rpms
/
python-lxml
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import python-lxml-4.4.1-7.module_el8+613+9956a23f

Browse Source
i8c-stream-3.8_bootstrap changed/i8c-stream-3.8_bootstrap/python-lxml-4.4.1-7.module_el8+613+9956a23f
MSVSphere Packaging Team 9 months ago
commit b6c102aff4
6 changed files with 1939 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/lxml-4.4.1.tgz

1
.python-lxml.metadata
Unescape View File

@ -0,0 +1 @@
96e0239b6524cb376f4f4d440e84da82691d278a SOURCES/lxml-4.4.1.tgz

139
SOURCES/CVE-2020-27783.patch
Unescape View File

@ -0,0 +1,139 @@
From db649273fd6a2e3a624545b6fd14e8d8029198f8 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 3 Dec 2020 11:53:15 +0100
Subject: [PATCH] CVE-2020-27783
Combines fixes for the CVE from two versions:
- Version 4.6.1: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e
- Version 4.6.2: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
---
src/lxml/html/clean.py | 25 +++++++++++++++++--------
src/lxml/html/tests/test_clean.py | 21 +++++++++++++++++++++
src/lxml/html/tests/test_clean.txt | 12 ++++++++++--
3 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index aa9fc57..15298b5 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
# This is an IE-specific construct you can have in a stylesheet to
# run some Javascript:
-_css_javascript_re = re.compile(
- r'expression\s*\(.*?\)', re.S|re.I)
+_replace_css_javascript = re.compile(
+ r'expression\s*\(.*?\)', re.S|re.I).sub
# Do I have to worry about @\nimport?
-_css_import_re = re.compile(
- r'@\s*import', re.I)
+_replace_css_import = re.compile(
+ r'@\s*import', re.I).sub
+
+_looks_like_tag_content = re.compile(
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
# All kinds of schemes besides just javascript: that can cause
# execution:
@@ -292,8 +295,8 @@ class Cleaner(object):
if not self.inline_style:
for el in _find_styled_elements(doc):
old = el.get('style')
- new = _css_javascript_re.sub('', old)
- new = _css_import_re.sub('', new)
+ new = _replace_css_javascript('', old)
+ new = _replace_css_import('', new)
if self._has_sneaky_javascript(new):
# Something tricky is going on...
del el.attrib['style']
@@ -305,9 +308,9 @@ class Cleaner(object):
el.drop_tree()
continue
old = el.text or ''
- new = _css_javascript_re.sub('', old)
+ new = _replace_css_javascript('', old)
# The imported CSS can do anything; we just can't allow:
- new = _css_import_re.sub('', old)
+ new = _replace_css_import('', new)
if self._has_sneaky_javascript(new):
# Something tricky is going on...
el.text = '/* deleted */'
@@ -509,6 +512,12 @@ class Cleaner(object):
return True
if 'expression(' in style:
return True
+ if '</noscript' in style:
+ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ return True
+ if _looks_like_tag_content(style):
+ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
+ return True
return False
def clean_html(self, html):
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index a193d99..ea7487c 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -69,6 +69,27 @@ class CleanerTest(unittest.TestCase):
self.assertEqual('child', clean_html(s).text_content())
+ def test_sneaky_noscript_in_style(self):
+ # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
+ # thus passing the </noscript> through into the output.
+ html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<noscript><style>/* deleted */</style></noscript>',
+ lxml.html.tostring(clean_html(s)))
+
+ def test_sneaky_js_in_math_style(self):
+ # This gets parsed as <math> -> <style>"..."</style>
+ # thus passing any tag/script/whatever content through into the output.
+ html = '<math><style><img src=x onerror=alert(1)></style></math>'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<math><style>/* deleted */</style></math>',
+ lxml.html.tostring(clean_html(s)))
+
+
def test_suite():
suite = unittest.TestSuite()
suite.addTests([make_doctest('test_clean.txt')])
diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
index 2824f64..7df1f1d 100644
--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
@@ -104,7 +104,11 @@
>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
<html>
<head>
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
</head>
<body>
<a href="">a link</a>
@@ -168,7 +172,11 @@
<link rel="alternate" type="text/rss" src="evil-rss">
<link rel="alternate" type="text/rss" href="http://example.com">
<link rel="stylesheet" type="text/rss" href="http://example.com">
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
</head>
<body>
<a href="">a link</a>
--
2.28.0

