84,11 @@ def shortDescription(self):
 def test_suite():
     suite = unittest.TestSuite()
 +
 +    if not html_clean_available:
 +        print("Skipping tests in feedparser_data - external lxml_html_clean package is not installed")
 +        return suite
 +
     for dir in feed_dirs:
         for fn in os.listdir(dir):
             fn = os.path.join(dir, fn)
--- a/SOURCES/CVE-2020-27783.patch
+++ b/SOURCES/CVE-2020-27783.patch
@ -0,0 +1,121 @@
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
 index adc3f45..6f3f7de 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
 # This is an IE-specific construct you can have in a stylesheet to
 # run some Javascript:
 -_css_javascript_re = re.compile(
 -    r'expression\s*\(.*?\)', re.S|re.I)
 +_replace_css_javascript = re.compile(
 +    r'expression\s*\(.*?\)', re.S|re.I).sub
 # Do I have to worry about @\nimport?
 -_css_import_re = re.compile(
 -    r'@\s*import', re.I)
 +_replace_css_import = re.compile(
 +    r'@\s*import', re.I).sub
 +
 +_looks_like_tag_content = re.compile(
 +    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
 # All kinds of schemes besides just javascript: that can cause
 # execution:
@@ -292,8 +295,8 @@ class Cleaner(object):
             if not self.inline_style:
                 for el in _find_styled_elements(doc):
                     old = el.get('style')
 -                    new = _css_javascript_re.sub('', old)
 -                    new = _css_import_re.sub('', new)
 +                    new = _replace_css_javascript('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         del el.attrib['style']
@@ -305,9 +308,9 @@ class Cleaner(object):
                         el.drop_tree()
                         continue
                     old = el.text or ''
 -                    new = _css_javascript_re.sub('', old)
 +                    new = _replace_css_javascript('', old)
                     # The imported CSS can do anything; we just can't allow:
 -                    new = _css_import_re.sub('', old)
 +                    new = _replace_css_import('', new)
                     if self._has_sneaky_javascript(new):
                         # Something tricky is going on...
                         el.text = '/* deleted */'
@@ -509,6 +512,12 @@ class Cleaner(object):
             return True
         if 'expression(' in style:
             return True
 +        if '</noscript' in style:
 +            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +            return True
 +        if _looks_like_tag_content(style):
 +            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
 +            return True
         return False
     def clean_html(self, html):
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index 3bcaaf5..451eec2 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
         s = lxml.html.fromstring('<invalid tag>child</another>')
         self.assertEqual('child', clean_html(s).text_content())
 +    def test_sneaky_noscript_in_style(self):
 +        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
 +        # thus passing the </noscript> through into the output.
 +        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<noscript><style>/* deleted */</style></noscript>',
 +            lxml.html.tostring(clean_html(s)))
 +
 +    def test_sneaky_js_in_math_style(self):
 +        # This gets parsed as <math> -> <style>"..."</style>
 +        # thus passing any tag/script/whatever content through into the output.
