Fix CVE-2021-28957
missing input sanitization for formaction HTML5 attributes may lead to XSS Resolves: rhbz#1941535
This commit is contained in:
parent
ae540ddc4b
commit
420dc55c3e
|
@ -0,0 +1,39 @@
|
||||||
|
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
|
||||||
|
index b21a113..e40c808 100644
|
||||||
|
--- a/src/lxml/html/defs.py
|
||||||
|
+++ b/src/lxml/html/defs.py
|
||||||
|
@@ -21,6 +21,8 @@ link_attrs = frozenset([
|
||||||
|
'usemap',
|
||||||
|
# Not standard:
|
||||||
|
'dynsrc', 'lowsrc',
|
||||||
|
+ # HTML5 formaction
|
||||||
|
+ 'formaction'
|
||||||
|
])
|
||||||
|
|
||||||
|
# Not in the HTML 4 spec:
|
||||||
|
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
||||||
|
index a193d99..87b7220 100644
|
||||||
|
--- a/src/lxml/html/tests/test_clean.py
|
||||||
|
+++ b/src/lxml/html/tests/test_clean.py
|
||||||
|
@@ -68,6 +68,21 @@ class CleanerTest(unittest.TestCase):
|
||||||
|
s = lxml.html.fromstring('<invalid tag>child</another>')
|
||||||
|
self.assertEqual('child', clean_html(s).text_content())
|
||||||
|
|
||||||
|
+ def test_formaction_attribute_in_button_input(self):
|
||||||
|
+ # The formaction attribute overrides the form's action and should be
|
||||||
|
+ # treated as a malicious link attribute
|
||||||
|
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
|
||||||
|
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
|
||||||
|
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
|
||||||
|
+ '<button form="test" formaction="">X</button></div>')
|
||||||
|
+ cleaner = Cleaner(
|
||||||
|
+ forms=False,
|
||||||
|
+ safe_attrs_only=False,
|
||||||
|
+ )
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ expected,
|
||||||
|
+ cleaner.clean_html(html))
|
||||||
|
+
|
||||||
|
|
||||||
|
def test_suite():
|
||||||
|
suite = unittest.TestSuite()
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Name: python-%{modname}
|
Name: python-%{modname}
|
||||||
Version: 4.5.1
|
Version: 4.5.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
|
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -11,6 +11,11 @@ Source0: https://lxml.de/files/%{modname}-%{version}.tgz
|
||||||
Patch0001: https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch
|
Patch0001: https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch
|
||||||
Patch0002: 0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch
|
Patch0002: 0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch
|
||||||
|
|
||||||
|
# Fix for CVE-2021-28957:
|
||||||
|
# missing input sanitization for formaction HTML5 attributes may lead to XSS
|
||||||
|
# Resolved upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
|
||||||
|
Patch0003: 0003-Fix-CVE-2021-28957.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: libxml2-devel
|
BuildRequires: libxml2-devel
|
||||||
BuildRequires: libxslt-devel
|
BuildRequires: libxslt-devel
|
||||||
|
@ -59,6 +64,10 @@ env WITH_CYTHON=true %py3_build
|
||||||
%{python3_sitearch}/%{modname}-*.egg-info/
|
%{python3_sitearch}/%{modname}-*.egg-info/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 21 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.5.1-4
|
||||||
|
- Fix CVE-2021-28957: missing input sanitization for formaction HTML5 attributes may lead to XSS
|
||||||
|
- Resolves: rhbz#1941535
|
||||||
|
|
||||||
* Fri Dec 18 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.1-3
|
* Fri Dec 18 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.1-3
|
||||||
- Fix mXSS vulnerability due to the use of improper parser
|
- Fix mXSS vulnerability due to the use of improper parser
|
||||||
- Resolves: CVE-2020-27783
|
- Resolves: CVE-2020-27783
|
||||||
|
|
Loading…
Reference in New Issue