rpms/python-markdown
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2025-69534 (RHEL-153747)

Browse Source 
Resolves: RHEL-153747
This commit is contained in:
David King 2026-03-30 16:26:49 +01:00
parent decf3776c0
commit ddbf35dacc
2 changed files with 518 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

512
python-markdown-3.3.4-fix-CVE-2025-69534.patch Normal file
View File

@ -0,0 +1,512 @@
From 3cc003e8693e50112189e9cd1b3116aa4c9003c4 Mon Sep 17 00:00:00 2001
From: Waylan Limberg <waylan.limberg@icloud.com>
Date: Wed, 18 Jun 2025 10:29:03 -0400
Subject: [PATCH 1/3] Ensure incomplete markup declaration in raw HTML doesn't
crash parser.
See Python bug report at gh-77057 for details. Until we drop support for
Python < 3.13 (where this was fixed upstream), we need to avoid the
unwanted error by checking for it explicitly. Fixes #1534.
---
markdown/extensions/md_in_html.py | 4 ++++
markdown/htmlparser.py | 4 ++++
tests/test_syntax/blocks/test_html_blocks.py | 7 +++++++
3 files changed, 15 insertions(+)
diff --git a/markdown/extensions/md_in_html.py b/markdown/extensions/md_in_html.py
index 86cf00d..f95406e 100644
--- a/markdown/extensions/md_in_html.py
+++ b/markdown/extensions/md_in_html.py
@@ -218,6 +218,10 @@ class HTMLExtractorExtra(HTMLExtractor):
def parse_html_declaration(self, i):
if self.at_line_start() or self.intail or self.mdstack:
+ if self.rawdata[i:i+3] == '<![' and not self.rawdata[i:i+9] == '<![CDATA[':
+ # We have encountered the bug in #1534 (Python bug `gh-77057`).
+ # Provide an override until we drop support for Python < 3.13.
+ return self.parse_bogus_comment(i)
# The same override exists in HTMLExtractor without the check
# for mdstack. Therefore, use HTMLExtractor's parent instead.
return super(HTMLExtractor, self).parse_html_declaration(i)
diff --git a/markdown/htmlparser.py b/markdown/htmlparser.py
index c08856a..431505c 100644
--- a/markdown/htmlparser.py
+++ b/markdown/htmlparser.py
@@ -256,6 +256,10 @@ class HTMLExtractor(htmlparser.HTMLParser):
def parse_html_declaration(self, i):
if self.at_line_start() or self.intail:
+ if self.rawdata[i:i+3] == '<![' and not self.rawdata[i:i+9] == '<![CDATA[':
+ # We have encountered the bug in #1534 (Python bug `gh-77057`).
+ # Provide an override until we drop support for Python < 3.13.
+ return self.parse_bogus_comment(i)
return super().parse_html_declaration(i)
# This is not the beginning of a raw block so treat as plain data
# and avoid consuming any tags which may follow (see #1066).
diff --git a/tests/test_syntax/blocks/test_html_blocks.py b/tests/test_syntax/blocks/test_html_blocks.py
index 0ee47b6..76d21af 100644
--- a/tests/test_syntax/blocks/test_html_blocks.py
+++ b/tests/test_syntax/blocks/test_html_blocks.py
@@ -1275,6 +1275,13 @@ class TestHTMLBlocks(TestCase):
)
)
+ def test_not_actually_cdata(self):
+ # Ensure bug reported in #1534 is avoided.
+ self.assertMarkdownRenders(
+ '<![',
+ '<p>&lt;![</p>'
+ )
+
def test_raw_cdata_code_span(self):
self.assertMarkdownRenders(
self.dedent(
--
2.54.0
From 1cc3f662b7bafe526e1a2fe72fff1bb7f784e346 Mon Sep 17 00:00:00 2001
From: Isaac Muse <faceless.shop@gmail.com>
Date: Thu, 19 Jun 2025 09:46:13 -0600
Subject: [PATCH 2/3] Fixes for Python 3.14
- Fix codecs deprecation
- Fix issue with unclosed `<![`
- Fix issue with unclosed HTML tag `<foo`
- Fix issue with unclosed comments
- Add tests which run on the Python 3.14 beta which should automatically update after release
Fixes #1537
---
markdown/__main__.py | 3 +--
markdown/core.py | 2 +-
markdown/extensions/md_in_html.py | 10 +++++++---
markdown/htmlparser.py | 26 +++++++++++++++++++++++---
6 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/markdown/__main__.py b/markdown/__main__.py
index 7d78b7e..64e3d58 100644
--- a/markdown/__main__.py
+++ b/markdown/__main__.py
@@ -21,7 +21,6 @@ License: BSD (see LICENSE.md for details).
