From 094a9fdcd96fce4becb652ea11c20b2f5ef9afe3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2021 06:49:16 +0000 Subject: import python-lxml-4.2.3-2.el8 --- diff --git a/SOURCES/CVE-2020-27783.patch b/SOURCES/CVE-2020-27783.patch new file mode 100644 index 0000000..5d7baaf --- /dev/null +++ b/SOURCES/CVE-2020-27783.patch @@ -0,0 +1,121 @@ +diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py +index adc3f45..6f3f7de 100644 +--- a/src/lxml/html/clean.py ++++ b/src/lxml/html/clean.py +@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html', + + # This is an IE-specific construct you can have in a stylesheet to + # run some Javascript: +-_css_javascript_re = re.compile( +- r'expression\s*\(.*?\)', re.S|re.I) ++_replace_css_javascript = re.compile( ++ r'expression\s*\(.*?\)', re.S|re.I).sub + + # Do I have to worry about @\nimport? +-_css_import_re = re.compile( +- r'@\s*import', re.I) ++_replace_css_import = re.compile( ++ r'@\s*import', re.I).sub ++ ++_looks_like_tag_content = re.compile( ++ r'' ++ return True + return False + + def clean_html(self, html): +diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py +index 3bcaaf5..451eec2 100644 +--- a/src/lxml/html/tests/test_clean.py ++++ b/src/lxml/html/tests/test_clean.py +@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase): + s = lxml.html.fromstring('child') + self.assertEqual('child', clean_html(s).text_content()) + ++ def test_sneaky_noscript_in_style(self): ++ # This gets parsed as through into the output. ++ html = '', ++ lxml.html.tostring(clean_html(s))) ++ ++ def test_sneaky_js_in_math_style(self): ++ # This gets parsed as -> ++ # thus passing any tag/script/whatever content through into the output. ++ html = '' ++ s = lxml.html.fragment_fromstring(html) ++ ++ self.assertEqual( ++ b'', ++ lxml.html.tostring(clean_html(s))) ++ + + def test_suite(): + suite = unittest.TestSuite() +diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt +index c78ab4f..c901871 100644 +--- a/src/lxml/html/tests/test_clean.txt ++++ b/src/lxml/html/tests/test_clean.txt +@@ -104,7 +104,11 @@ + >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc)) + + +- ++ + + + a link +@@ -168,7 +172,11 @@ + + + +- ++ + + + a link diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec index 97519a2..6754ad8 100644 --- a/SPECS/python-lxml.spec +++ b/SPECS/python-lxml.spec @@ -9,13 +9,20 @@ Name: python-%{modname} Version: 4.2.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: XML processing library combining libxml2/libxslt with the ElementTree API License: BSD URL: http://lxml.de Source0: http://lxml.de/files/%{modname}-%{version}.tgz +# Fix for CVE-2020-27783: mXSS due to the use of improper parser +# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633 +# Two upstream commits combined: +# Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e +# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 +Patch0: CVE-2020-27783.patch + BuildRequires: gcc BuildRequires: libxml2-devel BuildRequires: libxslt-devel @@ -60,7 +67,7 @@ Recommends: python3-beautifulsoup4 Python 3 version. %prep -%autosetup -n %{modname}-%{version} +%autosetup -n %{modname}-%{version} -p1 %build export WITH_CYTHON=true @@ -96,6 +103,10 @@ export WITH_CYTHON=true %{python3_sitearch}/%{modname}-*.egg-info/ %changelog +* Tue Dec 08 2020 Charalampos Stratakis - 4.2.3-2 +- Security fix for CVE-2020-27783: mXSS due to the use of improper parser +Resolves: rhbz#1901633 + * Thu Aug 02 2018 Sebastian Kisela - 4.2.3-1 - New upstream release 4.2.3