File CVE-2020-27783.patch of Package python3-lxml.26328
Index: lxml-3.3.5/src/lxml/html/clean.py
===================================================================
--- lxml-3.3.5.orig/src/lxml/html/clean.py
+++ lxml-3.3.5/src/lxml/html/clean.py
@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Clean
 # This is an IE-specific construct you can have in a stylesheet to
 # run some Javascript:
-_css_javascript_re = re.compile(
- r'expression\s*\(.*?\)', re.S|re.I)
+_replace_css_javascript = re.compile(
+ r'expression\s*\(.*?\)', re.S|re.I).sub
 # Do I have to worry about @\nimport?
-_css_import_re = re.compile(
- r'@\s*import', re.I)
+_replace_css_import = re.compile(
+ r'@\s*import', re.I).sub
+
+_looks_like_tag_content = re.compile(
+ r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', ).search
 # All kinds of schemes besides just javascript: that can cause
 # execution:
@@ -278,8 +281,8 @@ class Cleaner(object):
 # from styles, otherwise...
 for el in _find_styled_elements(doc):
 old = el.get('style')
- new = _css_javascript_re.sub('', old)
- new = _css_import_re.sub('', new)
+ new = _replace_css_javascript('', old)
+ new = _replace_css_import('', new)
 if self._has_sneaky_javascript(new):
 # Something tricky is going on...
 del el.attrib['style']
@@ -290,9 +293,9 @@ class Cleaner(object):
 el.drop_tree()
 continue
 old = el.text or ''
- new = _css_javascript_re.sub('', old)
+ new = _replace_css_javascript('', old)
 # The imported CSS can do anything; we just can't allow:
- new = _css_import_re.sub('', old)
+ new = _replace_css_import('', new)
 if self._has_sneaky_javascript(new):
 # Something tricky is going on...
 el.text = '/* deleted */'
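Review bot: `_looks_like_tag_content` in the first hunk is introduced without the explanatory comment its two neighbours have, and its `re.compile(` call ends in a stray `, )`. A short comment such as `# Markup inside CSS text: a tag opener or an on*= attribute means HTML got through as style content.` would tell the next reader why a tag-shaped match is treated as hostile. The call reads more cleanly as `r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=').search`. The empty argument slot looks like a dropped flags argument, but that is an inference and not visible on this page.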
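Review bot: The last changed line of the third hunk is a behaviour fix rather than part of the rename: `_css_import_re.sub('', old)` became `_replace_css_import('', new)`, so the result of the `expression(...)` removal on the line above is no longer discarded before `_has_sneaky_javascript(new)` runs. As a result, `<style>` elements that only tripped the `'expression('` check appear to be kept in stripped form instead of being replaced by `/* deleted */`, which is what the two test_clean.txt hunks record. Since this ships under a CVE identifier, state it in the patch header so consumers of the update expect different cleaner output, for example `# Also applies the @import filter to the already-filtered text (previously used the original)`. The enclosing method starts and ends outside the hunk.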
@@ -493,6 +496,12 @@ class Cleaner(object):
 return True
 if 'expression(' in style:
 return True
+ if '</noscript' in style:
+ # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ return True
+ if _looks_like_tag_content(style):
+ # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
+ return True
 return False
 def clean_html(self, html):
Index: lxml-3.3.5/src/lxml/html/tests/test_clean.py
===================================================================
--- lxml-3.3.5.orig/src/lxml/html/tests/test_clean.py
+++ lxml-3.3.5/src/lxml/html/tests/test_clean.py
@@ -69,6 +69,26 @@ class CleanerTest(unittest.TestCase):
 s = lxml.html.fromstring('<invalid tag>child</another>')
 self.assertEqual('child', clean_html(s).text_content())
+ def test_sneaky_noscript_in_style(self):
+ # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
+ # thus passing the </noscript> through into the output.
+ html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<noscript><style>/* deleted */</style></noscript>',
+ lxml.html.tostring(clean_html(s)))
+
+ def test_sneaky_js_in_math_style(self):
+ # This gets parsed as <math> -> <style>"..."</style>
+ # thus passing any tag/script/whatever content through into the output.
+ html = '<math><style><img src=x onerror=alert(1)></style></math>'
+ s = lxml.html.fragment_fromstring(html)
+
+ self.assertEqual(
+ b'<math><style>/* deleted */</style></math>',
+ lxml.html.tostring(clean_html(s)))
+
 def test_suite():
 suite = unittest.TestSuite()
Index: lxml-3.3.5/src/lxml/html/tests/test_clean.txt
===================================================================
--- lxml-3.3.5.orig/src/lxml/html/tests/test_clean.txt
+++ lxml-3.3.5/src/lxml/html/tests/test_clean.txt
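Review bot: Both checks added to `_has_sneaky_javascript` depend on how `style` was normalised earlier in the function, which begins above this hunk. The literal `'</noscript'` and the `on` in the regex only match lowercase text, and the `\son[a-zA-Z]+\s*=` alternative needs a whitespace character to still be present. If the preamble strips whitespace, that alternative can never match and only `</?[a-zA-Z]+` does the work. Once confirmed against the full function, record the dependency next to the checks, for example `# relies on style having been lowercased above`, and either drop or rework the alternative that cannot fire.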
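Review bot: The two tests added to `CleanerTest` do not isolate the branches of the new check. Both inputs contain `<img`, and the first also contains `</noscript`, so they pass whether or not the `\son[a-zA-Z]+\s*=` alternative of `_looks_like_tag_content` ever matches. Add one case that reaches only that alternative and one upper-case variant of an existing input, each asserting the cleaned output, so the suite pins the intended behaviour and not just the two reported strings. A companion case asserting that ordinary CSS passes through `clean_html` unchanged would guard against the new heuristic deleting legitimate stylesheets.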
@@ -104,7 +104,11 @@
 >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
 <html>
 <head>
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
 </head>
 <body>
 <a href="">a link</a>
@@ -148,7 +152,11 @@
 <link rel="alternate" type="text/rss" src="evil-rss">
 <link rel="alternate" type="text/rss" href="http://example.com">
 <link rel="stylesheet" type="text/rss" href="http://example.com">
- <style>/* deleted */</style>
+ <style>
+ body {background-image: url()};
+ div {background-image: url()};
+ div {color: };
+ </style>
 </head>
 <body>
 <a href="">a link</a>