File 0002-CVE-2021-43818.patch of Package python-lxml
From 12fa9669007180a7bb87d990c375cf91ca5b664a
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Thu Nov 11 13:21:08 2021 +0100 Sat, 4 Aug 2018 12:56:14 +0200
Subject: [PATCH] Cleaner: Prevent "@import" from re-occurring in the CSS after replacements, e.g. "@@importimport".

Reported as GHSL-2021-1037 CVE-2021-43818

diff -ru lxml-3.6.1.bak/src/lxml/html/clean.py lxml-3.6.1/src/lxml/html/clean.py
--- lxml-3.6.1.bak/src/lxml/html/clean.py	2016-07-24 10:27:20.000000000 +0200
+++ lxml-3.6.1/src/lxml/html/clean.py	2022-02-25 14:17:23.242567393 +0100
@@ -509,6 +509,8 @@
             return True
         if 'expression(' in style:
             return True
+        if '@import' in style:
+            return True
         return False
 
     def clean_html(self, html):
diff -ru lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py lxml-3.6.1/src/lxml/html/tests/test_clean.py
--- lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py	2014-02-26 20:36:12.000000000 +0100
+++ lxml-3.6.1/src/lxml/html/tests/test_clean.py	2022-02-25 14:59:54.720210591 +0100
@@ -5,7 +5,6 @@
 import lxml.html
 from lxml.html.clean import Cleaner, clean_html
 
-
 class CleanerTest(unittest.TestCase):
     def test_allow_tags(self):
         html = """
@@ -69,6 +68,26 @@
         s = lxml.html.fromstring('<invalid tag>child</another>')
         self.assertEqual('child', clean_html(s).text_content())
 
+    def test_sneaky_import_in_style(self):
+        # Prevent "@@importimport" -> "@import" replacement.
+        style_codes = [
+            "@@importimport(extstyle.css)",
+            "@ @ import import(extstyle.css)",
+            "@ @ importimport(extstyle.css)",
+            "@@ import import(extstyle.css)",
+            "@ @import import(extstyle.css)",
+            "@@importimport()",
+        ]
+        for style_code in style_codes:
+            html = '<style>%s</style>' % style_code
+            s = lxml.html.fragment_fromstring(html)
+
+            cleaned = lxml.html.tostring(clean_html(s))
+            self.assertEqual(
+                b'<style>/* deleted */</style>',
+                cleaned,
+                "%s -> %s" % (style_code, cleaned))
+
 
 def test_suite():
     suite = unittest.TestSuite()
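Review bot: The added `if '@import' in style:` in clean.py is a bare substring match, and nothing in these two lines says why that is sufficient against split or doubled forms such as "@ @ import import"; the method it lands in (`_has_sneaky_javascript`, by the surrounding `'expression('` check) starts above the hunk, so its normalisation of `style` is not visible here. A short comment on the new check would make the reasoning self-contained: `# Reject any '@import' that survives normalisation: the replacement pass this guard follows can reassemble one from fragments such as "@@importimport" (CVE-2021-43818).` Note that the check also rejects well-formed `@import` rules, not just reassembled ones; that looks like the intended conservative choice for a sanitizer, but it is worth stating in the comment so nobody later "fixes" it back to a regex.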
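Review bot: `test_sneaky_import_in_style` only drives the payloads through a `<style>` element, so the inline `style="..."` attribute path — which, judging by the `/* deleted */` substitution and the guard's name, is presumably sanitised by the same `_has_sneaky_javascript` check — is left without a regression test for this CVE. Adding a second fixture inside the same loop, e.g. `attr_html = '<div style="%s">x</div>' % style_code` and `self.assertIsNone(clean_html(lxml.html.fragment_fromstring(attr_html)).get('style'))`, would pin both entry points. All six cases also use the bare `(extstyle.css)` form; one case with `url("extstyle.css")` would cheaply cover the other common `@import` syntax. The enclosing `CleanerTest` class begins outside this hunk.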