rpms/yelp-xsl
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
yelp-xsl/yelp-xsl-CVE-2025-3155.patch
David King a54d4e10d7 Fix CVE-2025-3155 (RHEL-85922) 
Resolves: RHEL-85922
2025-05-12 16:50:57 +01:00

94 lines
3.6 KiB
Diff
Raw Permalink Blame History

From 2ac7afdcb1bab54fb4e6d5dc9a719659fc9ad87e Mon Sep 17 00:00:00 2001
From: Shaun McCance <shaunm@redhat.com>
Date: Fri, 18 Apr 2025 11:31:18 -0400
Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
---
xslt/common/html.xsl | 41 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl
index b59984aa..5d8e0d40 100644
--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
@@ -225,6 +225,17 @@ prefix the base file name itself.
<xsl:param name="html.output.prefix" select="''"/>
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
+
<!--**==========================================================================
html.output
Create an HTML output file.
@@ -819,6 +830,11 @@ dimensions. All parameters can be automatically computed if not provided.
</xsl:call-template>
</xsl:param>
<style type="text/css">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.css.content">
<xsl:with-param name="node" select="$node"/>
<xsl:with-param name="direction" select="$direction"/>
@@ -2000,6 +2016,11 @@ copy, override this template and provide the necessary files.
<xsl:param name="node" select="."/>
<xsl:if test="$node//mml:*[1]">
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:attribute name="src">
<xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
</xsl:attribute>
@@ -2023,6 +2044,11 @@ result of *{html.js.content} to that file.
<xsl:template name="html.js.script">
<xsl:param name="node" select="."/>
<script type="text/javascript">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
<xsl:call-template name="html.js.content">
<xsl:with-param name="node" select="$node"/>
</xsl:call-template>
@@ -2469,8 +2495,19 @@ on all #{code} elements with #{"syntax"} in the class value.
<xsl:template name="html.js.syntax">
<xsl:param name="node" select="."/>
<xsl:if test="$html.syntax.highlight">
- <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script>
- <script><![CDATA[
+ <script type="text/javascript" src="{$html.js.root}highlight.pack.js">
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if>
+ </script>
+ <script>
+ <xsl:if test="$html.csp.nonce">
+ <xsl:attribute name="nonce">
+ <xsl:value-of select="$html.csp.nonce" />
+ </xsl:attribute>
+ </xsl:if><![CDATA[
document.addEventListener('DOMContentLoaded', function() {
var matches = document.querySelectorAll('code.syntax')
for (var i = 0; i < matches.length; i++) {
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink