%if 0%{?rhel} > 7

# Disable python2 build by default

%bcond_with python2

%else

%bcond_without python2

%endif

%global modname lxml

Name:           python-%{modname}

Version:        4.2.3

Release:        3%{?dist}

Summary:        XML processing library combining libxml2/libxslt with the ElementTree API

License:        BSD

URL:            http://lxml.de

Source0:        http://lxml.de/files/%{modname}-%{version}.tgz

# Fix for CVE-2020-27783: mXSS due to the use of improper parser

# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633

# Two upstream commits combined:

#   Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e

#   Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7

Patch0:         CVE-2020-27783.patch

# Fix for CVE-2021-28957: missing input sanitization

# for formaction HTML5 attributes which may lead to XSS

# Fixed upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d

Patch1: CVE-2021-28957.patch

BuildRequires:  gcc

BuildRequires:  libxml2-devel

BuildRequires:  libxslt-devel

%global _description \

lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It\

provides safe and convenient access to these libraries using the ElementTree It\

extends the ElementTree API significantly to offer support for XPath, RelaxNG,\

XML Schema, XSLT, C14N and much more.To contact the project, go to the project\

home page < or see our bug tracker at case you want to use the current ...

%description %{_description}

%if %{with python2}

%package -n     python2-%{modname}

Summary:        %{summary}

BuildRequires:  python2-devel

BuildRequires:  python2-setuptools

BuildRequires:  python2-Cython

Recommends:     python2-cssselect

Recommends:     python2-html5lib

Recommends:     python2-beautifulsoup4

%{?python_provide:%python_provide python2-%{modname}}

%description -n python2-%{modname} %{_description}

Python 2 version.

%endif # with python2

%package -n     python3-%{modname}

Summary:        %{summary}

BuildRequires:  python3-devel

BuildRequires:  python3-setuptools

BuildRequires:  python3-Cython

Recommends:     python3-cssselect

Recommends:     python3-html5lib

Recommends:     python3-beautifulsoup4

%{?python_provide:%python_provide python3-%{modname}}

%description -n python3-%{modname} %{_description}

Python 3 version.

%prep

%autosetup -n %{modname}-%{version} -p1

%build

export WITH_CYTHON=true

%if %{with python2}

%py2_build

%endif # with python2

%py3_build

%install

%if %{with python2}

%py2_install

%endif # with python2

%py3_install

%check

%if %{with python2}

%{__python2} setup.py test

%endif # with python2

%{__python3} setup.py test

%if %{with python2}

%files -n python2-%{modname}

%license doc/licenses/ZopePublicLicense.txt LICENSES.txt

%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt

%{python2_sitearch}/%{modname}/

%{python2_sitearch}/%{modname}-*.egg-info/

%endif # with python2

%files -n python3-%{modname}

%license doc/licenses/ZopePublicLicense.txt LICENSES.txt

%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt

%{python3_sitearch}/%{modname}/

%{python3_sitearch}/%{modname}-*.egg-info/

%changelog

* Wed Mar 24 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-3

- Security fix for CVE-2021-28957

Resolves: rhbz#1941534

* Tue Dec 08 2020 Charalampos Stratakis <cstratak@redhat.com> - 4.2.3-2

- Security fix for CVE-2020-27783: mXSS due to the use of improper parser

Resolves: rhbz#1901633

* Thu Aug 02 2018 Sebastian Kisela <skisela@redhat.com> - 4.2.3-1

- New upstream release 4.2.3

* Sun Jul 22 2018 Charalampos Stratakis <cstratak@redhat.com> - 4.1.1-3

- Conditionalize the python2 subpackage

* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Sun Nov 05 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.1.1-1

- Update to 4.1.1

* Tue Oct 10 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.0.0-2

- Conditionally allow building without Cython

* Thu Oct 05 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.0.0-1

- Update to 4.0.0

* Sat Aug 12 2017 Kevin Fenzi <kevin@scrye.com> - 3.8.0-1

- Update to 3.8.0. Fixes bug #1458529

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.2-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.2-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Jan 09 2017 Fabio Alessandro Locati <fale@fedoraproject.org> - 3.7.2-1