 +        html = '<math><style><img src=x onerror=alert(1)></style></math>'
 +        s = lxml.html.fragment_fromstring(html)
 +
 +        self.assertEqual(
 +            b'<math><style>/* deleted */</style></math>',
 +            lxml.html.tostring(clean_html(s)))
 +
 def test_suite():
     suite = unittest.TestSuite()
 diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
 index c78ab4f..c901871 100644
 --- a/src/lxml/html/tests/test_clean.txt
 +++ b/src/lxml/html/tests/test_clean.txt
@@ -104,7 +104,11 @@
 >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
 <html>
   <head>
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
@@ -168,7 +172,11 @@
     <link rel="alternate" type="text/rss" src="evil-rss">
     <link rel="alternate" type="text/rss" href="http://example.com">
     <link rel="stylesheet" type="text/rss" href="http://example.com">
 -    <style>/* deleted */</style>
 +    <style>
 +      body {background-image: url()};
 +      div {background-image: url()};
 +      div {color: };
 +    </style>
   </head>
   <body>
     <a href="">a link</a>
--- a/SOURCES/CVE-2021-28957.patch
+++ b/SOURCES/CVE-2021-28957.patch
@ -0,0 +1,39 @@
 diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
 index caf6b21..ea3c016 100644
 --- a/src/lxml/html/defs.py
 +++ b/src/lxml/html/defs.py
@@ -21,6 +21,8 @@ link_attrs = frozenset([
     'usemap',
     # Not standard:
     'dynsrc', 'lowsrc',
 +    # HTML5 formaction
 +    'formaction'
     ])
 # Not in the HTML 4 spec:
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index 451eec2..e40cdad 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 +    def test_formaction_attribute_in_button_input(self):
 +        # The formaction attribute overrides the form's action and should be
 +        # treated as a malicious link attribute
 +        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
 +        '<button form="test" formaction="javascript:alert(1)">X</button>')
 +        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
 +        '<button form="test" formaction="">X</button></div>')
 +        cleaner = Cleaner(
 +            forms=False,
 +            safe_attrs_only=False,
 +        )
 +        self.assertEqual(
 +            expected,
 +            cleaner.clean_html(html))
 +
 def test_suite():
     suite = unittest.TestSuite()
--- a/SOURCES/CVE-2021-43818.patch
+++ b/SOURCES/CVE-2021-43818.patch
@ -0,0 +1,127 @@
 diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
 index 6f3f7de..da5af16 100644
 --- a/src/lxml/html/clean.py
 +++ b/src/lxml/html/clean.py
@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(
 # All kinds of schemes besides just javascript: that can cause
 # execution:
 -_is_image_dataurl = re.compile(
 -    r'^data:image/.+;base64', re.I).search
 +_find_image_dataurls = re.compile(
 +    r'^data:image/(.+);base64,', re.I).findall
 _is_possibly_malicious_scheme = re.compile(
 -    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
 -    re.I).search
 +    r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
 +    re.I).findall
 +# SVG images can contain script content
 +_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
 +
 def _is_javascript_scheme(s):
 -    if _is_image_dataurl(s):
 -        return None
 -    return _is_possibly_malicious_scheme(s)
 +    is_image_url = False
 +    for image_type in _find_image_dataurls(s):
 +        is_image_url = True
 +        if _is_unsafe_image_type(image_type):
 +            return True
 +    if is_image_url:
 +        return False
 +    return bool(_is_possibly_malicious_scheme(s))
 _substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
 -# FIXME: should data: be blocked?
 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
 _conditional_comment_re = re.compile(
@@ -512,6 +519,8 @@ class Cleaner(object):
             return True
         if 'expression(' in style:
             return True
 +        if '@import' in style:
 +            return True
         if '</noscript' in style:
             # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
             return True
 diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
 index e40cdad..ad9a598 100644
 --- a/src/lxml/html/tests/test_clean.py
 +++ b/src/lxml/html/tests/test_clean.py
@@ -1,3 +1,5 @@
 +import base64
 +import gzip
 import unittest, sys
 from lxml.tests.common_imports import make_doctest
 from lxml.etree import LIBXML_VERSION
@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 +    def test_sneaky_import_in_style(self):
 +        # Prevent "@@importimport" -> "@import" replacement.
 +        style_codes = [
 +            "@@importimport(extstyle.css)",
 +            "@ @  import import(extstyle.css)",
 +            "@ @ importimport(extstyle.css)",
 +            "@@  import import(extstyle.css)",
 +            "@ @import import(extstyle.css)",
 +            "@@importimport()",
 +        ]
 +        for style_code in style_codes:
 +            html = '<style>%s</style>' % style_code
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                b'<style>/* deleted */</style>',
 +                cleaned,
 +                "%s  ->  %s" % (style_code, cleaned))
 +
 +    def test_svg_data_links(self):
 +        # Remove SVG images with potentially insecure content.
