Tree - rpms/python-lxml - CentOS Git server

rpms / python-lxml

Blame SOURCES/CVE-2021-43818.patch

Blob History Raw

		cb6cf7	`diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py`
		cb6cf7	`index 15298b5..ee2f0f8 100644`
		cb6cf7	`--- a/src/lxml/html/clean.py`
		cb6cf7	`+++ b/src/lxml/html/clean.py`
		cb6cf7	`@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(`
		cb6cf7
		cb6cf7	`# All kinds of schemes besides just javascript: that can cause`
		cb6cf7	`# execution:`
		cb6cf7	`-_is_image_dataurl = re.compile(`
		cb6cf7	`- r'^data:image/.+;base64', re.I).search`
		cb6cf7	`+_find_image_dataurls = re.compile(`
		cb6cf7	`+ r'^data:image/(.+);base64,', re.I).findall`
		cb6cf7	`_is_possibly_malicious_scheme = re.compile(`
		cb6cf7	`- r'(?:javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):',`
		cb6cf7	`- re.I).search`
		cb6cf7	`+ r'(javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):',`
		cb6cf7	`+ re.I).findall`
		cb6cf7	`+# SVG images can contain script content`
		cb6cf7	`+_is_unsafe_image_type = re.compile(r"(xml\|svg)", re.I).findall`
		cb6cf7	`+`
		cb6cf7	`def _is_javascript_scheme(s):`
		cb6cf7	`- if _is_image_dataurl(s):`
		cb6cf7	`- return None`
		cb6cf7	`- return _is_possibly_malicious_scheme(s)`
		cb6cf7	`+ is_image_url = False`
		cb6cf7	`+ for image_type in _find_image_dataurls(s):`
		cb6cf7	`+ is_image_url = True`
		cb6cf7	`+ if _is_unsafe_image_type(image_type):`
		cb6cf7	`+ return True`
		cb6cf7	`+ if is_image_url:`
		cb6cf7	`+ return False`
		cb6cf7	`+ return bool(_is_possibly_malicious_scheme(s))`
		cb6cf7
		cb6cf7	`_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub`
		cb6cf7	`-# FIXME: should data: be blocked?`
		cb6cf7
		cb6cf7	`# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx`
		cb6cf7	`_conditional_comment_re = re.compile(`
		cb6cf7	`@@ -512,6 +519,8 @@ class Cleaner(object):`
		cb6cf7	`return True`
		cb6cf7	`if 'expression(' in style:`
		cb6cf7	`return True`
		cb6cf7	`+ if '@import' in style:`
		cb6cf7	`+ return True`
		cb6cf7	`if '`
		cb6cf7	`# e.g. '">'`
		cb6cf7	`return True`
		cb6cf7	`diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py`
		cb6cf7	`index d8df527..7021e48 100644`
		cb6cf7	`--- a/src/lxml/html/tests/test_clean.py`
		cb6cf7	`+++ b/src/lxml/html/tests/test_clean.py`
		cb6cf7	`@@ -1,3 +1,5 @@`
		cb6cf7	`+import base64`
		cb6cf7	`+import gzip`
		cb6cf7	`import unittest`
		cb6cf7	`from lxml.tests.common_imports import make_doctest`
		cb6cf7
		cb6cf7	`@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):`
		cb6cf7	`b'<math><style>/* deleted */</style></math>',`
		cb6cf7	`lxml.html.tostring(clean_html(s)))`
		cb6cf7
		cb6cf7	`+ def test_sneaky_import_in_style(self):`