- Update to 3.7.2

* Sun Dec 25 2016 Fabio Alessandro Locati <fale@fedoraproject.org> - 3.7.1-1

- Update to 3.7.1

* Tue Dec 13 2016 Stratakis Charalampos <cstratak@redhat.com> - 3.7.0-2

- Rebuild for Python 3.6

* Sun Dec 11 2016 Fabio Alessandro Locati <fale@fedoraproject.org> - 3.7.0-1

- Update to 3.7.0

* Thu Sep 08 2016 Fabio Alessandro Locati <fale@fedoraproject.org> - 3.6.4-1

- Update to 3.6.4

* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.4.4-5

- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.4-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jan 21 2016 Dan Horák <dan[at]danny.cz> - 3.4.4-3

- fix conditional

* Fri Nov 06 2015 Robert Kuska <rkuska@redhat.com> - 3.4.4-2

- Rebuilt for Python3.5 rebuild

* Fri Aug 28 2015 Peter Robinson <pbrobinson@fedoraproject.org> 3.4.4-1

- Update to 3.4.4

- Use %%license, cleanup spec

* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.6-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Fri Aug 29 2014 Jeffrey C. Ollie <jeff@ocjtech.us> - 3.3.6-1

- 3.3.6 (2014-08-28)

- ==================

-

- Bugs fixed

- ----------

-

- * Prevent tree cycle creation when adding Elements as siblings.

-

- * LP#1361948: crash when deallocating Element siblings without parent.

-

- * LP#1354652: crash when traversing internally loaded documents in XSLT

-   extension functions.

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.5-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Wed May 14 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.5-2

- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4

* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.5-1

- 3.3.5 (2014-04-18)

- ==================

-

- Bugs fixed

- ----------

-

- * HTML cleaning could fail to strip javascript links that mix control

-   characters into the link scheme.

* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.4-1

- 3.3.4 (2014-04-03)

- ==================

-

- Features added

- --------------

-

- * Source line numbers above 65535 are available on Elements when

-   using libxml2 2.9 or later.

-

- Bugs fixed

- ----------

-

- * lxml.html.fragment_fromstring() failed for bytes input in Py3.

* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-4

- Fix macro definition

* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3

- Add python3-cssselect to correct package

* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3

- python3-cssselect is not available on F19

* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-2

- BZ#1075070  add requires and buildrequires for cssselect

* Tue Mar 11 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-1

- 3.3.3 (2014-03-04)

- ==================

-

- Bugs fixed

- ----------

-

- * LP#1287118: Crash when using Element subtypes with ``__slots__``.

-

- Other changes

- -------------

-

- * The internal classes ``_LogEntry`` and ``_Attrib`` can no longer be

-   subclassed from Python code.

* Tue Mar 11 2014 Alexander Todorov <atodorov@redhat.com> - 3.3.2-2

- Add check section #1075070

* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1

- 3.3.2 (2014-02-26)

- ==================

-

- Bugs fixed

- ----------

-

- * The properties ``resolvers`` and ``version``, as well as the methods

-   ``set_element_class_lookup()`` and ``makeelement()``, were lost from

-   ``iterparse`` objects.

-

- * LP#1222132: instances of ``XMLSchema``, ``Schematron`` and ``RelaxNG``

-   did not clear their local ``error_log`` before running a validation.

-

- * LP#1238500: lxml.doctestcompare mixed up "expected" and "actual" in

-   attribute values.

-

- * Some file I/O tests were failing in MS-Windows due to incorrect temp

-   file usage.  Initial patch by Gabi Davar.

-

- * LP#910014: duplicate IDs in a document were not reported by DTD

-   validation.

-

- * LP#1185332: ``tostring(method="html")`` did not use HTML serialisation

-   semantics for trailing tail text.  Initial patch by Sylvain Viollon.