import sys
import optparse
-import codecs
import warnings
import markdown
try:
@@ -100,7 +99,7 @@ def parse_options(args=None, values=None):
extension_configs = {}
if options.configfile:
- with codecs.open(
+ with open(
options.configfile, mode="r", encoding=options.encoding
) as fp:
try:
diff --git a/markdown/core.py b/markdown/core.py
index 2f7f2d5..f86fd87 100644
--- a/markdown/core.py
+++ b/markdown/core.py
@@ -318,7 +318,7 @@ class Markdown:
# Read the source
if input:
if isinstance(input, str):
- input_file = codecs.open(input, mode="r", encoding=encoding)
+ input_file = open(input, mode="r", encoding=encoding)
else:
input_file = codecs.getreader(encoding)(input)
text = input_file.read()
diff --git a/markdown/extensions/md_in_html.py b/markdown/extensions/md_in_html.py
index f95406e..4514836 100644
--- a/markdown/extensions/md_in_html.py
+++ b/markdown/extensions/md_in_html.py
@@ -221,9 +221,13 @@ class HTMLExtractorExtra(HTMLExtractor):
if self.rawdata[i:i+3] == '<![' and not self.rawdata[i:i+9] == '<![CDATA[':
# We have encountered the bug in #1534 (Python bug `gh-77057`).
# Provide an override until we drop support for Python < 3.13.
- return self.parse_bogus_comment(i)
- # The same override exists in HTMLExtractor without the check
- # for mdstack. Therefore, use HTMLExtractor's parent instead.
+ result = self.parse_bogus_comment(i)
+ if result == -1:
+ self.handle_data(self.rawdata[i:i + 1])
+ return i + 1
+ return result
+ # The same override exists in `HTMLExtractor` without the check
+ # for `mdstack`. Therefore, use parent of `HTMLExtractor` instead.
return super(HTMLExtractor, self).parse_html_declaration(i)
# This is not the beginning of a raw block so treat as plain data
# and avoid consuming any tags which may follow (see #1066).
diff --git a/markdown/htmlparser.py b/markdown/htmlparser.py
index 431505c..e9fe1e4 100644
--- a/markdown/htmlparser.py
+++ b/markdown/htmlparser.py
@@ -76,6 +76,8 @@ class HTMLExtractor(htmlparser.HTMLParser):
# Block tags that should contain no content (self closing)
self.empty_tags = set(['hr'])
+ self.override_comment_update = False
+
# This calls self.reset
super().__init__(*args, **kwargs)
self.md = md
@@ -233,9 +235,22 @@ class HTMLExtractor(htmlparser.HTMLParser):
def handle_entityref(self, name):
self.handle_empty_tag('&{};'.format(name), is_block=False)
- def handle_comment(self, data):
+ def handle_comment(self, data: str):
+ # Check if the comment is unclosed, if so, we need to override position
+ i = self.line_offset + self.offset + len(data) + 4
+ if self.rawdata[i:i + 3] != '-->':
+ self.handle_data('<')
+ self.override_comment_update = True
+ return
self.handle_empty_tag('<!--{}-->'.format(data), is_block=True)
+ def updatepos(self, i: int, j: int) -> int:
+ if self.override_comment_update:
+ self.override_comment_update = False
+ i = 0
+ j = 1
+ return super().updatepos(i, j)
+
def handle_decl(self, data):
self.handle_empty_tag('<!{}>'.format(data), is_block=True)
@@ -259,7 +274,11 @@ class HTMLExtractor(htmlparser.HTMLParser):
if self.rawdata[i:i+3] == '<![' and not self.rawdata[i:i+9] == '<![CDATA[':
# We have encountered the bug in #1534 (Python bug `gh-77057`).
# Provide an override until we drop support for Python < 3.13.
- return self.parse_bogus_comment(i)
+ result = self.parse_bogus_comment(i)
+ if result == -1:
+ self.handle_data(self.rawdata[i:i + 1])
+ return i + 1
+ return result
return super().parse_html_declaration(i)
