Fix CVE-2021-28957

missing input sanitization for formaction HTML5 attributes may lead to XSS

Resolves: rhbz#1941535

0001-Avoid-globally-overriding-the-libxml2-external-entit.patch

@@ -1,7 +1,7 @@
-From fa1d856cad369d0ac64323ddec14b02281491706 Mon Sep 17 00:00:00 2001
+From b90f1ec15cfd26684ef54eb19b536b010d6a740b Mon Sep 17 00:00:00 2001
 From: Stefan Behnel <stefan_ml@behnel.de>
 Date: Sat, 23 May 2020 09:34:22 +0200
-Subject: [PATCH] Avoid globally overriding the libxml2 external entity
+Subject: [PATCH 1/2] Avoid globally overriding the libxml2 external entity
  resolver and instead set it for each parser run. This improves the
  interoperability with other users of libxml2 in the system, such as
  libxmlsec.
@@ -18,7 +18,7 @@ Subject: [PATCH] Avoid globally overriding the libxml2 external entity
  8 files changed, 62 insertions(+), 11 deletions(-)
 
 diff --git a/CHANGES.txt b/CHANGES.txt
-index 30e805997..07afb641b 100644
+index 30e80599..07afb641 100644
 --- a/CHANGES.txt
 +++ b/CHANGES.txt
 @@ -2,6 +2,17 @@
@@ -40,7 +40,7 @@ index 30e805997..07afb641b 100644
  ==================
  
 diff --git a/src/lxml/dtd.pxi b/src/lxml/dtd.pxi
-index 595296546..5dcb80c46 100644
+index 59529654..5dcb80c4 100644
 --- a/src/lxml/dtd.pxi
 +++ b/src/lxml/dtd.pxi
 @@ -277,14 +277,20 @@ cdef class DTD(_Validator):
@@ -65,7 +65,7 @@ index 595296546..5dcb80c46 100644
              raise DTDParseError, u"either filename or external ID required"
  
 diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
-index 22620373c..3ed223bd5 100644
+index 22620373..3ed223bd 100644
 --- a/src/lxml/parser.pxi
 +++ b/src/lxml/parser.pxi
 @@ -502,7 +502,15 @@ cdef xmlparser.xmlParserInput* _local_resolver(const_char* c_url, const_char* c_
@@ -181,7 +181,7 @@ index 22620373c..3ed223bd5 100644
                  c_data += buffer_len
  
 diff --git a/src/lxml/relaxng.pxi b/src/lxml/relaxng.pxi
-index d161ce46e..6a82a295f 100644
+index d161ce46..6a82a295 100644
 --- a/src/lxml/relaxng.pxi
 +++ b/src/lxml/relaxng.pxi
 @@ -64,7 +64,9 @@ cdef class RelaxNG(_Validator):
@@ -195,7 +195,7 @@ index d161ce46e..6a82a295f 100644
                  _require_rnc2rng()
                  rng_data_utf8 = _utf8(_rnc2rng.dumps(_rnc2rng.load(file)))
 diff --git a/src/lxml/schematron.pxi b/src/lxml/schematron.pxi
-index af4ba7f01..dfd2cc05f 100644
+index af4ba7f0..dfd2cc05 100644
 --- a/src/lxml/schematron.pxi
 +++ b/src/lxml/schematron.pxi
 @@ -95,7 +95,9 @@ cdef class Schematron(_Validator):
@@ -219,7 +219,7 @@ index af4ba7f01..dfd2cc05f 100644
              schematron.xmlSchematronFreeParserCtxt(parser_ctxt)
  
 diff --git a/src/lxml/xinclude.pxi b/src/lxml/xinclude.pxi
-index f73afee61..6bac82923 100644
+index f73afee6..6bac8292 100644
 --- a/src/lxml/xinclude.pxi
 +++ b/src/lxml/xinclude.pxi
 @@ -49,11 +49,13 @@ cdef class XInclude:
@@ -237,7 +237,7 @@ index f73afee61..6bac82923 100644
              __GLOBAL_PARSER_CONTEXT.popImpliedContext()
          self._error_log.disconnect()
 diff --git a/src/lxml/xmlschema.pxi b/src/lxml/xmlschema.pxi
-index cc2c1928d..ab26d935e 100644
+index cc2c1928..ab26d935 100644
 --- a/src/lxml/xmlschema.pxi
 +++ b/src/lxml/xmlschema.pxi
 @@ -77,7 +77,9 @@ cdef class XMLSchema(_Validator):
@@ -251,7 +251,7 @@ index cc2c1928d..ab26d935e 100644
              __GLOBAL_PARSER_CONTEXT.popImpliedContext()
          xmlschema.xmlSchemaFreeParserCtxt(parser_ctxt)
 diff --git a/src/lxml/xslt.pxi b/src/lxml/xslt.pxi
-index e7b49600c..d483cfa30 100644
+index e7b49600..d483cfa3 100644
 --- a/src/lxml/xslt.pxi
 +++ b/src/lxml/xslt.pxi
 @@ -397,7 +397,9 @@ cdef class XSLT:
@@ -275,3 +275,6 @@ index e7b49600c..d483cfa30 100644
          return c_result
  
