!24 upgrade python-lxml to 4.6.5

Merge pull request !24 from hanxinke/master
openeuler-ci-bot 2021-12-13 11:20:26 +00:00 committed by Gitee
commit b13a9c5d3c
4 changed files with 8 additions and 59 deletions


@ -1,52 +0,0 @@
From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sun, 21 Mar 2021 10:03:09 -0400
Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
(GH-316)
Resolves https://bugs.launchpad.net/lxml/+bug/1888153
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
---
src/lxml/html/defs.py | 2 ++
src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index 1b3a75b36..2058ea330 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -23,6 +23,8 @@
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f98d..45c2e83ab 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()
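Review bot: dropping backport-CVE-2021-28957.patch is only safe if the 4.6.5 tarball already carries this change, so that should be verified before merge rather than assumed from the version bump. The upstream commit quoted here (2d01a1ba8984e0483ce6619b972832377f208a0d) adds 'formaction' to the link_attrs set in src/lxml/html/defs.py; a grep for formaction in that file inside lxml-4.6.5.tar.gz confirms the fix is present without the distro patch. The deleted test test_formaction_attribute_in_button_input is also the regression check for this CVE: it expects the javascript: formaction values on both the input and the button to be emptied (formaction="") rather than the attribute being removed, so if the package runs the upstream test suite that case keeps being exercised after the patch file is gone.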

Binary file not shown.

lxml-4.6.5.tar.gz Normal file (binary, not shown)


@ -6,14 +6,12 @@ the simplicity of a native Python API, mostly compatible but superior to the wel
The latest release works with all CPython versions from 2.7 to 3.7. The latest release works with all CPython versions from 2.7 to 3.7.
Name: python-%{modname} Name: python-%{modname}
Version: 4.6.2 Version: 4.6.5
Release: 2 Release: 1
Summary: XML processing library combining libxml2/libxslt with the ElementTree API Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD License: BSD
URL: https://files.pythonhosted.org URL: https://github.com/lxml/lxml
Source0: https://files.pythonhosted.org/packages/db/f7/43fecb94d66959c1e23aa53d6161231dca0e93ec500224cf31b3c4073e37/lxml-4.6.2.tar.gz Source0: https://github.com/lxml/lxml/releases/download/lxml-4.6.5/lxml-4.6.5.tar.gz
Patch6000: backport-CVE-2021-28957.patch
BuildRequires: gcc libxml2-devel libxslt-devel BuildRequires: gcc libxml2-devel libxslt-devel
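Review bot: the Patch6000 line is removed but the %prep section is not part of this hunk, so confirm there is no leftover %patch6000 (or equivalent) application line; a stale reference to the deleted patch fails the build at %prep, and only %autosetup-style specs are immune. Source0 also moves from the PyPI sdist on files.pythonhosted.org to the GitHub release asset under https://github.com/lxml/lxml/releases/download/lxml-4.6.5/; both are upstream-published tarballs, but since the spec carries no checksum, the bundled lxml-4.6.5.tar.gz should be compared against the upstream release artifact before it is trusted. Release correctly resets to 1 on the version bump; the description line above ('works with all CPython versions from 2.7 to 3.7') is carried over unchanged and should be checked against what 4.6.5 actually supports.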
@ -44,7 +42,7 @@ export WITH_CYTHON=true
%files -n python3-%{modname} %files -n python3-%{modname}
%license doc/licenses/ZopePublicLicense.txt LICENSES.txt %license doc/licenses/*.txt LICENSES.txt
%{python3_sitearch}/%{modname}/ %{python3_sitearch}/%{modname}/
%{python3_sitearch}/*.egg-info/ %{python3_sitearch}/*.egg-info/
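Review bot: %license widens from the single doc/licenses/ZopePublicLicense.txt to doc/licenses/*.txt; check that every file matching that glob in the 4.6.5 tree is actually a licence text, and that ZopePublicLicense.txt is still among them, otherwise the licence previously shipped with the package silently disappears from it.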
@ -52,6 +50,9 @@ export WITH_CYTHON=true
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%changelog %changelog
* Mon Dec 13 2021 hanxinke<hanxinke@huawei.com> - 4.6.5-1
- DESC: upgrade python-lxml to 4.6.5
* Wed Apr 14 2021 shixuantong<shixuantong@huawei.com> - 4.6.2-2 * Wed Apr 14 2021 shixuantong<shixuantong@huawei.com> - 4.6.2-2
- fix CVE-2021-28957 - fix CVE-2021-28957
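Review bot: the new changelog entry only says 'upgrade python-lxml to 4.6.5', while the change also removes backport-CVE-2021-28957.patch; state that explicitly (for example '- drop backport-CVE-2021-28957.patch, fix is in upstream 4.6.5') so the security history stays readable from the changelog alone. The 'DESC:' prefix is also not used by the existing 4.6.2-2 entry ('- fix CVE-2021-28957'), so the bullet should follow the same plain '- ...' form.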