packages/python-lxml
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-28957

Browse Source 
(cherry picked from commit 4940d987fe4b34338113f508669aa7c8b6a20db6)
This commit is contained in:
tong_1001 2021-04-14 10:39:39 +08:00 committed by openeuler-sync-bot
parent 391d392ea9
commit 9e3cf580d4
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
backport-CVE-2021-28957.patch Normal file
View File

@ -0,0 +1,57 @@
From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sun, 21 Mar 2021 10:03:09 -0400
Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
(GH-316)
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
Resolves https://bugs.launchpad.net/lxml/+bug/1888153
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
---
src/lxml/html/defs.py | 2 ++
src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index b21a113..e40c808 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -21,6 +21,8 @@ link_attrs = frozenset([
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f9..45c2e83 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ class CleanerTest(unittest.TestCase):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()
--
1.8.3.1

6
python-lxml.spec
View File

@ -7,7 +7,7 @@ The latest release works with all CPython versions from 2.7 to 3.7.
Name: python-%{modname} Name: python-%{modname}
Version: 4.5.2 Version: 4.5.2
Release: 2 Release: 3
Summary: XML processing library combining libxml2/libxslt with the ElementTree API Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD License: BSD
URL: http://lxml.de URL: http://lxml.de
@ -15,6 +15,7 @@ Source0: http://lxml.de/files/%{modname}-%{version}.tgz
Patch6000: backport-CVE-2020-27783-1.patch Patch6000: backport-CVE-2020-27783-1.patch
Patch6001: backport-CVE-2020-27783-2.patch Patch6001: backport-CVE-2020-27783-2.patch
Patch6002: backport-CVE-2021-28957.patch
BuildRequires: gcc libxml2-devel libxslt-devel BuildRequires: gcc libxml2-devel libxslt-devel
@ -66,6 +67,9 @@ export WITH_CYTHON=true
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%changelog %changelog
* Wed Apr 14 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-3
- fix CVE-2021-28957
* Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2 * Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2
- fix CVE-2020-27783 - fix CVE-2020-27783