packages/python-lxml
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!19 fix CVE-2021-28957

Browse Source 
From: @tong_1001
Reviewed-by: @hanxinke
Signed-off-by: @hanxinke
This commit is contained in:
openeuler-ci-bot 2021-04-14 11:48:57 +08:00 committed by Gitee
commit 4dc77836cd
2 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
backport-CVE-2021-28957.patch Normal file
View File

@ -0,0 +1,52 @@
From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sun, 21 Mar 2021 10:03:09 -0400
Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
(GH-316)
Resolves https://bugs.launchpad.net/lxml/+bug/1888153
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
---
src/lxml/html/defs.py | 2 ++
src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index 1b3a75b36..2058ea330 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -23,6 +23,8 @@
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f98d..45c2e83ab 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()

9
python-lxml.spec
View File

@ -7,12 +7,14 @@ The latest release works with all CPython versions from 2.7 to 3.7.
Name: python-%{modname} Name: python-%{modname}
Version: 4.6.2 Version: 4.6.2
Release: 1 Release: 2
Summary: XML processing library combining libxml2/libxslt with the ElementTree API Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD License: BSD
URL: https://files.pythonhosted.org URL: https://files.pythonhosted.org
Source0: https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37/lxml-4.6.2.tar.gz Source0: https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37/lxml-4.6.2.tar.gz
Patch6000: backport-CVE-2021-28957.patch
BuildRequires: gcc libxml2-devel libxslt-devel BuildRequires: gcc libxml2-devel libxslt-devel
%description %{_description} %description %{_description}
@ -28,7 +30,7 @@ BuildRequires: python3-devel python3-setuptools python3-Cython
%package_help %package_help
%prep %prep
%autosetup -n %{modname}-%{version} %autosetup -n %{modname}-%{version} -p1
%build %build
export WITH_CYTHON=true export WITH_CYTHON=true
@ -50,6 +52,9 @@ export WITH_CYTHON=true
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%changelog %changelog
* Wed Apr 14 2021 shixuantong<shixuantong@huawei.com> - 4.6.2-2
- fix CVE-2021-28957
* Mon Feb 1 2021 wangjie<wangjie294@huawei.com> - 4.6.2-1 * Mon Feb 1 2021 wangjie<wangjie294@huawei.com> - 4.6.2-1
- upgrade 4.6.2-1 - upgrade 4.6.2-1