 +        svg = b'<svg onload="alert(123)" />'
 +        svgz = gzip.compress(svg)
 +        svg_b64 = base64.b64encode(svg).decode('ASCII')
 +        svgz_b64 = base64.b64encode(svgz).decode('ASCII')
 +        urls = [
 +            "data:image/svg+xml;base64," + svg_b64,
 +            "data:image/svg+xml-compressed;base64," + svgz_b64,
 +        ]
 +        for url in urls:
 +            html = '<img src="%s">' % url
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                b'<img src="">',
 +                cleaned,
 +                "%s  ->  %s" % (url, cleaned))
 +
 +    def test_image_data_links(self):
 +        data = b'123'
 +        data_b64 = base64.b64encode(data).decode('ASCII')
 +        urls = [
 +            "data:image/jpeg;base64," + data_b64,
 +            "data:image/apng;base64," + data_b64,
 +            "data:image/png;base64," + data_b64,
 +            "data:image/gif;base64," + data_b64,
 +            "data:image/webp;base64," + data_b64,
 +            "data:image/bmp;base64," + data_b64,
 +            "data:image/tiff;base64," + data_b64,
 +            "data:image/x-icon;base64," + data_b64,
 +        ]
 +        for url in urls:
 +            html = '<img src="%s">' % url
 +            s = lxml.html.fragment_fromstring(html)
 +
 +            cleaned = lxml.html.tostring(clean_html(s))
 +            self.assertEqual(
 +                html.encode("UTF-8"),
 +                cleaned,
 +                "%s  ->  %s" % (url, cleaned))
 +
     def test_formaction_attribute_in_button_input(self):
         # The formaction attribute overrides the form's action and should be
         # treated as a malicious link attribute
--- a/SOURCES/fix-threading-tests.patch
+++ b/SOURCES/fix-threading-tests.patch
@ -0,0 +1,26 @@
 diff --git a/src/lxml/tests/test_threading.py b/src/lxml/tests/test_threading.py
 index 8948c3e..5ede3f8 100644
 --- a/src/lxml/tests/test_threading.py
 +++ b/src/lxml/tests/test_threading.py
@@ -130,7 +130,7 @@ class ThreadingTestCase(HelperTestCase):
     <xsl:template match="tag" />
     <!-- extend time for parsing + transform -->
 ''' + '\n'.join('<xsl:template match="tag%x" />' % i for i in range(200)) + '''
 -    <xsl:foo />
 +    <xsl:UnExpectedElement />
 </xsl:stylesheet>''')
         self.assertRaises(etree.XSLTParseError,
                           etree.XSLT, style)
@@ -153,9 +153,10 @@ class ThreadingTestCase(HelperTestCase):
             self.assertTrue(len(log))
             if last_log is not None:
                 self.assertEqual(len(last_log), len(log))
 -            self.assertEqual(4, len(log))
 +            self.assertTrue(len(log) >= 2, len(log))
             for error in log:
 -                self.assertTrue(':ERROR:XSLT:' in str(error))
 +                self.assertTrue(':ERROR:XSLT:' in str(error), str(error))
 +            self.assertTrue(any('UnExpectedElement' in str(error) for error in log), log)
             last_log = log
     def test_thread_xslt_apply_error_log(self):
--- a/SPECS/python-lxml.spec
+++ b/SPECS/python-lxml.spec
@ -1,160 +1,105 @@
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.0-2
+%global modname lxml
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-* Mon Jan 08 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.0-1
+Name:           python-%{modname}
- Update to 5.1.0 (rhbz#2256232)
+Version:        4.2.3
 Release:        4%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
-* Wed Dec 20 2023 Lumír Balhar <lbalhar@redhat.com> - 4.9.4-1
+License:        BSD
- Update to 4.9.4 (rhbz#2255267)
+URL:            http://lxml.de
 Source0:        http://lxml.de/files/%{modname}-%{version}.tgz
-* Sun Nov 26 2023 David King <amigadave@amigadave.com> - 4.9.3-4
+# Fix for CVE-2020-27783: mXSS due to the use of improper parser
- Fix building against libxml2 2.12.0
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633
- Resolves: rhbz#2250838
+# Two upstream commits combined:
 #   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
 #   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
 Patch0:         CVE-2020-27783.patch
-* Mon Oct 30 2023 Miro Hrončok <mhroncok@redhat.com> - 4.9.3-3
+# Fix for CVE-2021-28957: missing input sanitization
- Fix build with a future mock version
+# for formaction HTML5 attributes which may lead to XSS
 # Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
 Patch1: CVE-2021-28957.patch
-* Fri Jul 28 2023 Miro Hrončok <mhroncok@redhat.com> - 4.9.3-2
+# Fix for CVE-2021-43818: HTML Cleaner allows crafted
- Fix build with Cython 3
+# and SVG embedded scripts to pass through
 # Fixed upstream:
 # https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
 # https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
 Patch2: CVE-2021-43818.patch
-* Fri Jul 21 2023 Lumír Balhar <lbalhar@redhat.com> - 4.9.3-1
+# Make test more resilient against changes in latest libxslt releases
- Update to 4.9.3 (rhbz#2219811)
+# Fixed upstream: https://github.com/lxml/lxml/commit/acef361ca80ff9afd828d91c98ea91c92f9d09af
 Patch3: fix-threading-tests.patch
-* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.2-9
+BuildRequires:  gcc
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
-* Fri Jul 14 2023 Miro Hrončok <mhroncok@redhat.com> - 4.9.2-8
+%global _description \
- Bring back the isoschematron submodule,
+lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It\
-  but without the validation of the schema file itself
+provides safe and convenient access to these libraries using the ElementTree It\
 extends the ElementTree API significantly to offer support for XPath, RelaxNG,\
 XML Schema, XSLT, C14N and much more.To contact the project, go to the project\
 home page < or see our bug tracker at case you want to use the current ...
