From cbe7f90e4bd286863e56bfe5b6ac182d69906155 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 30 2021 15:46:58 +0000 Subject: import python-lxml-4.2.3-4.module+el8.4.0+9319+a932af88 --- diff --git a/SOURCES/CVE-2020-27783.patch b/SOURCES/CVE-2020-27783.patch new file mode 100644 index 0000000..75e619a --- /dev/null +++ b/SOURCES/CVE-2020-27783.patch @@ -0,0 +1,147 @@ +From 725268a12dacbb153dacf9d8cc22cfe37ff230ff Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Wed, 6 Jan 2021 10:20:09 +0100 +Subject: [PATCH] CVE-2020-27783 + +--- + src/lxml/html/clean.py | 29 ++++++++++++++++++++--------- + src/lxml/html/tests/test_clean.py | 20 ++++++++++++++++++++ + src/lxml/html/tests/test_clean.txt | 12 ++++++++++-- + 3 files changed, 50 insertions(+), 11 deletions(-) + +diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py +index adc3f45..0492fca 100644 +--- a/src/lxml/html/clean.py ++++ b/src/lxml/html/clean.py +@@ -4,8 +4,9 @@ Removes unwanted tags and content. See the `Cleaner` class for + details. + """ + +-import re + import copy ++import re ++import sys + try: + from urlparse import urlsplit + except ImportError: +@@ -61,12 +62,16 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html', + + # This is an IE-specific construct you can have in a stylesheet to + # run some Javascript: +-_css_javascript_re = re.compile( +- r'expression\s*\(.*?\)', re.S|re.I) ++_replace_css_javascript = re.compile( ++ r'expression\s*\(.*?\)', re.S|re.I).sub + + # Do I have to worry about @\nimport? +-_css_import_re = re.compile( +- r'@\s*import', re.I) ++_replace_css_import = re.compile( ++ r'@\s*import', re.I).sub ++ ++_looks_like_tag_content = re.compile( ++ r'= 3 else ())).search + + # All kinds of schemes besides just javascript: that can cause + # execution: +@@ -292,8 +297,8 @@ class Cleaner(object): + if not self.inline_style: + for el in _find_styled_elements(doc): + old = el.get('style') +- new = _css_javascript_re.sub('', old) +- new = _css_import_re.sub('', new) ++ new = _replace_css_javascript('', old) ++ new = _replace_css_import('', new) + if self._has_sneaky_javascript(new): + # Something tricky is going on... + del el.attrib['style'] +@@ -305,9 +310,9 @@ class Cleaner(object): + el.drop_tree() + continue + old = el.text or '' +- new = _css_javascript_re.sub('', old) ++ new = _replace_css_javascript('', old) + # The imported CSS can do anything; we just can't allow: +- new = _css_import_re.sub('', old) ++ new = _replace_css_import('', new) + if self._has_sneaky_javascript(new): + # Something tricky is going on... + el.text = '/* deleted */' +@@ -509,6 +514,12 @@ class Cleaner(object): + return True + if 'expression(' in style: + return True ++ if '' ++ return True + return False + + def clean_html(self, html): +diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py +index 3bcaaf5..451eec2 100644 +--- a/src/lxml/html/tests/test_clean.py ++++ b/src/lxml/html/tests/test_clean.py +@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase): + s = lxml.html.fromstring('child') + self.assertEqual('child', clean_html(s).text_content()) + ++ def test_sneaky_noscript_in_style(self): ++ # This gets parsed as through into the output. ++ html = '', ++ lxml.html.tostring(clean_html(s))) ++ ++ def test_sneaky_js_in_math_style(self): ++ # This gets parsed as -> ++ # thus passing any tag/script/whatever content through into the output. ++ html = '' ++ s = lxml.html.fragment_fromstring(html) ++ ++ self.assertEqual( ++ b'', ++ lxml.html.tostring(clean_html(s))) ++ + + def test_suite(): + suite = unittest.TestSuite() +diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt +index c78ab4f..c901871 100644 +--- a/src/lxml/html/tests/test_clean.txt ++++ b/src/lxml/html/tests/test_clean.txt +@@ -104,7 +104,11 @@ + >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc)) + + +- ++ + + + a link +@@ -168,7 +172,11 @@ + + + +- ++ + + + a link +-- +2.29.2 + diff --git a/SPECS/python-lxml.spec b/SPECS/python-lxml.spec index 6477a83..51cb0a2 100644 --- a/SPECS/python-lxml.spec +++ b/SPECS/python-lxml.spec @@ -11,13 +11,22 @@ Name: python-%{modname} Version: 4.2.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: XML processing library combining libxml2/libxslt with the ElementTree API License: BSD URL: http://lxml.de Source0: http://lxml.de/files/%{modname}-%{version}.tgz +# Fix for CVE-2020-27783: mXSS due to the use of improper parser +# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901633 +# Two upstream commits combined: +# Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e +# Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 +# + one workaround for Python2, where `re.ASCII` is the default mode +# https://github.com/lxml/lxml/commit/4cb57362deb23bca0f70f41ab1efa13390fcdbb1 +Patch0: CVE-2020-27783.patch + BuildRequires: gcc BuildRequires: libxml2-devel BuildRequires: libxslt-devel @@ -64,7 +73,7 @@ Python 3 version. %endif # with python3 %prep -%autosetup -n %{modname}-%{version} +%autosetup -n %{modname}-%{version} -p1 %build export WITH_CYTHON=true @@ -109,6 +118,10 @@ export WITH_CYTHON=true %changelog +* Tue Dec 08 2020 Charalampos Stratakis - 4.2.3-4 +- Security fix for CVE-2020-27783: mXSS due to the use of improper parser +Resolves: rhbz#1901633 + * Thu Apr 25 2019 Tomas Orsava - 4.2.3-3 - Bumping due to problems with modular RPM upgrade path - Resolves: rhbz#1695587