-

- * LP#1281139: ``.attrib`` value of Comments lost its mutation methods

-   in 3.3.0.  Even though it is empty and immutable, it should still

-   provide the same interface as that returned for Elements.

* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1

- 3.3.1 (2014-02-12)

- ==================

-

- Bugs fixed

- ----------

-

- * LP#1014290: HTML documents parsed with ``parser.feed()`` failed to find

-   elements during tag iteration.

-

- * LP#1273709: Building in PyPy failed due to missing support for

-   ``PyUnicode_Compare()`` and ``PyByteArray_*()`` in PyPy's C-API.

-

- * LP#1274413: Compilation in MSVC failed due to missing "stdint.h" standard

-   header file.

-

- * LP#1274118: iterparse() failed to parse BOM prefixed files.

* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-2

- Update Cython requirement to >= 0.20

* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-1

- 3.3.0 (2014-01-26)

- ==================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * The heuristic that distinguishes file paths from URLs was tightened

-   to produce less false negatives.

-

- Other changes

- -------------

-

-

- 3.3.0beta5 (2014-01-18)

- =======================

-

- Features added

- --------------

-

- * The PEP 393 unicode parsing support gained a fallback for wchar strings

-   which might still be somewhat common on Windows systems.

-

- Bugs fixed

- ----------

-

- * Several error handling problems were fixed throughout the code base that

-   could previously lead to exceptions being silently swallowed or not

-   properly reported.

-

- * The C-API function ``appendChild()`` is now deprecated as it does not

-   propagate exceptions (its return type is ``void``).  The new function

-   ``appendChildToElement()`` was added as a safe replacement.

-

- * Passing a string into ``fromstringlist()`` raises an exception instead of

-   parsing the string character by character.

-

- Other changes

- -------------

-

- * Document cleanup code was simplified using the new GC features in

-   Cython 0.20.

-

-

- 3.3.0beta4 (2014-01-12)

- =======================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * The (empty) value returned by the ``attrib`` property of Entity and

-   Comment objects was mutable.

-

- * Element class lookup wasn't available for the new pull parsers or when

-   using a custom parser target.

-

- * Setting Element attributes on instantiation with both the ``attrib``

-   argument and keyword arguments could modify the mapping passed as

-   ``attrib``.

-

- * LP#1266171: DTDs instantiated from internal/external subsets (i.e.

-   through the docinfo property) lost their attribute declarations.

-

- Other changes

- -------------

-

- * Built with Cython 0.20pre (gitrev 012ae82eb) to prepare support for

-   Python 3.4.

-

-

- 3.3.0beta3 (2014-01-02)

- =======================

-

- Features added

- --------------

-

- * Unicode string parsing was optimised for Python 3.3 (PEP 393).

-

- Bugs fixed

- ----------

-

- * HTML parsing of Unicode strings could misdecode the input on some

-   platforms.

-

- * Crash in xmlfile() when closing open elements out of order in an error

-   case.

-

- Other changes

- -------------

-

-

- 3.3.0beta2 (2013-12-20)

- =======================

-

- Features added

- --------------

-

- * ``iterparse()`` supports the ``recover`` option.

-

- Bugs fixed

- ----------

-

- * Crash in ``iterparse()`` for HTML parsing.

-

- * Crash in target parsing with attributes.

-

- Other changes

- -------------

-

- * The safety check in the read-only tree implementation (e.g. used by

-   ``PythonElementClassLookup``) raises a more appropriate

-   ``ReferenceError`` for illegal access after tree disposal instead of

-   an ``AssertionError``. This should only impact test code that

-   specifically checks the original behaviour.

-

-

- 3.3.0beta1 (2013-12-12)

- =======================

-

- Features added

- --------------

-

- * New option ``handle_failures`` in ``make_links_absolute()`` and

-   ``resolve_base_href()`` (lxml.html) that enables ignoring or

-   discarding links that fail to parse as URLs.

-

- * New parser classes ``XMLPullParser`` and ``HTMLPullParser`` for

-   incremental parsing, as implemented for ElementTree in Python 3.4.

