!21 [sync] PR-17: fix CVE-2021-28957

From: @openeuler-sync-bot Reviewed-by: @hanxinke Signed-off-by: @hanxinke
2021-04-14 16:04:57 +08:00 · 2021-04-14 16:04:57 +08:00 · 8201a80b7a
commit 8201a80b7a
parent 391d392ea9 9e3cf580d4
2 changed files with 62 additions and 1 deletions
--- a/backport-CVE-2021-28957.patch
+++ b/backport-CVE-2021-28957.patch
@ -0,0 +1,57 @@
+From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
+From: Kevin Chung <kchung@nyu.edu>
+Date: Sun, 21 Mar 2021 10:03:09 -0400
+Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
+ (GH-316)
+
+https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
+
+Resolves https://bugs.launchpad.net/lxml/+bug/1888153
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
+---
+ src/lxml/html/defs.py             |  2 ++
+ src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index b21a113..e40c808 100644
+--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
+@@ -21,6 +21,8 @@ link_attrs = frozenset([
+     'usemap',
+     # Not standard:
+     'dynsrc', 'lowsrc',
+    # HTML5 formaction
+    'formaction'
+     ])
+ 
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 0e669f9..45c2e83 100644
+--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
+@@ -123,6 +123,21 @@ class CleanerTest(unittest.TestCase):
+             b'<math><style>/* deleted */</style></math>',
+             lxml.html.tostring(clean_html(s)))
+ 
+    def test_formaction_attribute_in_button_input(self):
+        # The formaction attribute overrides the form's action and should be
+        # treated as a malicious link attribute
+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+        '<button form="test" formaction="javascript:alert(1)">X</button>')
+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+        '<button form="test" formaction="">X</button></div>')
+        cleaner = Cleaner(
+            forms=False,
+            safe_attrs_only=False,
+        )
+        self.assertEqual(
+            expected,
+            cleaner.clean_html(html))
+
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
+-- 
+1.8.3.1
+
--- a/python-lxml.spec
+++ b/python-lxml.spec
@ -7,7 +7,7 @@ The latest release works with all CPython versions from 2.7 to 3.7.

 Name:           python-%{modname}
 Version:        4.5.2
-Release:        2
+Release:        3
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 License:        BSD
 URL:            http://lxml.de
@ -15,6 +15,7 @@ Source0:        http://lxml.de/files/%{modname}-%{version}.tgz

 Patch6000:      backport-CVE-2020-27783-1.patch
 Patch6001:      backport-CVE-2020-27783-2.patch
+Patch6002:      backport-CVE-2021-28957.patch

 BuildRequires:  gcc libxml2-devel libxslt-devel

@ -66,6 +67,9 @@ export WITH_CYTHON=true
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt

 %changelog
+* Wed Apr 14 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-3
+- fix CVE-2021-28957
+
 * Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2
 - fix CVE-2020-27783