Tree - rpms/rh-python38-python-lxml

rpms / rh-python38-python-lxml

Blame SOURCES/CVE-2020-27783.patch

Blob History Raw

		4055cc	`From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001`
		4055cc	`From: Lumir Balhar <lbalhar@redhat.com>`
		4055cc	`Date: Thu, 3 Dec 2020 11:53:15 +0100`
		4055cc	`Subject: [PATCH] CVE-2020-27783`
		4055cc
		4055cc	`Combines fixes for the CVE from two versions:`
		4055cc	`- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e`
		4055cc	`- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7`
		4055cc	`---`
		4055cc	`src/lxml/html/clean.py \| 25 +++++++++++++++++--------`
		4055cc	`src/lxml/html/tests/test_clean.py \| 21 +++++++++++++++++++++`
		4055cc	`src/lxml/html/tests/test_clean.txt \| 12 ++++++++++--`
		4055cc	`3 files changed, 48 insertions(+), 10 deletions(-)`
		4055cc
		4055cc	`diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py`
		4055cc	`index aa9fc57..15298b5 100644`
		4055cc	`--- a/src/lxml/html/clean.py`
		4055cc	`+++ b/src/lxml/html/clean.py`
		4055cc	`@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',`
		4055cc
		4055cc	`# This is an IE-specific construct you can have in a stylesheet to`
		4055cc	`# run some Javascript:`
		4055cc	`-_css_javascript_re = re.compile(`
		4055cc	`- r'expression\s\(.?\)', re.S\|re.I)`
		4055cc	`+_replace_css_javascript = re.compile(`
		4055cc	`+ r'expression\s\(.?\)', re.S\|re.I).sub`
		4055cc
		4055cc	`# Do I have to worry about @\nimport?`
		4055cc	`-_css_import_re = re.compile(`
		4055cc	`- r'@\s*import', re.I)`
		4055cc	`+_replace_css_import = re.compile(`
		4055cc	`+ r'@\s*import', re.I).sub`
		4055cc	`+`
		4055cc	`+_looks_like_tag_content = re.compile(`
		4055cc	`+ r'</?[a-zA-Z]+\|\son[a-zA-Z]+\s*=', re.ASCII).search`
		4055cc
		4055cc	`# All kinds of schemes besides just javascript: that can cause`
		4055cc	`# execution:`
		4055cc	`@@ -292,8 +295,8 @@ class Cleaner(object):`
		4055cc	`if not self.inline_style:`
		4055cc	`for el in _find_styled_elements(doc):`
		4055cc	`old = el.get('style')`
		4055cc	`- new = _css_javascript_re.sub('', old)`
		4055cc	`- new = _css_import_re.sub('', new)`
		4055cc	`+ new = _replace_css_javascript('', old)`
		4055cc	`+ new = _replace_css_import('', new)`
		4055cc	`if self._has_sneaky_javascript(new):`
		4055cc	`# Something tricky is going on...`
		4055cc	`del el.attrib['style']`
		4055cc	`@@ -305,9 +308,9 @@ class Cleaner(object):`
		4055cc	`el.drop_tree()`
		4055cc	`continue`
		4055cc	`old = el.text or ''`
		4055cc	`- new = _css_javascript_re.sub('', old)`
		4055cc	`+ new = _replace_css_javascript('', old)`
		4055cc	`# The imported CSS can do anything; we just can't allow:`
		4055cc	`- new = _css_import_re.sub('', old)`
		4055cc	`+ new = _replace_css_import('', new)`
		4055cc	`if self._has_sneaky_javascript(new):`
		4055cc	`# Something tricky is going on...`
		4055cc	`el.text = '/* deleted */'`
		4055cc	`@@ -509,6 +512,12 @@ class Cleaner(object):`
		4055cc	`return True`
		4055cc	`if 'expression(' in style:`
		4055cc	`return True`
		4055cc	`+ if '`
		4055cc	`+ # e.g. '">'`
		4055cc	`+ return True`
		4055cc	`+ if _looks_like_tag_content(style):`
		4055cc	`+ # e.g. '<math><style></style></math>'`
		4055cc	`+ return True`
		4055cc	`return False`
		4055cc
		4055cc	`def clean_html(self, html):`
		4055cc	`diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py`
		4055cc	`index a193d99..ea7487c 100644`
		4055cc	`--- a/src/lxml/html/tests/test_clean.py`
		4055cc	`+++ b/src/lxml/html/tests/test_clean.py`
		4055cc	`@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):`
		4055cc	`self.assertEqual('child', clean_html(s).text_content())`
		4055cc
		4055cc
		4055cc	`+ def test_sneaky_noscript_in_style(self):`
		4055cc	`+ # This gets parsed as ..."</style>`
		4055cc	`+ # thus passing the through into the output.`
		4055cc	`+ html = '">'`
		4055cc	`+ s = lxml.html.fragment_fromstring(html)`
		4055cc	`+`
		4055cc	`+ self.assertEqual(`
		4055cc	`+ b'',`
		4055cc	`+ lxml.html.tostring(clean_html(s)))`
		4055cc	`+`
		4055cc	`+ def test_sneaky_js_in_math_style(self):`
		4055cc	`+ # This gets parsed as <math> -> <style>"..."</style>`
		4055cc	`+ # thus passing any tag/script/whatever content through into the output.`
		4055cc	`+ html = '<math><style></style></math>'`
		4055cc	`+ s = lxml.html.fragment_fromstring(html)`
		4055cc	`+`
		4055cc	`+ self.assertEqual(`
		4055cc	`+ b'<math><style>/* deleted */</style></math>',`
		4055cc	`+ lxml.html.tostring(clean_html(s)))`
		4055cc	`+`
		4055cc	`+`
		4055cc	`def test_suite():`
		4055cc	`suite = unittest.TestSuite()`
		4055cc	`suite.addTests([make_doctest('test_clean.txt')])`
		4055cc	`diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt`
		4055cc	`index 2824f64..7df1f1d 100644`
		4055cc	`--- a/src/lxml/html/tests/test_clean.txt`
		4055cc	`+++ b/src/lxml/html/tests/test_clean.txt`
		4055cc	`@@ -104,7 +104,11 @@`
		4055cc	`>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))`
		4055cc	`<html>`
		4055cc	`<head>`
		4055cc	`- <style>/* deleted */</style>`
		4055cc	`+ <style>`
		4055cc	`+ body {background-image: url()};`
		4055cc	`+ div {background-image: url()};`
		4055cc	`+ div {color: };`
		4055cc	`+ </style>`
		4055cc	`</head>`
		4055cc	`<body>`
		4055cc	`a link`
		4055cc	`@@ -168,7 +172,11 @@`
		4055cc	`<link rel="alternate" type="text/rss" src="evil-rss">`
		4055cc	`<link rel="alternate" type="text/rss" href="http://example.com">`
		4055cc	`<link rel="stylesheet" type="text/rss" href="http://example.com">`
		4055cc	`- <style>/* deleted */</style>`
		4055cc	`+ <style>`
		4055cc	`+ body {background-image: url()};`
		4055cc	`+ div {background-image: url()};`
		4055cc	`+ div {color: };`
		4055cc	`+ </style>`
		4055cc	`</head>`
		4055cc	`<body>`
		4055cc	`a link`
		4055cc	`--`
		4055cc	`2.28.0`
		4055cc

rpms / rh-python38-python-lxml

Source Code

Blame SOURCES/CVE-2020-27783.patch