		cb6cf7	`+ # Prevent "@@importimport" -> "@import" replacement.`
		cb6cf7	`+ style_codes = [`
		cb6cf7	`+ "@@importimport(extstyle.css)",`
		cb6cf7	`+ "@ @ import import(extstyle.css)",`
		cb6cf7	`+ "@ @ importimport(extstyle.css)",`
		cb6cf7	`+ "@@ import import(extstyle.css)",`
		cb6cf7	`+ "@ @import import(extstyle.css)",`
		cb6cf7	`+ "@@importimport()",`
		cb6cf7	`+ ]`
		cb6cf7	`+ for style_code in style_codes:`
		cb6cf7	`+ html = '<style>%s</style>' % style_code`
		cb6cf7	`+ s = lxml.html.fragment_fromstring(html)`
		cb6cf7	`+`
		cb6cf7	`+ cleaned = lxml.html.tostring(clean_html(s))`
		cb6cf7	`+ self.assertEqual(`
		cb6cf7	`+ b'<style>/* deleted */</style>',`
		cb6cf7	`+ cleaned,`
		cb6cf7	`+ "%s -> %s" % (style_code, cleaned))`
		cb6cf7	`+`
		cb6cf7	`+ def test_svg_data_links(self):`
		cb6cf7	`+ # Remove SVG images with potentially insecure content.`
		cb6cf7	`+ svg = b'<svg onload="alert(123)" />'`
		cb6cf7	`+ svgz = gzip.compress(svg)`
		cb6cf7	`+ svg_b64 = base64.b64encode(svg).decode('ASCII')`
		cb6cf7	`+ svgz_b64 = base64.b64encode(svgz).decode('ASCII')`
		cb6cf7	`+ urls = [`
		cb6cf7	`+ "data:image/svg+xml;base64," + svg_b64,`
		cb6cf7	`+ "data:image/svg+xml-compressed;base64," + svgz_b64,`
		cb6cf7	`+ ]`
		cb6cf7	`+ for url in urls:`
		cb6cf7	`+ html = '' % url`
		cb6cf7	`+ s = lxml.html.fragment_fromstring(html)`
		cb6cf7	`+`
		cb6cf7	`+ cleaned = lxml.html.tostring(clean_html(s))`
		cb6cf7	`+ self.assertEqual(`
		cb6cf7	`+ b'',`
		cb6cf7	`+ cleaned,`
		cb6cf7	`+ "%s -> %s" % (url, cleaned))`
		cb6cf7	`+`
		cb6cf7	`+ def test_image_data_links(self):`
		cb6cf7	`+ data = b'123'`
		cb6cf7	`+ data_b64 = base64.b64encode(data).decode('ASCII')`
		cb6cf7	`+ urls = [`
		cb6cf7	`+ "data:image/jpeg;base64," + data_b64,`
		cb6cf7	`+ "data:image/apng;base64," + data_b64,`
		cb6cf7	`+ "data:image/png;base64," + data_b64,`
		cb6cf7	`+ "data:image/gif;base64," + data_b64,`
		cb6cf7	`+ "data:image/webp;base64," + data_b64,`
		cb6cf7	`+ "data:image/bmp;base64," + data_b64,`
		cb6cf7	`+ "data:image/tiff;base64," + data_b64,`
		cb6cf7	`+ "data:image/x-icon;base64," + data_b64,`
		cb6cf7	`+ ]`
		cb6cf7	`+ for url in urls:`
		cb6cf7	`+ html = '' % url`
		cb6cf7	`+ s = lxml.html.fragment_fromstring(html)`
		cb6cf7	`+`
		cb6cf7	`+ cleaned = lxml.html.tostring(clean_html(s))`
		cb6cf7	`+ self.assertEqual(`
		cb6cf7	`+ html.encode("UTF-8"),`
		cb6cf7	`+ cleaned,`
		cb6cf7	`+ "%s -> %s" % (url, cleaned))`
		cb6cf7	`+`
		cb6cf7	`def test_formaction_attribute_in_button_input(self):`
		cb6cf7	`# The formaction attribute overrides the form's action and should be`
		cb6cf7	`# treated as a malicious link attribute`

rpms / python-lxml

Source Code

Blame SOURCES/CVE-2021-43818.patch