# This is not the beginning of a raw block so treat as plain data
# and avoid consuming any tags which may follow (see #1066).
@@ -280,7 +299,8 @@ class HTMLExtractor(htmlparser.HTMLParser):
self.__starttag_text = None
endpos = self.check_for_whole_start_tag(i)
if endpos < 0:
- return endpos
+ self.handle_data(self.rawdata[i:i + 1])
+ return i + 1
rawdata = self.rawdata
self.__starttag_text = rawdata[i:endpos]
--
2.54.0
From 3ed20571a3b27f865c181419eb0f50b15e142927 Mon Sep 17 00:00:00 2001
From: David King <dking@redhat.com>
Date: Tue, 28 Apr 2026 16:57:49 +0100
Subject: [PATCH 3/3] Backport upstream 3.10.1 to 3.10.2 fixes
---
markdown/htmlparser.py | 92 +++++++++++++++----
markdown/inlinepatterns.py | 8 +-
tests/test_syntax/blocks/test_html_blocks.py | 97 ++++++++++++++++++--
3 files changed, 172 insertions(+), 25 deletions(-)
diff --git a/markdown/htmlparser.py b/markdown/htmlparser.py
index e9fe1e4..9cdc05f 100644
--- a/markdown/htmlparser.py
+++ b/markdown/htmlparser.py
@@ -24,6 +24,9 @@ import importlib
import sys
+# Included for versions which do not have current comment fix
+commentclose = re.compile(r'--!?>')
+
# Import a copy of the html.parser lib as `htmlparser` so we can monkeypatch it.
# Users can still do `from html import parser` and get the default behavior.
spec = importlib.util.find_spec('html.parser')
@@ -31,6 +34,12 @@ htmlparser = importlib.util.module_from_spec(spec)
spec.loader.exec_module(htmlparser)
sys.modules['htmlparser'] = htmlparser
+# This is a hack. We are sneaking in `</>` so we can capture it without the HTML parser
+# throwing it away. When we see it, we will process it as data.
+htmlparser.starttagopen = re.compile('<[a-zA-Z]|</>')
+
+htmlparser.endtagopen = re.compile('</[a-zA-Z]?')
+
# Monkeypatch HTMLParser to only accept `?>` to close Processing Instructions.
htmlparser.piclose = re.compile(r'\?>')
# Monkeypatch HTMLParser to only recognize entity references with a closing semicolon.
@@ -55,12 +64,52 @@ htmlparser.locatestarttagend_tolerant = re.compile(r"""
)?
\s* # trailing whitespace
""", re.VERBOSE)
+# Monkeypatch `locatetagend` if it exists (Python 3.14+) to also reject backticks.
+if hasattr(htmlparser, 'locatetagend'):
+ htmlparser.locatetagend = re.compile(r"""
+ [a-zA-Z][^`\t\n\r\f />\x00]* # tag name <= added backtick here
+ [\t\n\r\f /]* # optional whitespace before attribute name
+ (?:(?<=['"\t\n\r\f /])[^`\t\n\r\f />][^`\t\n\r\f /=>]* # attribute name <= added backtick here
+ (?:[\t\n\r\f ]*=[\t\n\r\f ]* # value indicator
+ (?:'[^']*' # LITA-enclosed value
+ |"[^"]*" # LIT-enclosed value
+ |(?!['"])[^`>\t\n\r\f ]* # bare value <= added backtick here
+ )
+ )?
+ [\t\n\r\f /]* # possibly followed by a space
+ )*
+ >?
+ """, re.VERBOSE)
# Match a blank line at the start of a block of text (two newlines).
# The newlines may be preceded by additional whitespace.
blank_line_re = re.compile(r'^([ ]*\n){2}')
+class _HTMLParser(htmlparser.HTMLParser):
+ """Handle special start and end tags."""
+
+ def parse_endtag(self, i):
+ start = self.rawdata[i:i+3]
+ c = ord(start[-1])
+ if len(start) < 3 or not (65 <= c <= 90 or 97 <= c <= 122):
+ self.handle_data(self.rawdata[i:i + 2])
+ return i + 2
+ return super().parse_endtag(i)
+
+ def parse_starttag(self, i): # pragma: no cover
+ # Treat `</>` as normal data as it is not a real tag.
+ if self.rawdata[i:i + 3] == '</>':
+ self.handle_data(self.rawdata[i:i + 3])
+ return i + 3
+
+ return super().parse_starttag(i)
+
+
+# Overwrite our custom one for people like MkDocs that pull it in
+htmlparser.HTMLParser = _HTMLParser
+
+
class HTMLExtractor(htmlparser.HTMLParser):
"""
Extract raw HTML from text.