-

- * ``iterparse()`` enables recovery mode by default for HTML parsing

-   (``html=True``).

-

- Bugs fixed

- ----------

-

- * LP#1255132: crash when trying to run validation over non-Element (e.g.

-   comment or PI).

-

- * Error messages in the log and in exception messages that originated

-   from libxml2 could accidentally be picked up from preceding warnings

-   instead of the actual error.

-

- * The ``ElementMaker`` in lxml.objectify did not accept a dict as

-   argument for adding attributes to the element it's building. This

-   works as in lxml.builder now.

-

- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.

-

- * Raise ``ValueError`` when trying to append an Element to itself or

-   to one of its own descendants, instead of running into an infinite

-   loop.

-

- * LP#1206077: htmldiff discarded whitespace from the output.

-

- * Compressed plain-text serialisation to file-like objects was broken.

-

- * lxml.html.formfill: Fix textarea form filling.

-   The textarea used to be cleared before the new content was set,

-   which removed the name attribute.

-

- Other changes

- -------------

-

- * Some basic API classes use freelists internally for faster

-   instantiation.  This can speed up some ``iterparse()`` scenarios,

-   for example.

-

- * ``iterparse()`` was rewritten to use the new ``*PullParser``

-   classes internally instead of being a parser itself.

* Mon Nov 11 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.4-1

- 3.2.4 (2013-11-07)

- ==================

-

- Bugs fixed

- ----------

-

- * Memory leak when creating an XPath evaluator in a thread.

-

- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.

-

- * Raise ``ValueError`` when trying to append an Element to itself or

-   to one of its own descendants.

-

- * LP#1206077: htmldiff discarded whitespace from the output.

-

- * Compressed plain-text serialisation to file-like objects was broken.

* Wed Sep 18 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-2

- Add requirement for on python-cssselect for the python2 version

* Sun Jul 28 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-1

- and here's a version 3.2.3. The last release accidentally lost the ability

- to work on Python 2.4. There are no other changes over 3.2.2.

-

- 3.2.2 (2013-07-28)

- ==================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * LP#1185701: spurious XMLSyntaxError after finishing iterparse().

-

- * Crash in lxml.objectify during xsi annotation.

-

- Other changes

- -------------

-

- * Return values of user provided element class lookup methods are now

-   validated against the type of the XML node they represent to prevent

-   API class mismatches.

* Sun May 12 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.1-1

- 3.2.1 (2013-05-11)

- ==================

-

- Features added

- --------------

-

- * The methods ``apply_templates()`` and ``process_children()`` of XSLT

-   extension elements have gained two new boolean options ``elements_only``

-   and ``remove_blank_text`` that discard either all strings or

-   whitespace-only strings from the result list.

-

- Bugs fixed

- ----------

-

- * When moving Elements to another tree, the namespace cleanup mechanism

-   no longer drops namespace prefixes from attributes for which it finds

-   a default namespace declaration, to prevent them from appearing as

-   unnamespaced attributes after serialisation.

-

- * Returning non-type objects from a custom class lookup method could lead

-   to a crash.

-

- * Instantiating and using subtypes of Comments and ProcessingInstructions

-   crashed.

* Fri May 10 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.0-1

- 3.2.0 (2013-04-28)

- ==================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * LP#690319: Leading whitespace could change the behaviour of the string

-   parsing functions in ``lxml.html``.

-

- * LP#599318: The string parsing functions in ``lxml.html`` are more robust

-   in the face of uncommon HTML content like framesets or missing body tags.

-   Patch by Stefan Seelmann.

-

- * LP#712941: I/O errors while trying to access files with paths that

-   contain non-ASCII characters could raise ``UnicodeDecodeError`` instead

-   of properly reporting the ``IOError``.

-

- * LP#673205: Parsing from in-memory strings disabled network access in the

-   default parser and made subsequent attempts to parse from a URL fail.

-

- * LP#971754: lxml.html.clean appends 'nofollow' to 'rel' attributes instead

-   of overwriting the current value.