  
+-- 
+2.26.2
+

0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch

@@ -0,0 +1,75 @@
+From 06fbba68024e0287b8e8f6da85ce840ffbfec3bc Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski <mizdebsk@redhat.com>
+Date: Fri, 18 Dec 2020 16:08:43 +0100
+Subject: [PATCH 2/2] Fix CVE-2020-27783: mXSS due to the use of improper
+ parser
+
+Backported from upstream commits 89e7aad6e7ff9ecd88678ff25f885988b184b26e
+and a105ab8dc262ec6735977c25c13f0bdfcdec72a7
+---
+ src/lxml/html/clean.py | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index da1f8706..c4fbfaa3 100644
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+ 
+ # This is an IE-specific construct you can have in a stylesheet to
+ # run some Javascript:
+-_css_javascript_re = re.compile(
+-    r'expression\s*\(.*?\)', re.S|re.I)
++_replace_css_javascript = re.compile(
++    r'expression\s*\(.*?\)', re.S|re.I).sub
+ 
+ # Do I have to worry about @\nimport?
+-_css_import_re = re.compile(
+-    r'@\s*import', re.I)
++_replace_css_import = re.compile(
++    r'@\s*import', re.I).sub
++
++_looks_like_tag_content = re.compile(
++    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+@@ -292,8 +295,8 @@ class Cleaner(object):
+             if not self.inline_style:
+                 for el in _find_styled_elements(doc):
+                     old = el.get('style')
+-                    new = _css_javascript_re.sub('', old)
+-                    new = _css_import_re.sub('', new)
++                    new = _replace_css_javascript('', old)
++                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         del el.attrib['style']
+@@ -305,9 +308,9 @@ class Cleaner(object):
+                         el.drop_tree()
+                         continue
+                     old = el.text or ''
+-                    new = _css_javascript_re.sub('', old)
++                    new = _replace_css_javascript('', old)
+                     # The imported CSS can do anything; we just can't allow:
+-                    new = _css_import_re.sub('', old)
++                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         el.text = '/* deleted */'
+@@ -522,6 +525,12 @@ class Cleaner(object):
+             return True
+         if 'expression(' in style:
+             return True
++        if '</noscript' in style:
++            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
++            return True
++        if _looks_like_tag_content(style):
++            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
++            return True
+         return False
+ 
+     def clean_html(self, html):
+-- 
+2.26.2
+

0003-Fix-CVE-2021-28957.patch

@@ -0,0 +1,39 @@
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index b21a113..e40c808 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+     'usemap',
+     # Not standard:
+     'dynsrc', 'lowsrc',
++    # HTML5 formaction
++    'formaction'
+     ])
+ 
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index a193d99..87b7220 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -68,6 +68,21 @@ class CleanerTest(unittest.TestCase):
+         s = lxml.html.fromstring('<invalid tag>child</another>')
+         self.assertEqual('child', clean_html(s).text_content())
+ 
++    def test_formaction_attribute_in_button_input(self):
++        # The formaction attribute overrides the form's action and should be
++        # treated as a malicious link attribute
++        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
++        '<button form="test" formaction="javascript:alert(1)">X</button>')
++        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
++        '<button form="test" formaction="">X</button></div>')
++        cleaner = Cleaner(
++            forms=False,
++            safe_attrs_only=False,
++        )
++        self.assertEqual(
++            expected,
++            cleaner.clean_html(html))
++
+ 
+ def test_suite():
+     suite = unittest.TestSuite()

python-lxml.spec

@@ -2,13 +2,19 @@
 
 Name:           python-%{modname}
 Version:        4.5.1
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 
 License:        BSD
 URL:            https://github.com/lxml/lxml
 Source0:        https://lxml.de/files/%{modname}-%{version}.tgz
 Patch0001:      https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch
+Patch0002:      0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch
+
+# Fix for CVE-2021-28957:
+# missing input sanitization for formaction HTML5 attributes may lead to XSS
+# Resolved upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+Patch0003:      0003-Fix-CVE-2021-28957.patch
 
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
@@ -58,6 +64,14 @@ env WITH_CYTHON=true %py3_build
 %{python3_sitearch}/%{modname}-*.egg-info/
 
 %changelog
+* Fri May 21 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.5.1-4
+- Fix CVE-2021-28957: missing input sanitization for formaction HTML5 attributes may lead to XSS
+- Resolves: rhbz#1941535
+
+* Fri Dec 18 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.1-3
+- Fix mXSS vulnerability due to the use of improper parser
+- Resolves: CVE-2020-27783
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild