File CVE-2019-19450-code-inj-paraparser.patch of Package python-reportlab.30897

# HG changeset patch
# User robin
# Date 1571472620 -3600
# Node ID b117091a73c2ef71dee9eacf23db50fc7031989b
# Parent  f8ec5d88933b0531da77702faa31075805e25aa2
paraparser fix contributed by ravi prakash giri <raviprakashgiri@gmail.com>; version --> 3.5.31

---
 CHANGES.txt                          |    4 ++++
 src/reportlab/platypus/paraparser.py |    6 +++++-
 tests/test_platypus_paragraphs.py    |   11 +++++++++--
 3 files changed, 18 insertions(+), 3 deletions(-)

--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -8,6 +8,10 @@ E.g. to retrieve the changes made betwee
 The contributors lists are in no order and apologies to those accidentally not
 mentioned. If we missed you, please let us know!
 
+Security fix for CVE-2019-19450
+-------------------------------
+* paraparser fix contributed by ravi prakash giri <raviprakashgiri@gmail.com>
+
 #################################################################################
 #################### RELEASE 2.6  27/09/2012                    #################
 #################################################################################
--- a/src/reportlab/platypus/paraparser.py
+++ b/src/reportlab/platypus/paraparser.py
@@ -745,7 +745,11 @@ class ParaParser(xmllib.XMLParser):
                 v = '\0'
         elif 'code' in attr:
             try:
-                v = unichr(int(eval(attr['code']))).encode('utf8')
+                v = attr['code'].lower()
+                if v.startswith('0x'):
+                    v = int(v,16)
+                else:
+                    v = int(v,0)    #treat as a python literal would be
             except:
                 self._syntax_error('<unichar/> invalid code attribute %s' % attr['code'])
                 v = '\0'
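Review bot: The new branch leaves `v` as an int, whereas the removed line produced a UTF-8 byte string via `unichr(...).encode('utf8')` and the `except` fallback still assigns the string `'\0'`; unless code after the hunk converts it, the success and error paths now yield different types. If that conversion happens outside the `try`, an out-of-range value such as `0x110000` would surface as an uncaught ValueError from `unichr` instead of the `<unichar/> invalid code attribute` syntax error the handler reports. Adding `v = unichr(v).encode('utf8')` as the last statement inside the `try` would keep the old contract while still avoiding `eval`. The `startswith('0x')` special case is redundant, since `int(v, 0)` already accepts a `0x` prefix, so the branch could collapse to the single `int(v, 0)` call. The enclosing method of `ParaParser` continues outside the hunk.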
--- a/tests/test_platypus_paragraphs.py
+++ b/tests/test_platypus_paragraphs.py
@@ -9,6 +9,7 @@ import sys, os, unittest
 from string import split, strip, join, whitespace
 from operator import truth
 from types import StringType, ListType
+from reportlab.pdfgen.canvas import Canvas
 from reportlab.pdfbase.pdfmetrics import stringWidth, registerFont, registerFontFamily
 from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.platypus.paraparser import ParaParser
@@ -110,7 +111,6 @@ class ParagraphCorners(unittest.TestCase
 
     def test3(self):
         '''compare CJK splitting in some edge cases'''
-        from reportlab.pdfgen.canvas import Canvas
         from reportlab.platypus.paragraph import Paragraph
         from reportlab.lib.styles import ParagraphStyle
         from reportlab.pdfbase import pdfmetrics
@@ -509,7 +509,6 @@ phonemic and <u>morphological</u> <strik
             a(Paragraph(fmt % dict(valign=valign,testsFolder=testsFolder),p_style))
             a(XPreformatted(fmt % dict(valign=valign,testsFolder=testsFolder),p_style))
 
-
         a(Paragraph('<br/><b>Some Paragraph tests of &lt;img width="x%" height="x%"</b>...', normal))
         a(Paragraph('H=10%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="0.57in" height="10%%" />'%dict(testsFolder=testsFolder), normal))
         a(Paragraph('H=50%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="0.57in" height="50%%" />'%dict(testsFolder=testsFolder), normal))
@@ -534,6 +533,14 @@ phonemic and <u>morphological</u> <strik
         a(Paragraph('H=50%% W=50%% <img src="%(testsFolder)s/../docs/images/testimg.gif" width="50%%" height="50%%" />'%dict(testsFolder=testsFolder), normalCJK))
         doc = MyDocTemplate(outputfile('test_platypus_paragraphs_autoleading.pdf'))
         doc.build(story)
+
+    def test_unicharCodeSafety(self):
+        """test a bug reported by ravi prakash giri <raviprakashgiri@gmail.com>"""
+        normal = getSampleStyleSheet()['BodyText']
+        self.assertRaises(Exception,Paragraph,
+                """<unichar code="open('/tmp/test.txt','w').write('Hello from unichar')"/>""",
+                normal)
+
 
 class JustifyTestCase(unittest.TestCase):
     "Test justification of paragraphs."
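Review bot: `assertRaises(Exception, ...)` in `test_unicharCodeSafety` would presumably also pass against the unpatched code, because `int(eval(...))` on the `None` returned by `write()` raises TypeError after the payload has already run, and both versions then report the same syntax error, so the test does not distinguish fixed from vulnerable behaviour. A `code` value that `eval` would accept but `int(v, 0)` rejects makes the distinction explicit, e.g. `self.assertRaises(Exception, Paragraph, '<unichar code="1+1"/>', normal)`; additionally asserting that the path named in the payload does not exist afterwards would pin the absence of the side effect, and a `tempfile`-derived path is preferable to the fixed `/tmp/test.txt`. The docstring could state the contract rather than the reporter, e.g. `"""<unichar code=...> is parsed as an integer literal and never evaluated"""`. `getSampleStyleSheet` and `Paragraph` are not imported in the visible hunks; they are presumably in scope from elsewhere in the test module.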