Tree - rpms/python-lxml - CentOS Git server

rpms / python-lxml

Blame SOURCES/CVE-2020-27783.patch

Blob History Raw

		ee1835	`From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001`
		ee1835	`From: Lumir Balhar <lbalhar@redhat.com>`
		ee1835	`Date: Thu, 3 Dec 2020 11:53:15 +0100`
		ee1835	`Subject: [PATCH] CVE-2020-27783`
		ee1835
		ee1835	`Combines fixes for the CVE from two versions:`
		ee1835	`- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e`
		ee1835	`- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7`
		ee1835	`---`
		ee1835	`src/lxml/html/clean.py \| 25 +++++++++++++++++--------`
		ee1835	`src/lxml/html/tests/test_clean.py \| 21 +++++++++++++++++++++`
		ee1835	`src/lxml/html/tests/test_clean.txt \| 12 ++++++++++--`
		ee1835	`3 files changed, 48 insertions(+), 10 deletions(-)`
		ee1835
		ee1835	`diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py`
		ee1835	`index aa9fc57..15298b5 100644`
		ee1835	`--- a/src/lxml/html/clean.py`
		ee1835	`+++ b/src/lxml/html/clean.py`
		ee1835	`@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',`
		ee1835
		ee1835	`# This is an IE-specific construct you can have in a stylesheet to`
		ee1835	`# run some Javascript:`
		ee1835	`-_css_javascript_re = re.compile(`
		ee1835	`- r'expression\s\(.?\)', re.S\|re.I)`
		ee1835	`+_replace_css_javascript = re.compile(`
		ee1835	`+ r'expression\s\(.?\)', re.S\|re.I).sub`
		ee1835
		ee1835	`# Do I have to worry about @\nimport?`
		ee1835	`-_css_import_re = re.compile(`
		ee1835	`- r'@\s*import', re.I)`
		ee1835	`+_replace_css_import = re.compile(`
		ee1835	`+ r'@\s*import', re.I).sub`
		ee1835	`+`
		ee1835	`+_looks_like_tag_content = re.compile(`
		ee1835	`+ r'</?[a-zA-Z]+\|\son[a-zA-Z]+\s*=', re.ASCII).search`
		ee1835
		ee1835	`# All kinds of schemes besides just javascript: that can cause`
		ee1835	`# execution:`
		ee1835	`@@ -292,8 +295,8 @@ class Cleaner(object):`
		ee1835	`if not self.inline_style:`
		ee1835	`for el in _find_styled_elements(doc):`
		ee1835	`old = el.get('style')`
		ee1835	`- new = _css_javascript_re.sub('', old)`
		ee1835	`- new = _css_import_re.sub('', new)`
		ee1835	`+ new = _replace_css_javascript('', old)`
		ee1835	`+ new = _replace_css_import('', new)`
		ee1835	`if self._has_sneaky_javascript(new):`
		ee1835	`# Something tricky is going on...`
		ee1835	`del el.attrib['style']`
		ee1835	`@@ -305,9 +308,9 @@ class Cleaner(object):`
		ee1835	`el.drop_tree()`
		ee1835	`continue`
		ee1835	`old = el.text or ''`
		ee1835	`- new = _css_javascript_re.sub('', old)`
		ee1835	`+ new = _replace_css_javascript('', old)`
		ee1835	`# The imported CSS can do anything; we just can't allow:`
		ee1835	`- new = _css_import_re.sub('', old)`
		ee1835	`+ new = _replace_css_import('', new)`
		ee1835	`if self._has_sneaky_javascript(new):`
		ee1835	`# Something tricky is going on...`
		ee1835	`el.text = '/* deleted */'`
		ee1835	`@@ -509,6 +512,12 @@ class Cleaner(object):`
		ee1835	`return True`
		ee1835	`if 'expression(' in style:`
		ee1835	`return True`
		ee1835	`+ if '`
		ee1835	`+ # e.g. '">'`
		ee1835	`+ return True`
		ee1835	`+ if _looks_like_tag_content(style):`
		ee1835	`+ # e.g. '<math><style></style></math>'`
		ee1835	`+ return True`
		ee1835	`return False`
		ee1835
		ee1835	`def clean_html(self, html):`
		ee1835	`diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py`
		ee1835	`index a193d99..ea7487c 100644`
		ee1835	`--- a/src/lxml/html/tests/test_clean.py`
		ee1835	`+++ b/src/lxml/html/tests/test_clean.py`
		ee1835	`@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):`
		ee1835	`self.assertEqual('child', clean_html(s).text_content())`
		ee1835
		ee1835
		ee1835	`+ def test_sneaky_noscript_in_style(self):`
		ee1835	`+ # This gets parsed as ..."</style>`
		ee1835	`+ # thus passing the through into the output.`
		ee1835	`+ html = '">'`
		ee1835	`+ s = lxml.html.fragment_fromstring(html)`
		ee1835	`+`
		ee1835	`+ self.assertEqual(`
		ee1835	`+ b'',`
		ee1835	`+ lxml.html.tostring(clean_html(s)))`
		ee1835	`+`
		ee1835	`+ def test_sneaky_js_in_math_style(self):`
		ee1835	`+ # This gets parsed as <math> -> <style>"..."</style>`
		ee1835	`+ # thus passing any tag/script/whatever content through into the output.`
		ee1835	`+ html = '<math><style></style></math>'`
		ee1835	`+ s = lxml.html.fragment_fromstring(html)`
		ee1835	`+`
		ee1835	`+ self.assertEqual(`
		ee1835	`+ b'<math><style>/* deleted */</style></math>',`
		ee1835	`+ lxml.html.tostring(clean_html(s)))`
		ee1835	`+`
		ee1835	`+`
		ee1835	`def test_suite():`
		ee1835	`suite = unittest.TestSuite()`
		ee1835	`suite.addTests([make_doctest('test_clean.txt')])`
		ee1835	`diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt`
		ee1835	`index 2824f64..7df1f1d 100644`
		ee1835	`--- a/src/lxml/html/tests/test_clean.txt`
		ee1835	`+++ b/src/lxml/html/tests/test_clean.txt`
		ee1835	`@@ -104,7 +104,11 @@`
		ee1835	`>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))`
		ee1835	`<html>`
		ee1835	`<head>`
		ee1835	`- <style>/* deleted */</style>`
		ee1835	`+ <style>`
		ee1835	`+ body {background-image: url()};`
		ee1835	`+ div {background-image: url()};`
		ee1835	`+ div {color: };`
		ee1835	`+ </style>`
		ee1835	`</head>`
		ee1835	`<body>`
		ee1835	`a link`
		ee1835	`@@ -168,7 +172,11 @@`
		ee1835	`<link rel="alternate" type="text/rss" src="evil-rss">`
		ee1835	`<link rel="alternate" type="text/rss" href="http://example.com">`
		ee1835	`<link rel="stylesheet" type="text/rss" href="http://example.com">`
		ee1835	`- <style>/* deleted */</style>`
		ee1835	`+ <style>`
		ee1835	`+ body {background-image: url()};`
		ee1835	`+ div {background-image: url()};`
		ee1835	`+ div {color: };`
		ee1835	`+ </style>`
		ee1835	`</head>`
		ee1835	`<body>`
		ee1835	`a link`
		ee1835	`--`
		ee1835	`2.28.0`
		ee1835

rpms / python-lxml

Source Code

Blame SOURCES/CVE-2020-27783.patch