Fix CVE-2021-28957

missing input sanitization for formaction HTML5 attributes may lead to XSS Resolves: rhbz#1941535
2021-05-21 14:31:06 +02:00 · 2021-05-21 14:31:06 +02:00 · 420dc55c3e
parent ae540ddc4b
commit 420dc55c3e
2 changed files with 49 additions and 1 deletions
--- a/0003-Fix-CVE-2021-28957.patch
+++ b/0003-Fix-CVE-2021-28957.patch
@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index b21a113..e40c808 100644
+--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+     'usemap',
+     # Not standard:
+     'dynsrc', 'lowsrc',
+    # HTML5 formaction
+    'formaction'
+     ])
+ 
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index a193d99..87b7220 100644
+--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
+@@ -68,6 +68,21 @@ class CleanerTest(unittest.TestCase):
+         s = lxml.html.fromstring('<invalid tag>child</another>')
+         self.assertEqual('child', clean_html(s).text_content())
+ 
+    def test_formaction_attribute_in_button_input(self):
+        # The formaction attribute overrides the form's action and should be
+        # treated as a malicious link attribute
+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+        '<button form="test" formaction="javascript:alert(1)">X</button>')
+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+        '<button form="test" formaction="">X</button></div>')
+        cleaner = Cleaner(
+            forms=False,
+            safe_attrs_only=False,
+        )
+        self.assertEqual(
+            expected,
+            cleaner.clean_html(html))
+
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
--- a/python-lxml.spec
+++ b/python-lxml.spec
@ -2,7 +2,7 @@

 Name:           python-%{modname}
 Version:        4.5.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API

 License:        BSD
@ -11,6 +11,11 @@ Source0:        https://lxml.de/files/%{modname}-%{version}.tgz
 Patch0001:      https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch
 Patch0002:      0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch

+# Fix for CVE-2021-28957:
+# missing input sanitization for formaction HTML5 attributes may lead to XSS
+# Resolved upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch0003:      0003-Fix-CVE-2021-28957.patch
+
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
@ -59,6 +64,10 @@ env WITH_CYTHON=true %py3_build
 %{python3_sitearch}/%{modname}-*.egg-info/

 %changelog
+* Fri May 21 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.5.1-4
+- Fix CVE-2021-28957: missing input sanitization for formaction HTML5 attributes may lead to XSS
+- Resolves: rhbz#1941535
+
 * Fri Dec 18 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.1-3
 - Fix mXSS vulnerability due to the use of improper parser
 - Resolves: CVE-2020-27783