Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
python-lxml
0001-CVE-2021-43818.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-CVE-2021-43818.patch of Package python-lxml
From f2330237440df7e8f39c3ad1b1aa8852be3b27c0 From: Stefan Behnel <stefan_ml@behnel.de> Date: Thu Nov 11 13:21:08 2021 +0100 Sat, 4 Aug 2018 12:56:14 +0200 Subject: [PATCH] Cleaner: Remove SVG image data URLs since they can embed script content. Reported as GHSL-2021-1038 CVE-2021-43818 diff -ru lxml-3.6.1.bak/src/lxml/html/clean.py lxml-3.6.1-0001/src/lxml/html/clean.py --- lxml-3.6.1.bak/src/lxml/html/clean.py 2016-07-24 10:27:20.000000000 +0200 +++ lxml-3.6.1-0001/src/lxml/html/clean.py 2022-02-25 15:01:53.870241814 +0100 @@ -70,18 +70,25 @@ # All kinds of schemes besides just javascript: that can cause # execution: -_is_image_dataurl = re.compile( - r'^data:image/.+;base64', re.I).search +_find_image_dataurls = re.compile( + r'^data:image/(.+);base64,', re.I).findall _is_possibly_malicious_scheme = re.compile( - r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', - re.I).search + r'(javascript|jscript|livescript|vbscript|data|about|mocha):', + re.I).findall +# SVG images can contain script content +_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall + def _is_javascript_scheme(s): - if _is_image_dataurl(s): - return None - return _is_possibly_malicious_scheme(s) + is_image_url = False + for image_type in _find_image_dataurls(s): + is_image_url = True + if _is_unsafe_image_type(image_type): + return True + if is_image_url: + return False + return bool(_is_possibly_malicious_scheme(s)) _substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub -# FIXME: should data: be blocked? # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx _conditional_comment_re = re.compile( diff -ru lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py lxml-3.6.1-0001/src/lxml/html/tests/test_clean.py --- lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py 2014-02-26 20:36:12.000000000 +0100 +++ lxml-3.6.1-0001/src/lxml/html/tests/test_clean.py 2022-02-25 15:03:05.957050666 +0100 @@ -1,3 +1,5 @@ +import base64 +import gzip import unittest, sys from lxml.tests.common_imports import make_doctest from lxml.etree import LIBXML_VERSION @@ -61,6 +63,52 @@ self.assertEqual(expected, result) + @unittest.skipIf(sys.version_info[:2] < (3, 3), + "gzip.compress is available in >=3.2" + ) + def test_svg_data_links(self): + # Remove SVG images with potentially insecure content. + svg = b'<svg onload="alert(123)" />' + svgz = gzip.compress(svg) + svg_b64 = base64.b64encode(svg).decode('ASCII') + svgz_b64 = base64.b64encode(svgz).decode('ASCII') + urls = [ + "data:image/svg+xml;base64," + svg_b64, + "data:image/svg+xml-compressed;base64," + svgz_b64, + ] + for url in urls: + html = '<img src="%s">' % url + s = lxml.html.fragment_fromstring(html) + + cleaned = lxml.html.tostring(clean_html(s)) + self.assertEqual( + b'<img src="">', + cleaned, + "%s -> %s" % (url, cleaned)) + + def test_image_data_links(self): + data = b'123' + data_b64 = base64.b64encode(data).decode('ASCII') + urls = [ + "data:image/jpeg;base64," + data_b64, + "data:image/apng;base64," + data_b64, + "data:image/png;base64," + data_b64, + "data:image/gif;base64," + data_b64, + "data:image/webp;base64," + data_b64, + "data:image/bmp;base64," + data_b64, + "data:image/tiff;base64," + data_b64, + "data:image/x-icon;base64," + data_b64, + ] + for url in urls: + html = '<img src="%s">' % url + s = lxml.html.fragment_fromstring(html) + + cleaned = lxml.html.tostring(clean_html(s)) + self.assertEqual( + html.encode("UTF-8"), + cleaned, + "%s -> %s" % (url, cleaned)) + def test_clean_invalid_root_tag(self): # only testing that cleaning with invalid root tags works at all s = lxml.html.fromstring('parent <invalid tag>child</another>')
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
