File 0002-CVE-2021-43818.patch of Package python-lxml

From 12fa9669007180a7bb87d990c375cf91ca5b664a
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Thu Nov 11 13:21:08 2021 +0100
      Sat, 4 Aug 2018 12:56:14 +0200
Subject: [PATCH] Cleaner: Prevent "@import" from re-occurring in the CSS after 
 replacements, e.g. "@@importimport".
    
Reported as GHSL-2021-1037
CVE-2021-43818

diff -ru lxml-3.6.1.bak/src/lxml/html/clean.py lxml-3.6.1/src/lxml/html/clean.py
--- lxml-3.6.1.bak/src/lxml/html/clean.py	2016-07-24 10:27:20.000000000 +0200
+++ lxml-3.6.1/src/lxml/html/clean.py	2022-02-25 14:17:23.242567393 +0100
@@ -509,6 +509,8 @@
             return True
         if 'expression(' in style:
             return True
+        if '@import' in style:
+            return True
         return False
 
     def clean_html(self, html):
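Review bot: The new `'@import' in style` test is a plain case-sensitive substring match, so it only closes the "@@importimport" bypass if the enclosing predicate has already stripped comments and whitespace and lowercased `style` before reaching this point; that normalisation, if present, lives in the part of the method above the hunk, which starts outside it. The test cases in this patch with embedded spaces (`@ @  import import(...)`) implicitly depend on it, and an `@IMPORT` or `@\import` spelling would slip through if it is absent. A short why-comment would make the ordering contract explicit: `# _css_import_re has already run once; any '@import' that survives (e.g. from "@@importimport") means an obfuscated import, so reject the whole style.` If the lowercasing is not done earlier, change the check to `if '@import' in style.lower():`.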
diff -ru lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py lxml-3.6.1/src/lxml/html/tests/test_clean.py
--- lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py	2014-02-26 20:36:12.000000000 +0100
+++ lxml-3.6.1/src/lxml/html/tests/test_clean.py	2022-02-25 14:59:54.720210591 +0100
@@ -5,7 +5,6 @@
 import lxml.html
 from lxml.html.clean import Cleaner, clean_html
 
-
 class CleanerTest(unittest.TestCase):
     def test_allow_tags(self):
         html = """
@@ -69,6 +68,26 @@
         s = lxml.html.fromstring('<invalid tag>child</another>')
         self.assertEqual('child', clean_html(s).text_content())
 
+    def test_sneaky_import_in_style(self):
+        # Prevent "@@importimport" -> "@import" replacement.
+        style_codes = [
+            "@@importimport(extstyle.css)",
+            "@ @  import import(extstyle.css)",
+            "@ @ importimport(extstyle.css)",
+            "@@  import import(extstyle.css)",
+            "@ @import import(extstyle.css)",
+            "@@importimport()",
+        ]
+        for style_code in style_codes:
+            html = '<style>%s</style>' % style_code
+            s = lxml.html.fragment_fromstring(html)
+
+            cleaned = lxml.html.tostring(clean_html(s))
+            self.assertEqual(
+                b'<style>/* deleted */</style>',
+                cleaned,
+                "%s  ->  %s" % (style_code, cleaned))
+
 
 def test_suite():
     suite = unittest.TestSuite()
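Review bot: The regression test only covers `<style>` element text, yet the same import-stripping and sneaky-javascript predicate is, as far as the hunk suggests, also applied to inline `style="..."` attributes, which the "@@importimport" trick bypasses in exactly the same way. Adding an attribute-form assertion to the loop would pin the fix on both code paths: `html = '<div style="%s">x</div>' % style_code`, `s = lxml.html.fragment_fromstring(html)`, `self.assertNotIn(b'@import', lxml.html.tostring(clean_html(s)))`. Consider also adding an upper-case spelling such as `"@@IMPORTimport(extstyle.css)"` to the list, since the check being exercised is a substring match. `test_suite` continues outside the hunk.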