|
|
4055cc |
From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001
|
|
|
4055cc |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
4055cc |
Date: Thu, 3 Dec 2020 11:53:15 +0100
|
|
|
4055cc |
Subject: [PATCH] CVE-2020-27783
|
|
|
4055cc |
|
|
|
4055cc |
Combines fixes for the CVE from two versions:
|
|
|
4055cc |
- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
|
|
|
4055cc |
- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
|
|
|
4055cc |
---
|
|
|
4055cc |
src/lxml/html/clean.py | 25 +++++++++++++++++--------
|
|
|
4055cc |
src/lxml/html/tests/test_clean.py | 21 +++++++++++++++++++++
|
|
|
4055cc |
src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
|
|
|
4055cc |
3 files changed, 48 insertions(+), 10 deletions(-)
|
|
|
4055cc |
|
|
|
4055cc |
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
|
|
|
4055cc |
index aa9fc57..15298b5 100644
|
|
|
4055cc |
--- a/src/lxml/html/clean.py
|
|
|
4055cc |
+++ b/src/lxml/html/clean.py
|
|
|
4055cc |
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
|
|
|
4055cc |
|
|
|
4055cc |
# This is an IE-specific construct you can have in a stylesheet to
|
|
|
4055cc |
# run some Javascript:
|
|
|
4055cc |
-_css_javascript_re = re.compile(
|
|
|
4055cc |
- r'expression\s*\(.*?\)', re.S|re.I)
|
|
|
4055cc |
+_replace_css_javascript = re.compile(
|
|
|
4055cc |
+ r'expression\s*\(.*?\)', re.S|re.I).sub
|
|
|
4055cc |
|
|
|
4055cc |
# Do I have to worry about @\nimport?
|
|
|
4055cc |
-_css_import_re = re.compile(
|
|
|
4055cc |
- r'@\s*import', re.I)
|
|
|
4055cc |
+_replace_css_import = re.compile(
|
|
|
4055cc |
+ r'@\s*import', re.I).sub
|
|
|
4055cc |
+
|
|
|
4055cc |
+_looks_like_tag_content = re.compile(
|
|
|
4055cc |
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
|
|
|
4055cc |
|
|
|
4055cc |
# All kinds of schemes besides just javascript: that can cause
|
|
|
4055cc |
# execution:
|
|
|
4055cc |
@@ -292,8 +295,8 @@ class Cleaner(object):
|
|
|
4055cc |
if not self.inline_style:
|
|
|
4055cc |
for el in _find_styled_elements(doc):
|
|
|
4055cc |
old = el.get('style')
|
|
|
4055cc |
- new = _css_javascript_re.sub('', old)
|
|
|
4055cc |
- new = _css_import_re.sub('', new)
|
|
|
4055cc |
+ new = _replace_css_javascript('', old)
|
|
|
4055cc |
+ new = _replace_css_import('', new)
|
|
|
4055cc |
if self._has_sneaky_javascript(new):
|
|
|
4055cc |
# Something tricky is going on...
|
|
|
4055cc |
del el.attrib['style']
|
|
|
4055cc |
@@ -305,9 +308,9 @@ class Cleaner(object):
|
|
|
4055cc |
el.drop_tree()
|
|
|
4055cc |
continue
|
|
|
4055cc |
old = el.text or ''
|
|
|
4055cc |
- new = _css_javascript_re.sub('', old)
|
|
|
4055cc |
+ new = _replace_css_javascript('', old)
|
|
|
4055cc |
# The imported CSS can do anything; we just can't allow:
|
|
|
4055cc |
- new = _css_import_re.sub('', old)
|
|
|
4055cc |
+ new = _replace_css_import('', new)
|
|
|
4055cc |
if self._has_sneaky_javascript(new):