-* Fri Jun 16 2023 Python Maint <python-maint@redhat.com> - 4.9.2-7
+%description %{_description}
 - Rebuilt for Python 3.12
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 4.9.2-6
+%package -n     python3-%{modname}
- Bootstrap for Python 3.12
+Summary:        %{summary}
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-Cython
 Recommends:     python3-cssselect
 Recommends:     python3-html5lib
 Recommends:     python3-beautifulsoup4
 %{?python_provide:%python_provide python3-%{modname}}
-* Wed May 31 2023 Miro Hrončok <mhroncok@redhat.com> - 4.9.2-5
+%description -n python3-%{modname} %{_description}
 - Remove the isoschematron submodule
-* Tue May 30 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 4.9.2-4
+Python 3 version.
 - Disable extra subpackages in RHEL builds
-* Mon May 29 2023 Tomáš Hrnčiar <thrnciar@redhat.com> - 4.9.2-3
+%prep
- Skip failing test to avoid FTBFS
+%autosetup -n %{modname}-%{version} -p1
-* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.2-2
+%build
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+export WITH_CYTHON=true
 %py3_build
-* Wed Dec 14 2022 Lumír Balhar <lbalhar@redhat.com> - 4.9.2-1
+%install
- Update to 4.9.2 (rhbz#2153063)
+%py3_install
-* Wed Sep 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.9.1-1
+%check
- Update to 4.9.1
+# The tests assume inplace build, so we copy the built library to source-dir.
- Fix for CVE-2022-2309
+# If not done that, Python can either import the tests or the extension modules, but not both.
- Resolves: rhbz#2107571, rhbz#2110131
+cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
 # The options are: verbose, unit, functional
 %{python3} test.py -vuf
-* Wed Aug 31 2022 Miro Hrončok <mhroncok@redhat.com> - 4.7.1-6
+%files -n python3-%{modname}
- Use SPDX license identifiers
+%license doc/licenses/ZopePublicLicense.txt LICENSES.txt
- The schematron files are not Zlib licensed, but MIT
+%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
- Package the lxml[cssselect], lxml[html5] and lxml[htmlsoup] extras
+%{python3_sitearch}/%{modname}/
 %{python3_sitearch}/%{modname}-*.egg-info/
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.1-5
+%changelog
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-4
 - Security fix for CVE-2021-43818
 Resolves: rhbz#2032569
-* Wed Jun 22 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.7.1-4
+* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-3
- Fix FTBFS with setuptools >= 62.1
+- Security fix for CVE-2021-28957
- Resolves: rhbz#2097102
+Resolves: rhbz#1941534
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 4.7.1-3
+* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2
- Rebuilt for Python 3.11
+- Security fix for CVE-2020-27783: mXSS due to the use of improper parser
 Resolves: rhbz#1901633
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.1-2
+* Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+- New upstream release 4.2.3
-* Thu Jan 06 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.7.1-1
+* Sun Jul 22 2018 Charalampos Stratakis <cstratak@redhat.com> - 4.1.1-3
- Update to 4.7.1
+- Conditionalize the python2 subpackage
 - Fixes CVE-2021-43818
 - Resolves: rhbz#2031686, rhbz#2032572
 * Fri Nov 26 2021 Miro Hrončok <mhroncok@redhat.com> - 4.6.3-5
 - Run the tests during build
 - Resolves: rhbz#2026941
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Thu Jun 03 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.3-3
 - Update the license information
 * Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 4.6.3-2
 - Rebuilt for Python 3.10
 * Thu May 20 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.6.3-1
 - Update to 4.6.3