@@ -76,8 +125,6 @@ class HTMLExtractor(htmlparser.HTMLParser):
# Block tags that should contain no content (self closing)
self.empty_tags = set(['hr'])
- self.override_comment_update = False
-
# This calls self.reset
super().__init__(*args, **kwargs)
self.md = md
@@ -235,22 +282,9 @@ class HTMLExtractor(htmlparser.HTMLParser):
def handle_entityref(self, name):
self.handle_empty_tag('&{};'.format(name), is_block=False)
- def handle_comment(self, data: str):
- # Check if the comment is unclosed, if so, we need to override position
- i = self.line_offset + self.offset + len(data) + 4
- if self.rawdata[i:i + 3] != '-->':
- self.handle_data('<')
- self.override_comment_update = True
- return
+ def handle_comment(self, data):
self.handle_empty_tag('<!--{}-->'.format(data), is_block=True)
- def updatepos(self, i: int, j: int) -> int:
- if self.override_comment_update:
- self.override_comment_update = False
- i = 0
- j = 1
- return super().updatepos(i, j)
-
def handle_decl(self, data):
self.handle_empty_tag('<!{}>'.format(data), is_block=True)
@@ -269,6 +303,18 @@ class HTMLExtractor(htmlparser.HTMLParser):
self.handle_data('<?')
return i + 2
+ def parse_comment(self, i, report=True):
+ rawdata = self.rawdata
+ assert rawdata.startswith('<!--', i), 'unexpected call to parse_comment()'
+ match = commentclose.search(rawdata, i+4)
+ if not match:
+ self.handle_data('<')
+ return i + 1
+ if report:
+ j = match.start()
+ self.handle_comment(rawdata[i+4: j])
+ return match.end()
+
def parse_html_declaration(self, i):
if self.at_line_start() or self.intail:
if self.rawdata[i:i+3] == '<![' and not self.rawdata[i:i+9] == '<![CDATA[':
@@ -285,6 +331,15 @@ class HTMLExtractor(htmlparser.HTMLParser):
self.handle_data('<!')
return i + 2
+ def parse_bogus_comment(self, i, report=0):
+ # Override the default behavior so that bogus comments get passed
+ # through unaltered by setting `report` to `0` (see #1425).
+ pos = super().parse_bogus_comment(i, report)
+ if pos == -1: # pragma: no cover
+ return -1
+ self.handle_empty_tag(self.rawdata[i:pos], is_block=False)
+ return pos
+
# The rest has been copied from base class in standard lib to address #1036.
# As __startag_text is private, all references to it must be in this subclass.
# The last few lines of parse_starttag are reversed so that handle_starttag
@@ -296,6 +351,11 @@ class HTMLExtractor(htmlparser.HTMLParser):
return self.__starttag_text
def parse_starttag(self, i): # pragma: no cover
+ # Treat `</>` as normal data as it is not a real tag.
+ if self.rawdata[i:i + 3] == '</>':
+ self.handle_data(self.rawdata[i:i + 3])
+ return i + 3
+
self.__starttag_text = None
endpos = self.check_for_whole_start_tag(i)
if endpos < 0:
diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py
index b0621a8..66a59d3 100644
--- a/markdown/inlinepatterns.py
+++ b/markdown/inlinepatterns.py
@@ -163,7 +163,13 @@ AUTOLINK_RE = r'<((?:[Ff]|[Hh][Tt])[Tt][Pp][Ss]?://[^<>]*)>'
AUTOMAIL_RE = r'<([^<> !]*@[^@<> ]*)>'
# <...>
-HTML_RE = r'(<([a-zA-Z/][^<>]*|!--(?:(?!<!--|-->).)*--)>)'
+HTML_RE = (
+ r'(<(\/?[a-zA-Z][^<>@ ]*( [^<>]*)?|'
+ r'!--(?:(?!<!--|-->).)*--|'
+ r'[?](?:(?!<[?]|[?]>).)*[?]|'
+ r'!\[CDATA\[(?:(?!<!\[CDATA\[|\]\]>).)*\]\]'
+ ')>)'
+)
# "&#38;" (decimal) or "&#x26;" (hex) or "&amp;" (named)
ENTITY_RE = r'(&(?:\#[0-9]+|\#x[0-9a-fA-F]+|[a-zA-Z0-9]+);)'
diff --git a/tests/test_syntax/blocks/test_html_blocks.py b/tests/test_syntax/blocks/test_html_blocks.py
index 76d21af..2a5d5f4 100644
--- a/tests/test_syntax/blocks/test_html_blocks.py
+++ b/tests/test_syntax/blocks/test_html_blocks.py
@@ -782,16 +782,10 @@ class TestHTMLBlocks(TestCase):
'<!-- *foo* -->'
)
- # Note: this is a change in behavior for Python-Markdown, which does *not* match the reference
- # implementation. However, it does match the HTML5 spec. Declarations must start with either
- # `<!DOCTYPE` or `<![`. Anything else that starts with `<!` is a comment. According to the
- # HTML5 spec, a comment without the hyphens is a "bogus comment", but a comment nonetheless.
