packages/python-lxml
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-27783

Browse Source
This commit is contained in:
sxt1001 2021-02-05 10:54:40 +08:00
parent 7b4e5b40ff
commit aa459788cf
3 changed files with 193 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
backport-CVE-2020-27783-1.patch Normal file
View File

@ -0,0 +1,49 @@
From 89e7aad6e7ff9ecd88678ff25f885988b184b26e Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Sun, 18 Oct 2020 10:06:46 +0200
Subject: [PATCH] Prevent combinations of <noscript> and <style> to sneak
JavaScript through the HTML cleaner.
---
src/lxml/html/clean.py | 3 +++
src/lxml/html/tests/test_clean.py | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index 6b19213..6775ac3 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -537,6 +537,9 @@ class Cleaner(object):
return True
if 'expression(' in style:
return True
+ if '</noscript' in style:
+ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ return True
return False
def clean_html(self, html):
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 4477337..3c8ee25 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -103,6 +103,16 @@ class CleanerTest(unittest.TestCase):
'<p><span>Cy<!-- xx -->an</span><!-- XXX --></p>',
cleaner.clean_html(html))
+ def test_sneaky_noscript_in_style(self):
+ # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
+ # thus passing the </noscript> through into the output.
+ html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<noscript><style>/* deleted */</style></noscript>',
+ lxml.html.tostring(clean_html(s)))
+
def test_suite():
suite = unittest.TestSuite()
--
1.8.3.1

136
backport-CVE-2020-27783-2.patch Normal file
View File

@ -0,0 +1,136 @@
From a105ab8dc262ec6735977c25c13f0bdfcdec72a7 Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Thu, 26 Nov 2020 09:20:52 +0100
Subject: [PATCH] Prevent combinations of <math/svg> and <style> to sneak
JavaScript through the HTML cleaner.
---
src/lxml/html/clean.py | 22 ++++++++++++++--------
src/lxml/html/tests/test_clean.py | 10 ++++++++++
src/lxml/html/tests/test_clean.txt | 18 +++++++++++++++---
3 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
index 6775ac3..272b4a1 100644
--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
# This is an IE-specific construct you can have in a stylesheet to
# run some Javascript:
-_css_javascript_re = re.compile(
- r'expression\s*\(.*?\)', re.S|re.I)
+_replace_css_javascript = re.compile(
+ r'expression\s*\(.*?\)', re.S|re.I).sub
# Do I have to worry about @\nimport?
-_css_import_re = re.compile(
- r'@\s*import', re.I)
+_replace_css_import = re.compile(
+ r'@\s*import', re.I).sub
+
+_looks_like_tag_content = re.compile(
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
# All kinds of schemes besides just javascript: that can cause
# execution:
@@ -304,8 +307,8 @@ class Cleaner(object):
if not self.inline_style:
for el in _find_styled_elements(doc):
old = el.get('style')
- new = _css_javascript_re.sub('', old)
- new = _css_import_re.sub('', new)
+ new = _replace_css_javascript('', old)
+ new = _replace_css_import('', new)
if self._has_sneaky_javascript(new):
# Something tricky is going on...
del el.attrib['style']
@@ -317,9 +320,9 @@ class Cleaner(object):
el.drop_tree()
continue
old = el.text or ''
- new = _css_javascript_re.sub('', old)
+ new = _replace_css_javascript('', old)
# The imported CSS can do anything; we just can't allow:
- new = _css_import_re.sub('', old)
+ new = _replace_css_import('', new)
if self._has_sneaky_javascript(new):
# Something tricky is going on...
el.text = '/* deleted */'
@@ -540,6 +543,9 @@ class Cleaner(object):
if '</noscript' in style:
# e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
return True
+ if _looks_like_tag_content(style):
+ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
+ return True
return False
def clean_html(self, html):
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 3c8ee25..0e669f9 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -113,6 +113,16 @@ class CleanerTest(unittest.TestCase):
b'<noscript><style>/* deleted */</style></noscript>',
lxml.html.tostring(clean_html(s)))
+ def test_sneaky_js_in_math_style(self):
+ # This gets parsed as <math> -> <style>"..."</style>
+ # thus passing any tag/script/whatever content through into the output.
+ html = '<math><style><img src=x onerror=alert(1)></style></math>'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<math><style>/* deleted */</style></math>',
+ lxml.html.tostring(clean_html(s)))
+
def test_suite():
suite = unittest.TestSuite()
diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
index 275be07..18e6c7e 100644
--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
@@ -104,7 +104,11 @@
>>> print(Cleaner(page_structure=False, comments=False).clean_html(doc))
<html>
<head>
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
</head>
<body>
<!-- I am interpreted for EVIL! -->
@@ -126,7 +130,11 @@
>>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
<html>
<head>
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
</head>
<body>
<a href="">a link</a>
@@ -190,7 +198,11 @@
<link rel="alternate" type="text/rss" src="evil-rss">
<link rel="alternate" type="text/rss" href="http://example.com">
<link rel="stylesheet" type="text/rss" href="http://example.com">
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
</head>
<body>
<a href="">a link</a>
--
1.8.3.1

10
python-lxml.spec
View File

@ -7,12 +7,15 @@ The latest release works with all CPython versions from 2.7 to 3.7.
Name: python-%{modname}
Version: 4.5.2
Release: 1
Release: 2
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
License: BSD
URL: http://lxml.de
Source0: http://lxml.de/files/%{modname}-%{version}.tgz
Patch6000: backport-CVE-2020-27783-1.patch
Patch6001: backport-CVE-2020-27783-2.patch
BuildRequires: gcc libxml2-devel libxslt-devel
%description %{_description}
@ -34,7 +37,7 @@ BuildRequires: python3-devel python3-setuptools python3-Cython
%package_help
%prep
%autosetup -n %{modname}-%{version}
%autosetup -n %{modname}-%{version} -p1
%build
export WITH_CYTHON=true
@ -63,6 +66,9 @@ export WITH_CYTHON=true
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%changelog
* Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2
- fix CVE-2020-27783
* Tue Jan 05 2020 shixuantong <shixuantong@huawei.com> - 4.5.2-1
- update version to 4.5.2