39
SOURCES/CVE-2021-28957.patch
Unescape View File

@ -0,0 +1,39 @@
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index caf6b21..ea3c016 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -21,6 +21,8 @@ link_attrs = frozenset([
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 451eec2..e40cdad 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()

127
SOURCES/CVE-2021-43818.patch
Unescape View File

@ -0,0 +1,127 @@
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index 15298b5..ee2f0f8 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -73,18 +73,25 @@ _looks_like_tag_content = re.compile(
# All kinds of schemes besides just javascript: that can cause
# execution:
-_is_image_dataurl = re.compile(
- r'^data:image/.+;base64', re.I).search
+_find_image_dataurls = re.compile(
+ r'^data:image/(.+);base64,', re.I).findall
_is_possibly_malicious_scheme = re.compile(
- r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
- re.I).search
+ r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
+ re.I).findall
+# SVG images can contain script content
+_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
+
def _is_javascript_scheme(s):
- if _is_image_dataurl(s):
- return None
- return _is_possibly_malicious_scheme(s)
+ is_image_url = False
+ for image_type in _find_image_dataurls(s):
+ is_image_url = True
+ if _is_unsafe_image_type(image_type):
+ return True
+ if is_image_url:
+ return False
+ return bool(_is_possibly_malicious_scheme(s))
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
-# FIXME: should data: be blocked?
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
_conditional_comment_re = re.compile(
@@ -512,6 +519,8 @@ class Cleaner(object):
return True
if 'expression(' in style:
return True
+ if '@import' in style:
+ return True
if '</noscript' in style:
# e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
return True
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index d8df527..7021e48 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -1,3 +1,5 @@
+import base64
+import gzip
import unittest
from lxml.tests.common_imports import make_doctest
@@ -89,6 +91,69 @@ class CleanerTest(unittest.TestCase):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_sneaky_import_in_style(self):
+ # Prevent "@@importimport" -> "@import" replacement.
+ style_codes = [
+ "@@importimport(extstyle.css)",
+ "@ @ import import(extstyle.css)",
+ "@ @ importimport(extstyle.css)",
+ "@@ import import(extstyle.css)",
+ "@ @import import(extstyle.css)",
+ "@@importimport()",
+ ]
+ for style_code in style_codes:
+ html = '<style>%s</style>' % style_code
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<style>/* deleted */</style>',
+ cleaned,
+ "%s -> %s" % (style_code, cleaned))
+
+ def test_svg_data_links(self):
+ # Remove SVG images with potentially insecure content.
+ svg = b'<svg onload="alert(123)" />'
+ svgz = gzip.compress(svg)
+ svg_b64 = base64.b64encode(svg).decode('ASCII')
+ svgz_b64 = base64.b64encode(svgz).decode('ASCII')
+ urls = [
+ "data:image/svg+xml;base64," + svg_b64,
+ "data:image/svg+xml-compressed;base64," + svgz_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<img src="">',
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
+ def test_image_data_links(self):
+ data = b'123'
+ data_b64 = base64.b64encode(data).decode('ASCII')
+ urls = [
+ "data:image/jpeg;base64," + data_b64,
+ "data:image/apng;base64," + data_b64,
+ "data:image/png;base64," + data_b64,
+ "data:image/gif;base64," + data_b64,
+ "data:image/webp;base64," + data_b64,
+ "data:image/bmp;base64," + data_b64,
+ "data:image/tiff;base64," + data_b64,
+ "data:image/x-icon;base64," + data_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ html.encode("UTF-8"),
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
def test_formaction_attribute_in_button_input(self):
# The formaction attribute overrides the form's action and should be
# treated as a malicious link attribute

1632
SPECS/python-lxml.spec
View File

File diff suppressed because it is too large Load Diff
Write Preview
Loading…
Cancel
Save