|
|
|
4055cc |
# Something tricky is going on...
|
|
|
4055cc |
el.text = '/* deleted */'
|
|
|
4055cc |
@@ -509,6 +512,12 @@ class Cleaner(object):
|
|
|
4055cc |
return True
|
|
|
4055cc |
if 'expression(' in style:
|
|
|
4055cc |
return True
|
|
|
4055cc |
+ if '
|
|
|
4055cc |
+ # e.g. '">'
|
|
|
4055cc |
+ return True
|
|
|
4055cc |
+ if _looks_like_tag_content(style):
|
|
|
4055cc |
+ # e.g. '<math><style></style></math>'
|
|
|
4055cc |
+ return True
|
|
|
4055cc |
return False
|
|
|
4055cc |
|
|
|
4055cc |
def clean_html(self, html):
|
|
|
4055cc |
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
|
|
4055cc |
index a193d99..ea7487c 100644
|
|
|
4055cc |
--- a/src/lxml/html/tests/test_clean.py
|
|
|
4055cc |
+++ b/src/lxml/html/tests/test_clean.py
|
|
|
4055cc |
@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):
|
|
|
4055cc |
self.assertEqual('child', clean_html(s).text_content())
|
|
|
4055cc |
|
|
|
4055cc |
|
|
|
4055cc |
+ def test_sneaky_noscript_in_style(self):
|
|
|
4055cc |
+ # This gets parsed as ..."</style>
|
|
|
4055cc |
+ # thus passing the through into the output.
|
|
|
4055cc |
+ html = '">'
|
|
|
4055cc |
+ s = lxml.html.fragment_fromstring(html)
|
|
|
4055cc |
+
|
|
|
4055cc |
+ self.assertEqual(
|
|
|
4055cc |
+ b'',
|
|
|
4055cc |
+ lxml.html.tostring(clean_html(s)))
|
|
|
4055cc |
+
|
|
|
4055cc |
+ def test_sneaky_js_in_math_style(self):
|
|
|
4055cc |
+ # This gets parsed as <math> -> <style>"..."</style>
|
|
|
4055cc |
+ # thus passing any tag/script/whatever content through into the output.
|
|
|
4055cc |
+ html = '<math><style></style></math>'
|
|
|
4055cc |
+ s = lxml.html.fragment_fromstring(html)
|
|
|
4055cc |
+
|
|
|
4055cc |
+ self.assertEqual(
|
|
|
4055cc |
+ b'<math><style>/* deleted */</style></math>',
|
|
|
4055cc |
+ lxml.html.tostring(clean_html(s)))
|
|
|
4055cc |
+
|
|
|
4055cc |
+
|
|
|
4055cc |
def test_suite():
|
|
|
4055cc |
suite = unittest.TestSuite()
|
|
|
4055cc |
suite.addTests([make_doctest('test_clean.txt')])
|
|
|
4055cc |
diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
|
|
|
4055cc |
index 2824f64..7df1f1d 100644
|
|
|
4055cc |
--- a/src/lxml/html/tests/test_clean.txt
|
|
|
4055cc |
+++ b/src/lxml/html/tests/test_clean.txt
|
|
|
4055cc |
@@ -104,7 +104,11 @@
|
|
|
4055cc |
>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
|
|
|
4055cc |
<html>
|
|
|
4055cc |
<head>
|
|
|
4055cc |
- <style>/* deleted */</style>
|
|
|
4055cc |
+ <style>
|
|
|
4055cc |
+ body {background-image: url()};
|
|
|
4055cc |
+ div {background-image: url()};
|
|
|
4055cc |
+ div {color: };
|
|
|
4055cc |
+ </style>
|
|
|
4055cc |
</head>
|
|
|
4055cc |
<body>
|
|
|
4055cc |
a link
|
|
|
4055cc |
@@ -168,7 +172,11 @@
|
|
|
4055cc |
<link rel="alternate" type="text/rss" src="evil-rss">
|
|
|
4055cc |
<link rel="alternate" type="text/rss" href="http://example.com">
|
|
|
4055cc |
<link rel="stylesheet" type="text/rss" href="http://example.com">
|
|
|
4055cc |
- <style>/* deleted */</style>
|
|
|
4055cc |
+ <style>
|
|
|
4055cc |
+ body {background-image: url()};
|
|
|
4055cc |
+ div {background-image: url()};
|
|
|
4055cc |
+ div {color: };
|
|
|
4055cc |
+ </style>
|
|
|
4055cc |
</head>
|
|
|
4055cc |
<body>
|
|
|
4055cc |
a link
|
|
|
4055cc |
--
|
|
|
4055cc |
2.28.0
|
|
|
4055cc |
|