 - Fixes CVE-2021-28957
 - Fixes: rhbz#1941773
 - Fixes: rhbz#1941535
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Dec 01 2020 Miro Hrončok <mhroncok@redhat.com> - 4.6.2-1
 - Update to 4.6.2
 - Fixes CVE-2020-27783 and another vulnerability in the HTML Cleaner
 - Fixes: rhbz#1855415
 - Fixes: rhbz#1901634
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jun 01 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 4.5.1-1
 - Update to 4.5.1
 * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-5
 - Rebuilt for Python 3.9
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Wed Nov 20 2019 Miro Hrončok <mhroncok@redhat.com> - 4.4.1-3
 - Subpackage python2-lxml has been removed
  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
 * Sat Sep 07 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.1-2
 - Generate C files using py3 Cython
 * Sat Sep 07 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.1-1
 - Update to 4.4.1
 * Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 4.4.0-2
 - Rebuilt for Python 3.8
 * Sat Aug 03 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.0-1
 - Update to 4.4.0
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Tue Dec 18 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.5-1
 - Update to 4.2.5
 * Sun Sep 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.4-1
 - Update to 4.2.4
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Sat Jul 07 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.3-1
 - Update to 4.2.3
 * Sun Jun 17 2018 Miro Hrončok <mhroncok@redhat.com> - 4.2.1-2
 - Rebuilt for Python 3.7
 * Wed Apr 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.2.1-1
 - Update to 4.2.1
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/ci.fmf
+++ b/ci.fmf
@ -1 +0,0 @@
 resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -1,5 +0,0 @@
 --- !Policy
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/smoke.functional}
--- a/get-lxml-source.sh
+++ b/get-lxml-source.sh
@ -1,28 +0,0 @@
 #! /bin/bash -ex
 # Download a release of lxml (if missing) and remove the isoschematron module from it
 version=$1
 if [ -z "${version}" ]; then
    echo "Usage: $0 VERSION" >& 2
    echo "" >& 2
    echo "example: $0 4.9.2" >& 2
    exit 1
 fi
 versionedname=lxml-${version}
 orig_archive=${versionedname}.tar.gz
 new_archive=${versionedname}-no-isoschematron-rng.tar.gz
 if [ ! -e ${orig_archive} ]; then
    wget -N https://files.pythonhosted.org/packages/source/l/lxml/${orig_archive}
 fi
 deleted_directory=lxml-${version}/src/lxml/isoschematron/resources/rng
 # tar --delete does not operate on compressed archives, so do
 # gz decompression explicitly
 gzip --decompress ${orig_archive}
 tar -v --delete -f ${orig_archive//.gz} ${deleted_directory}
 gzip -cf ${orig_archive//.gz} > ${new_archive}
--- a/plans/etree-fromstring.py
+++ b/plans/etree-fromstring.py
@ -1,7 +0,0 @@
 import lxml.etree as et
 s = '<foo><bar baz="xyzzy">a<![CDATA[b]]>c</bar></foo>'
 x = et.fromstring(s)
 t = x.find('bar').text
 print(t)
 if t != 'abc':
    raise Exception()
--- a/plans/smoke.fmf
+++ b/plans/smoke.fmf
@ -1,12 +0,0 @@
 summary: Basic smoke test
 discover:
  how: shell
  tests:
    - name: /smoke/import-python-module
      test: |
        python3 -c 'import importlib as il; print(il.import_module("lxml"))'
    - name: /smoke/etree-fromstring
      test: |
        python3 plans/etree-fromstring.py
 execute:
  how: tmt
--- a/python-lxml.spec
+++ b/python-lxml.spec
@ -1,97 +0,0 @@
 Name:           python-lxml
 Version:        5.2.1
 Release:        %autorelease
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 # The lxml project is licensed under BSD-3-Clause
