Compare commits
2 Commits
Author | SHA1 | Date |
---|---|---|
Charalampos Stratakis | 420dc55c3e | |
Mikolaj Izdebski | ae540ddc4b |
|
@ -1,7 +1,7 @@
|
|||
From fa1d856cad369d0ac64323ddec14b02281491706 Mon Sep 17 00:00:00 2001
|
||||
From b90f1ec15cfd26684ef54eb19b536b010d6a740b Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Behnel <stefan_ml@behnel.de>
|
||||
Date: Sat, 23 May 2020 09:34:22 +0200
|
||||
Subject: [PATCH] Avoid globally overriding the libxml2 external entity
|
||||
Subject: [PATCH 1/2] Avoid globally overriding the libxml2 external entity
|
||||
resolver and instead set it for each parser run. This improves the
|
||||
interoperability with other users of libxml2 in the system, such as
|
||||
libxmlsec.
|
||||
|
@ -18,7 +18,7 @@ Subject: [PATCH] Avoid globally overriding the libxml2 external entity
|
|||
8 files changed, 62 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/CHANGES.txt b/CHANGES.txt
|
||||
index 30e805997..07afb641b 100644
|
||||
index 30e80599..07afb641 100644
|
||||
--- a/CHANGES.txt
|
||||
+++ b/CHANGES.txt
|
||||
@@ -2,6 +2,17 @@
|
||||
|
@ -40,7 +40,7 @@ index 30e805997..07afb641b 100644
|
|||
==================
|
||||
|
||||
diff --git a/src/lxml/dtd.pxi b/src/lxml/dtd.pxi
|
||||
index 595296546..5dcb80c46 100644
|
||||
index 59529654..5dcb80c4 100644
|
||||
--- a/src/lxml/dtd.pxi
|
||||
+++ b/src/lxml/dtd.pxi
|
||||
@@ -277,14 +277,20 @@ cdef class DTD(_Validator):
|
||||
|
@ -65,7 +65,7 @@ index 595296546..5dcb80c46 100644
|
|||
raise DTDParseError, u"either filename or external ID required"
|
||||
|
||||
diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
|
||||
index 22620373c..3ed223bd5 100644
|
||||
index 22620373..3ed223bd 100644
|
||||
--- a/src/lxml/parser.pxi
|
||||
+++ b/src/lxml/parser.pxi
|
||||
@@ -502,7 +502,15 @@ cdef xmlparser.xmlParserInput* _local_resolver(const_char* c_url, const_char* c_
|
||||
|
@ -181,7 +181,7 @@ index 22620373c..3ed223bd5 100644
|
|||
c_data += buffer_len
|
||||
|
||||
diff --git a/src/lxml/relaxng.pxi b/src/lxml/relaxng.pxi
|
||||
index d161ce46e..6a82a295f 100644
|
||||
index d161ce46..6a82a295 100644
|
||||
--- a/src/lxml/relaxng.pxi
|
||||
+++ b/src/lxml/relaxng.pxi
|
||||
@@ -64,7 +64,9 @@ cdef class RelaxNG(_Validator):
|
||||
|
@ -195,7 +195,7 @@ index d161ce46e..6a82a295f 100644
|
|||
_require_rnc2rng()
|
||||
rng_data_utf8 = _utf8(_rnc2rng.dumps(_rnc2rng.load(file)))
|
||||
diff --git a/src/lxml/schematron.pxi b/src/lxml/schematron.pxi
|
||||
index af4ba7f01..dfd2cc05f 100644
|
||||
index af4ba7f0..dfd2cc05 100644
|
||||
--- a/src/lxml/schematron.pxi
|
||||
+++ b/src/lxml/schematron.pxi
|
||||
@@ -95,7 +95,9 @@ cdef class Schematron(_Validator):
|
||||
|
@ -219,7 +219,7 @@ index af4ba7f01..dfd2cc05f 100644
|
|||
schematron.xmlSchematronFreeParserCtxt(parser_ctxt)
|
||||
|
||||
diff --git a/src/lxml/xinclude.pxi b/src/lxml/xinclude.pxi
|
||||
index f73afee61..6bac82923 100644
|
||||
index f73afee6..6bac8292 100644
|
||||
--- a/src/lxml/xinclude.pxi
|
||||
+++ b/src/lxml/xinclude.pxi
|
||||
@@ -49,11 +49,13 @@ cdef class XInclude:
|
||||
|
@ -237,7 +237,7 @@ index f73afee61..6bac82923 100644
|
|||
__GLOBAL_PARSER_CONTEXT.popImpliedContext()
|
||||
self._error_log.disconnect()
|
||||
diff --git a/src/lxml/xmlschema.pxi b/src/lxml/xmlschema.pxi
|
||||
index cc2c1928d..ab26d935e 100644
|
||||
index cc2c1928..ab26d935 100644
|
||||
--- a/src/lxml/xmlschema.pxi
|
||||
+++ b/src/lxml/xmlschema.pxi
|
||||
@@ -77,7 +77,9 @@ cdef class XMLSchema(_Validator):
|
||||
|
@ -251,7 +251,7 @@ index cc2c1928d..ab26d935e 100644
|
|||
__GLOBAL_PARSER_CONTEXT.popImpliedContext()
|
||||
xmlschema.xmlSchemaFreeParserCtxt(parser_ctxt)
|
||||
diff --git a/src/lxml/xslt.pxi b/src/lxml/xslt.pxi
|
||||
index e7b49600c..d483cfa30 100644
|
||||
index e7b49600..d483cfa3 100644
|
||||
--- a/src/lxml/xslt.pxi
|
||||
+++ b/src/lxml/xslt.pxi
|
||||
@@ -397,7 +397,9 @@ cdef class XSLT:
|
||||
|
@ -275,3 +275,6 @@ index e7b49600c..d483cfa30 100644
|
|||
return c_result
|
||||
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
From 06fbba68024e0287b8e8f6da85ce840ffbfec3bc Mon Sep 17 00:00:00 2001
|
||||
From: Mikolaj Izdebski <mizdebsk@redhat.com>
|
||||
Date: Fri, 18 Dec 2020 16:08:43 +0100
|
||||
Subject: [PATCH 2/2] Fix CVE-2020-27783: mXSS due to the use of improper
|
||||
parser
|
||||
|
||||
Backported from upstream commits 89e7aad6e7ff9ecd88678ff25f885988b184b26e
|
||||
and a105ab8dc262ec6735977c25c13f0bdfcdec72a7
|
||||
---
|
||||
src/lxml/html/clean.py | 25 +++++++++++++++++--------
|
||||
1 file changed, 17 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
|
||||
index da1f8706..c4fbfaa3 100644
|
||||
--- a/src/lxml/html/clean.py
|
||||
+++ b/src/lxml/html/clean.py
|
||||
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
|
||||
|
||||
# This is an IE-specific construct you can have in a stylesheet to
|
||||
# run some Javascript:
|
||||
-_css_javascript_re = re.compile(
|
||||
- r'expression\s*\(.*?\)', re.S|re.I)
|
||||
+_replace_css_javascript = re.compile(
|
||||
+ r'expression\s*\(.*?\)', re.S|re.I).sub
|
||||
|
||||
# Do I have to worry about @\nimport?
|
||||
-_css_import_re = re.compile(
|
||||
- r'@\s*import', re.I)
|
||||
+_replace_css_import = re.compile(
|
||||
+ r'@\s*import', re.I).sub
|
||||
+
|
||||
+_looks_like_tag_content = re.compile(
|
||||
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
|
||||
|
||||
# All kinds of schemes besides just javascript: that can cause
|
||||
# execution:
|
||||
@@ -292,8 +295,8 @@ class Cleaner(object):
|
||||
if not self.inline_style:
|
||||
for el in _find_styled_elements(doc):
|
||||
old = el.get('style')
|
||||
- new = _css_javascript_re.sub('', old)
|
||||
- new = _css_import_re.sub('', new)
|
||||
+ new = _replace_css_javascript('', old)
|
||||
+ new = _replace_css_import('', new)
|
||||
if self._has_sneaky_javascript(new):
|
||||
# Something tricky is going on...
|
||||
del el.attrib['style']
|
||||
@@ -305,9 +308,9 @@ class Cleaner(object):
|
||||
el.drop_tree()
|
||||
continue
|
||||
old = el.text or ''
|
||||
- new = _css_javascript_re.sub('', old)
|
||||
+ new = _replace_css_javascript('', old)
|
||||
# The imported CSS can do anything; we just can't allow:
|
||||
- new = _css_import_re.sub('', old)
|
||||
+ new = _replace_css_import('', new)
|
||||
if self._has_sneaky_javascript(new):
|
||||
# Something tricky is going on...
|
||||
el.text = '/* deleted */'
|
||||
@@ -522,6 +525,12 @@ class Cleaner(object):
|
||||
return True
|
||||
if 'expression(' in style:
|
||||
return True
|
||||
+ if '</noscript' in style:
|
||||
+ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
|
||||
+ return True
|
||||
+ if _looks_like_tag_content(style):
|
||||
+ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
|
||||
+ return True
|
||||
return False
|
||||
|
||||
def clean_html(self, html):
|
||||
--
|
||||
2.26.2
|
||||
|
|
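Review bot: The `\son[a-zA-Z]+\s*=` alternative in the new `_looks_like_tag_content` regex (hunk `@@ -61,12 +61,15 @@`) can only fire if `style` still contains whitespace when `_has_sneaky_javascript` reaches the new checks (hunk `@@ -522,6 +525,12 @@`); the start of that method is outside the hunk, and if it normalizes whitespace out of `style` before these tests, only the `</?[a-zA-Z]+` alternative does any work. Similarly, the literal `'</noscript' in style` test is case-sensitive and only works as written if `style` was lowercased earlier in the method, which the existing `'expression(' in style` check suggests but does not prove from here; in either case `</?[a-zA-Z]+` would still match `</NOSCRIPT`, so the defensive behaviour holds, but the dependency should be recorded. I would add above the regex `# NOTE: the event-handler alternative assumes whitespace survives in the input; the tag alternative is the one that must hold after _has_sneaky_javascript's normalization — confirm against that method.`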
@ -0,0 +1,39 @@
|
|||
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
|
||||
index b21a113..e40c808 100644
|
||||
--- a/src/lxml/html/defs.py
|
||||
+++ b/src/lxml/html/defs.py
|
||||
@@ -21,6 +21,8 @@ link_attrs = frozenset([
|
||||
'usemap',
|
||||
# Not standard:
|
||||
'dynsrc', 'lowsrc',
|
||||
+ # HTML5 formaction
|
||||
+ 'formaction'
|
||||
])
|
||||
|
||||
# Not in the HTML 4 spec:
|
||||
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
||||
index a193d99..87b7220 100644
|
||||
--- a/src/lxml/html/tests/test_clean.py
|
||||
+++ b/src/lxml/html/tests/test_clean.py
|
||||
@@ -68,6 +68,21 @@ class CleanerTest(unittest.TestCase):
|
||||
s = lxml.html.fromstring('<invalid tag>child</another>')
|
||||
self.assertEqual('child', clean_html(s).text_content())
|
||||
|
||||
+ def test_formaction_attribute_in_button_input(self):
|
||||
+ # The formaction attribute overrides the form's action and should be
|
||||
+ # treated as a malicious link attribute
|
||||
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
|
||||
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
|
||||
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
|
||||
+ '<button form="test" formaction="">X</button></div>')
|
||||
+ cleaner = Cleaner(
|
||||
+ forms=False,
|
||||
+ safe_attrs_only=False,
|
||||
+ )
|
||||
+ self.assertEqual(
|
||||
+ expected,
|
||||
+ cleaner.clean_html(html))
|
||||
+
|
||||
|
||||
def test_suite():
|
||||
suite = unittest.TestSuite()
|
|
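Review bot: `'formaction'` at the end of the `link_attrs` literal in the `defs.py` hunk has no trailing comma, unlike the entries above it (`'dynsrc', 'lowsrc',`); writing it as `'formaction',` keeps the list consistent and avoids an implicit string concatenation if another entry is appended below it later. The new `test_formaction_attribute_in_button_input` in `test_clean.py` exercises only the `safe_attrs_only=False` configuration, so the behaviour of a default `Cleaner()` on `formaction` is not pinned by this test; a second assertion with default settings would document what is expected there. The enclosing `CleanerTest` class and `link_attrs` literal both begin outside their hunks.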
@ -2,13 +2,19 @@
|
|||
|
||||
Name: python-%{modname}
|
||||
Version: 4.5.1
|
||||
Release: 2%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
|
||||
|
||||
License: BSD
|
||||
URL: https://github.com/lxml/lxml
|
||||
Source0: https://lxml.de/files/%{modname}-%{version}.tgz
|
||||
Patch0001: https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch
|
||||
Patch0002: 0002-Fix-CVE-2020-27783-mXSS-due-to-the-use-of-improper-p.patch
|
||||
|
||||
# Fix for CVE-2021-28957:
|
||||
# missing input sanitization for formaction HTML5 attributes may lead to XSS
|
||||
# Resolved upstream: https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
|
||||
Patch0003: 0003-Fix-CVE-2021-28957.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libxml2-devel
|
||||
|
@ -58,6 +64,14 @@ env WITH_CYTHON=true %py3_build
|
|||
%{python3_sitearch}/%{modname}-*.egg-info/
|
||||
|
||||
%changelog
|
||||
* Fri May 21 2021 Charalampos Stratakis <cstratak@redhat.com> - 4.5.1-4
|
||||
- Fix CVE-2021-28957: missing input sanitization for formaction HTML5 attributes may lead to XSS
|
||||
- Resolves: rhbz#1941535
|
||||
|
||||
* Fri Dec 18 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.1-3
|
||||
- Fix mXSS vulnerability due to the use of improper parser
|
||||
- Resolves: CVE-2020-27783
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
|
|
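Review bot: The `Patch0002:` line in the first spec hunk carries no explanatory comment, while the `Patch0003:` line added just below it gets a three-line block naming the CVE, the impact and the upstream fix; both patches should be documented the same way. I would add above `Patch0002:` the lines `# Fix for CVE-2020-27783: mXSS due to the use of improper parser` and `# Backported from upstream commits 89e7aad6e7ff9ecd88678ff25f885988b184b26e and a105ab8dc262ec6735977c25c13f0bdfcdec72a7`, taken from the patch header shown elsewhere in this compare. Separately, `Patch0001:` is declared by the upstream URL for commit `fa1d856cad369d0ac64323ddec14b02281491706`, yet the first file section shows a `From b90f1ec15cfd26684ef54eb19b536b010d6a740b` header on one side of the regenerated patch; which side is current is not recoverable here, so it is worth confirming that the shipped patch content still corresponds to the commit named in the URL.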