Tree - rpms/python-lxml - CentOS Git server

rpms / python-lxml

Blame SOURCES/CVE-2020-27783.patch

Blob History Raw

		cadca9	`From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001`
		cadca9	`From: Lumir Balhar <lbalhar@redhat.com>`
		cadca9	`Date: Thu, 3 Dec 2020 11:53:15 +0100`
		cadca9	`Subject: [PATCH] CVE-2020-27783`
		cadca9
		cadca9	`Combines fixes for the CVE from two versions:`
		cadca9	`- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e`
		cadca9	`- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7`
		cadca9	`---`
		cadca9	`src/lxml/html/clean.py \| 25 +++++++++++++++++--------`
		cadca9	`src/lxml/html/tests/test_clean.py \| 21 +++++++++++++++++++++`
		cadca9	`src/lxml/html/tests/test_clean.txt \| 12 ++++++++++--`
		cadca9	`3 files changed, 48 insertions(+), 10 deletions(-)`
		cadca9
		cadca9	`diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py`
		cadca9	`index aa9fc57..15298b5 100644`
		cadca9	`--- a/src/lxml/html/clean.py`
		cadca9	`+++ b/src/lxml/html/clean.py`
		cadca9	`@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',`
		cadca9
		cadca9	`# This is an IE-specific construct you can have in a stylesheet to`
		cadca9	`# run some Javascript:`
		cadca9	`-_css_javascript_re = re.compile(`
		cadca9	`- r'expression\s\(.?\)', re.S\|re.I)`
		cadca9	`+_replace_css_javascript = re.compile(`
		cadca9	`+ r'expression\s\(.?\)', re.S\|re.I).sub`
		cadca9
		cadca9	`# Do I have to worry about @\nimport?`
		cadca9	`-_css_import_re = re.compile(`
		cadca9	`- r'@\s*import', re.I)`
		cadca9	`+_replace_css_import = re.compile(`
		cadca9	`+ r'@\s*import', re.I).sub`
		cadca9	`+`
		cadca9	`+_looks_like_tag_content = re.compile(`
		cadca9	`+ r'</?[a-zA-Z]+\|\son[a-zA-Z]+\s*=', re.ASCII).search`
		cadca9
		cadca9	`# All kinds of schemes besides just javascript: that can cause`
		cadca9	`# execution:`
		cadca9	`@@ -292,8 +295,8 @@ class Cleaner(object):`
		cadca9	`if not self.inline_style:`
		cadca9	`for el in _find_styled_elements(doc):`
		cadca9	`old = el.get('style')`
		cadca9	`- new = _css_javascript_re.sub('', old)`
		cadca9	`- new = _css_import_re.sub('', new)`
		cadca9	`+ new = _replace_css_javascript('', old)`
		cadca9	`+ new = _replace_css_import('', new)`
		cadca9	`if self._has_sneaky_javascript(new):`
		cadca9	`# Something tricky is going on...`
		cadca9	`del el.attrib['style']`
		cadca9	`@@ -305,9 +308,9 @@ class Cleaner(object):`
		cadca9	`el.drop_tree()`
		cadca9	`continue`
		cadca9	`old = el.text or ''`
		cadca9	`- new = _css_javascript_re.sub('', old)`
		cadca9	`+ new = _replace_css_javascript('', old)`
		cadca9	`# The imported CSS can do anything; we just can't allow:`
		cadca9	`- new = _css_import_re.sub('', old)`
		cadca9	`+ new = _replace_css_import('', new)`
		cadca9	`if self._has_sneaky_javascript(new):`
		cadca9	`# Something tricky is going on...`
		cadca9	`el.text = '/* deleted */'`
		cadca9	`@@ -509,6 +512,12 @@ class Cleaner(object):`
		cadca9	`return True`
		cadca9	`if 'expression(' in style:`
		cadca9	`return True`
		cadca9	`+ if '`
		cadca9	`+ # e.g. '">'`
		cadca9	`+ return True`
		cadca9	`+ if _looks_like_tag_content(style):`
		cadca9	`+ # e.g. '<math><style></style></math>'`
		cadca9	`+ return True`
		cadca9	`return False`
		cadca9
		cadca9	`def clean_html(self, html):`
		cadca9	`diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py`
		cadca9	`index a193d99..ea7487c 100644`
		cadca9	`--- a/src/lxml/html/tests/test_clean.py`
		cadca9	`+++ b/src/lxml/html/tests/test_clean.py`
		cadca9	`@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):`
		cadca9	`self.assertEqual('child', clean_html(s).text_content())`
		cadca9
		cadca9
		cadca9	`+ def test_sneaky_noscript_in_style(self):`
		cadca9	`+ # This gets parsed as ..."</style>`
		cadca9	`+ # thus passing the through into the output.`
		cadca9	`+ html = '">'`
		cadca9	`+ s = lxml.html.fragment_fromstring(html)`
		cadca9	`+`
		cadca9	`+ self.assertEqual(`
		cadca9	`+ b'',`
		cadca9	`+ lxml.html.tostring(clean_html(s)))`
		cadca9	`+`
		cadca9	`+ def test_sneaky_js_in_math_style(self):`
		cadca9	`+ # This gets parsed as <math> -> <style>"..."</style>`
		cadca9	`+ # thus passing any tag/script/whatever content through into the output.`
		cadca9	`+ html = '<math><style></style></math>'`
		cadca9	`+ s = lxml.html.fragment_fromstring(html)`
		cadca9	`+`
		cadca9	`+ self.assertEqual(`
		cadca9	`+ b'<math><style>/* deleted */</style></math>',`
		cadca9	`+ lxml.html.tostring(clean_html(s)))`
		cadca9	`+`
		cadca9	`+`
		cadca9	`def test_suite():`
		cadca9	`suite = unittest.TestSuite()`
		cadca9	`suite.addTests([make_doctest('test_clean.txt')])`
		cadca9	`diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt`
		cadca9	`index 2824f64..7df1f1d 100644`
		cadca9	`--- a/src/lxml/html/tests/test_clean.txt`
		cadca9	`+++ b/src/lxml/html/tests/test_clean.txt`
		cadca9	`@@ -104,7 +104,11 @@`
		cadca9	`>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))`
		cadca9	`<html>`
		cadca9	`<head>`
		cadca9	`- <style>/* deleted */</style>`
		cadca9	`+ <style>`
		cadca9	`+ body {background-image: url()};`
		cadca9	`+ div {background-image: url()};`
		cadca9	`+ div {color: };`
		cadca9	`+ </style>`
		cadca9	`</head>`
		cadca9	`<body>`
		cadca9	`a link`
		cadca9	`@@ -168,7 +172,11 @@`
		cadca9	`<link rel="alternate" type="text/rss" src="evil-rss">`
		cadca9	`<link rel="alternate" type="text/rss" href="http://example.com">`
		cadca9	`<link rel="stylesheet" type="text/rss" href="http://example.com">`
		cadca9	`- <style>/* deleted */</style>`
		cadca9	`+ <style>`
		cadca9	`+ body {background-image: url()};`
		cadca9	`+ div {background-image: url()};`
		cadca9	`+ div {color: };`
		cadca9	`+ </style>`
		cadca9	`</head>`
		cadca9	`<body>`
		cadca9	`a link`
		cadca9	`--`
		cadca9	`2.28.0`
		cadca9

rpms / python-lxml

Source Code

Blame SOURCES/CVE-2020-27783.patch