- # See https://www.w3.org/TR/html52/syntax.html#markup-declaration-open-state.
- # If we wanted to change this behavior, we could override `HTMLParser.parse_bogus_comment()`.
def test_bogus_comment(self):
self.assertMarkdownRenders(
- '<!*foo*>',
- '<!--*foo*-->'
+ '<!invalid>',
+ '<p>&lt;!invalid&gt;</p>'
)
def test_raw_multiline_comment(self):
@@ -1624,3 +1618,90 @@ class TestHTMLBlocks(TestCase):
placeholder = md.htmlStash.get_placeholder(md.htmlStash.html_counter + 1)
result = md.postprocessors['raw_html'].run(placeholder)
self.assertEqual(placeholder, result)
+
+ def test_bogus_comment_endtag(self):
+ self.assertMarkdownRenders(
+ '</#invalid>',
+ '<p>&lt;/#invalid&gt;</p>'
+ )
+
+ def test_issue_1590(self):
+ """Test case with comments in table for issue #1590."""
+
+ self.assertMarkdownRenders(
+ self.dedent(
+ '''
+ <table>
+ <!--[if mso]>-->
+ <td>foo</td>
+ <!--<!endif]-->
+ <td>bar</td>
+ </table>
+ '''
+ ),
+ self.dedent(
+ '''
+ <table>
+ <!--[if mso]>-->
+ <td>foo</td>
+ <!--<!endif]-->
+ <td>bar</td>
+ </table>
+ '''
+ )
+ )
+
+ def test_stress_comment_handling(self):
+ """Stress test the comment handling."""
+
+ self.assertMarkdownRenders(
+ self.dedent(
+ '''
+ `</` <!-- `<!--[if mso]>` and <!-- </> and `<!--[if mso]>`
+
+ <!-- and <!-- `<!--[if mso]>` and </> `</` and `<!--[if mso]>`
+
+ <!-- Real comment -->
+
+ `<!--[if mso]>` `</` `<!--[if mso]>` and </> <!-- and <!--
+
+ </> `<!--[if mso]>` `</` <!-- and <!-- and `<!--[if mso]>`
+ '''
+ ),
+ self.dedent(
+ '''
+ <p><code>&lt;/</code> &lt;!-- <code>&lt;!--[if mso]&gt;</code> and &lt;!-- &lt;/&gt; and <code>&lt;!--[if mso]&gt;</code></p>
+ <p>&lt;!-- and &lt;!-- <code>&lt;!--[if mso]&gt;</code> and &lt;/&gt; <code>&lt;/</code> and <code>&lt;!--[if mso]&gt;</code></p>
+ <!-- Real comment -->
+ <p><code>&lt;!--[if mso]&gt;</code> <code>&lt;/</code> <code>&lt;!--[if mso]&gt;</code> and &lt;/&gt; &lt;!-- and &lt;!--</p>
+ <p>&lt;/&gt; <code>&lt;!--[if mso]&gt;</code> <code>&lt;/</code> &lt;!-- and &lt;!-- and <code>&lt;!--[if mso]&gt;</code></p>
+ ''' # noqa: E501
+ )
+ )
+
+ def test_unclosed_endtag(self):
+ """Ensure unclosed end tag does not have side effects."""
+
+ self.assertMarkdownRenders(
+ self.dedent(
+ '''
+ `</`
+
+ <div>
+ <!--[if mso]>-->
+ <p>foo</p>
+ <!--<!endif]-->
+ </div>
+ '''
+ ),
+ self.dedent(
+ '''
+ <p><code>&lt;/</code></p>
+ <div>
+ <!--[if mso]>-->
+ <p>foo</p>
+ <!--<!endif]-->
+ </div>
+ '''
+ )
+ )
--
2.54.0

7
python-markdown.spec
View File

@ -3,11 +3,13 @@
Name: python-%{pkgname}
Version: 3.3.4
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Markdown implementation in Python
License: BSD
URL: https://python-markdown.github.io/
Source0: %{pypi_source}
# https://redhat.atlassian.net/browse/RHEL-153747
Patch0: python-markdown-3.3.4-fix-CVE-2025-69534.patch
BuildArch: noarch
%description
@ -65,6 +67,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} \
%changelog
* Mon Mar 30 2026 David King <dking@redhat.com> - 3.3.4-5
- Fix CVE-2025-69534 (RHEL-153747)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.4-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688