File CVE-2019-19450-code-inj-paraparser.patch of Package python-reportlab
# HG changeset patch
# User robin
# Date 1571472620 -3600
# Node ID b117091a73c2ef71dee9eacf23db50fc7031989b
# Parent f8ec5d88933b0531da77702faa31075805e25aa2
paraparser fix contributed by ravi prakash giri <raviprakashgiri@gmail.com>; version --> 3.5.31
---
 CHANGES.txt | 4 ++++
 src/reportlab/platypus/paraparser.py | 6 +++++-
 tests/test_platypus_paragraphs.py | 11 +++++++++--
 3 files changed, 18 insertions(+), 3 deletions(-)
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -8,6 +8,10 @@ E.g. to retrieve the changes made betwee
 The contributors lists are in no order and apologies to those accidentally not mentioned. If we missed you, please let us know!
+Security fix for CVE-2019-19450
+-------------------------------
+* paraparser fix contributed by ravi prakash giri <raviprakashgiri@gmail.com>
+
 #################################################################################
 #################### RELEASE 2.6 27/09/2012 #################
 #################################################################################
--- a/src/reportlab/platypus/paraparser.py
+++ b/src/reportlab/platypus/paraparser.py
@@ -745,7 +745,11 @@ class ParaParser(xmllib.XMLParser):
 v = '\0'
 elif 'code' in attr:
 try:
- v = unichr(int(eval(attr['code']))).encode('utf8')
+ v = attr['code'].lower()
+ if v.startswith('0x'):
+ v = int(v,16)
+ else:
+ v = int(v,0) #treat as a python literal would be
 except:
 self._syntax_error('<unichar/> invalid code attribute %s' % attr['code'])
 v = '\0'
--- a/tests/test_platypus_paragraphs.py
+++ b/tests/test_platypus_paragraphs.py
@@ -9,6 +9,7 @@ import sys, os, unittest
 from string import split, strip, join, whitespace
 from operator import truth
 from types import StringType, ListType
+from reportlab.pdfgen.canvas import Canvas
 from reportlab.pdfbase.pdfmetrics import stringWidth, registerFont, registerFontFamily
 from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.platypus.paraparser import ParaParser
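Review bot: In the paraparser.py hunk the `try` block now ends with `v` holding an int, whereas the removed line produced `unichr(...).encode('utf8')`, so whatever consumes `v` after the hunk (outside this view) presumably has to do that conversion now; it is worth doing it inside the `try`, e.g. `v = unichr(v).encode('utf8')` right after the `int(...)` calls, so that an out-of-range or negative code attribute still lands in the existing `_syntax_error` branch instead of raising an unhandled `ValueError` further down. The explicit `0x` branch is redundant because `int(v,0)` already accepts a `0x`/`0X` prefix, and the `.lower()` only matters for that prefix, so `v = int(attr['code'], 0)` alone expresses the intent. The bare `except:` that follows is pre-existing context, but since the block now contains only `str`/`int` calls it could safely be narrowed to `except ValueError:`. The enclosing handler's body begins and ends outside the hunk.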
@@ -110,7 +111,6 @@ class ParagraphCorners(unittest.TestCase
 def test3(self):
 '''compare CJK splitting in some edge cases'''
- from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus.paragraph import Paragraph
 from reportlab.lib.styles import ParagraphStyle
 from reportlab.pdfbase import pdfmetrics
@@ -509,7 +509,6 @@ phonemic and <u>morphological</u> <strik
 a(Paragraph(fmt % dict(valign=valign,testsFolder=testsFolder),p_style))
 a(XPreformatted(fmt % dict(valign=valign,testsFolder=testsFolder),p_style))
- a(Paragraph('<br/><b>Some Paragraph tests of <img width="x%" height="x%"</b>...', normal))
 a(Paragraph('H=10%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="0.57in" height="10%%" />'%dict(testsFolder=testsFolder), normal))
 a(Paragraph('H=50%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="0.57in" height="50%%" />'%dict(testsFolder=testsFolder), normal))
@@ -534,6 +533,14 @@ phonemic and <u>morphological</u> <strik
 a(Paragraph('H=50%% W=50%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="50%%" height="50%%" />'%dict(testsFolder=testsFolder), normalCJK))
 doc = MyDocTemplate(outputfile('test_platypus_paragraphs_autoleading.pdf'))
 doc.build(story)
+
+ def test_unicharCodeSafety(self):
+ """test a bug reported by ravi prakash giri <raviprakashgiri@gmail.com>"""
+ normal = getSampleStyleSheet()['BodyText']
+ self.assertRaises(Exception,Paragraph,
+ """<unichar code="open('/tmp/test.txt','w').write('Hello from unichar')"/>""",
+ normal)
+
 class JustifyTestCase(unittest.TestCase):
 "Test justification of paragraphs."
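Review bot: `test_unicharCodeSafety` in the -534 hunk asserts only on bare `Exception`, so it would also pass if `Paragraph` failed for an unrelated reason (for instance a downstream type error now that the parsed code is an int), and it never checks that a legitimate code attribute still works after the rewrite. Pair it with a positive case such as `Paragraph('<unichar code="0x41"/>', normal)` that must not raise, and if the parser reports syntax errors with a specific exception type, assert on that type instead of `Exception`. The test also relies on `getSampleStyleSheet` and `Paragraph` being in scope at module level of this test file, which the hunk does not show; the -110 hunk only removes the now-module-level `Canvas` import.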