 # Some code is derived from ElementTree and cElementTree
 # thus using the MIT-CMU elementtree license
 # .xsl schematron files are under the MIT license
 License:        BSD-3-Clause AND MIT-CMU AND MIT
 URL:            https://github.com/lxml/lxml
 # We use the get-lxml-source.sh script to generate the tarball
 # without the isoschematron RNG validation file under a problematic license.
 # See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/154
 Source0:        lxml-%{version}-no-isoschematron-rng.tar.gz
 Source1:        get-lxml-source.sh
 # Skip some tests if lxml_html_clean is not available
 Patch:          https://github.com/lxml/lxml/pull/417.patch
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
 BuildRequires:  python3-devel
 # Some of the extras create a build dependency loop.
 # - [cssselect] Requires cssselect BuildRequires lxml
 # - [html5] Requires html5lib BuildRequires lxml
 # - [htmlsoup] Requires beautifulsoup4 Requires lxml
 # - [html_clean] Requires lxml-html-clean Requires lxml
 # Hence we provide a bcond to disable the extras altogether.
 # By default, the extras are disabled in RHEL, to avoid dependencies.
 %bcond extras %{undefined rhel}
 %global _description \
 lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It\
 provides safe and convenient access to these libraries using the ElementTree It\
 extends the ElementTree API significantly to offer support for XPath, RelaxNG,\
 XML Schema, XSLT, C14N and much more.
 %description %{_description}
 %package -n     python3-lxml
 Summary:        %{summary}
 %if %{with extras}
 Suggests:       python3-lxml+cssselect
 Suggests:       python3-lxml+html5
 Suggests:       python3-lxml+htmlsoup
 Suggests:       python3-lxml+html_clean
 %endif
 %description -n python3-lxml %{_description}
 Python 3 version.
 %if %{with extras}
 %pyproject_extras_subpkg -n python3-lxml cssselect html5 htmlsoup html_clean
 %endif
 %prep
 %autosetup -n lxml-%{version} -p1
 # Don't run html5lib tests --without extras
 %{!?without_extras:rm src/lxml/html/tests/test_html5parser.py}
 # Remove limit for version of Cython
 sed -i "s/Cython.*/Cython/" requirements.txt
 sed -i 's/"Cython.*",/"Cython",/' pyproject.toml
 %generate_buildrequires
 %pyproject_buildrequires -x source%{?with_extras:,cssselect,html5,htmlsoup,html_clean}
 %build
 # Remove pregenerated Cython C sources
 # We need to do this after %%pyproject_buildrequires because setup.py errors
 # without Cython and without the .c files.
 find -type f -name '*.c' -print -delete >&2
 export WITH_CYTHON=true
 %pyproject_wheel
 %install
 %pyproject_install
 %pyproject_save_files lxml
 %check
 # The tests assume inplace build, so we copy the built library to source-dir.
 # If not done that, Python can either import the tests or the extension modules, but not both.
 cp -a build/lib.%{python3_platform}-*/* src/
 # The options are: verbose, unit, functional
 %{python3} test.py -vuf
 %files -n python3-lxml -f %{pyproject_files}
 %license doc/licenses/BSD.txt doc/licenses/elementtree.txt
 %doc README.rst
 %changelog
 %autochangelog
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (lxml-5.2.1-no-isoschematron-rng.tar.gz) = 7bfd9caf7e45157726e16c7286bdcb1b4dfa24df000df96d6571d65f59760ea5747e364da788cee3116977810b870ab90e451b519701f5cc26f1111a2528c996
		`@ -0,0 +1 @@`
							`536c9ced5d03e8d871ebf21748ed36a2f7ddf668 SOURCES/lxml-4.2.3.tgz`
		`@ -1 +0,0 @@`
			`SHA512 (lxml-5.2.1-no-isoschematron-rng.tar.gz) = 7bfd9caf7e45157726e16c7286bdcb1b4dfa24df000df96d6571d65f59760ea5747e364da788cee3116977810b870ab90e451b519701f5cc26f1111a2528c996`