-

- * LP#715687: lxml.html.clean no longer discards scripts that are explicitly

-   allowed by the user provided whitelist.  Patch by Christine Koppelt.

-

- 3.1.2 (2013-04-12)

- ==================

-

- Bugs fixed

- ----------

-

- * LP#1136509: Passing attributes through the namespace-unaware API of

-   the sax bridge (i.e. the ``handler.startElement()`` method) failed

-   with a ``TypeError``.  Patch by Mike Bayer.

-

- * LP#1123074: Fix serialisation error in XSLT output when converting

-   the result tree to a Unicode string.

-

- * GH#105: Replace illegal usage of ``xmlBufLength()`` in libxml2 2.9.0

-   by properly exported API function ``xmlBufUse()``.

-

- 3.1.1 (2013-03-29)

- ==================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * LP#1160386: Write access to ``lxml.html.FormElement.fields`` raised

-   an AttributeError in Py3.

-

- * Illegal memory access during cleanup in incremental xmlfile writer.

-

- Other changes

- -------------

-

- * The externally useless class ``lxml.etree._BaseParser`` was removed

-   from the module dict.

* Fri Mar  8 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.1.0-1

- 3.1.0 (2013-02-10)

- ==================

-

- Features added

- --------------

-

- * GH#89: lxml.html.clean allows overriding the set of attributes that it

-   considers 'safe'.  Patch by Francis Devereux.

-

- Bugs fixed

- ----------

-

- * LP#1104370: ``copy.copy(el.attrib)`` raised an exception.  It now returns

-   a copy of the attributes as a plain Python dict.

-

- * GH#95: When used with namespace prefixes, the  ``el.find*()`` methods

-   always used the first namespace mapping that was provided for each

-   path expression instead of using the one that was actually passed

-   in for the current run.

-

- * LP#1092521, GH#91: Fix undefined C symbol in Python runtimes compiled

-   without threading support.  Patch by Ulrich Seidl.

-

- Other changes

- -------------

-

-

- 3.1beta1 (2012-12-21)

- =====================

-

- Features added

- --------------

-

- * New build-time option ``--with-unicode-strings`` for Python 2 that

-   makes the API always return Unicode strings for names and text

-   instead of byte strings for plain ASCII content.

-

- * New incremental XML file writing API ``etree.xmlfile()``.

-

- * E factory in lxml.objectify is callable to simplify the creation of

-   tags with non-identifier names without having to resort to getattr().

-

- Bugs fixed

- ----------

-

- * When starting from a non-namespaced element in lxml.objectify, searching

-   for a child without explicitly specifying a namespace incorrectly found

-   namespaced elements with the requested local name, instead of restricting

-   the search to non-namespaced children.

-

- * GH#85: Deprecation warnings were fixed for Python 3.x.

-

- * GH#33: lxml.html.fromstring() failed to accept bytes input in Py3.

-

- * LP#1080792: Static build of libxml2 2.9.0 failed due to missing file.

-

- Other changes

- -------------

-

- * The externally useless class ``_ObjectifyElementMakerCaller`` was

-   removed from the module API of lxml.objectify.

-

- * LP#1075622: lxml.builder is faster for adding text to elements with

-   many children.  Patch by Anders Hammarquist.

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Mon Oct 15 2012 Jeffrey Ollie <jeff@ocjtech.us> - 3.0.1-1

- 3.0.1 (2012-10-14)

- Bugs fixed

-

-  * LP#1065924: Element proxies could disappear during garbage collection

-    in PyPy without proper cleanup.

-  * GH#71: Failure to work with libxml2 2.6.x.

-  * LP#1065139: static MacOS-X build failed in Py3.

* Wed Oct 10 2012 Jeffrey Ollie <jeff@ocjtech.us> - 3.0-1

- 3.0 (2012-10-08)

- ================

-

- Features added

- --------------

-

- Bugs fixed

- ----------

-

- * End-of-file handling was incorrect in iterparse() when reading from

-   a low-level C file stream and failed in libxml2 2.9.0 due to its

-   improved consistency checks.

-

- Other changes

- -------------