File CVE-2019-19450-code-inj-paraparser.patch of Package python-reportlab.30899

# HG changeset patch
# User robin
# Date 1571472620 -3600
# Node ID b117091a73c2ef71dee9eacf23db50fc7031989b
# Parent  f8ec5d88933b0531da77702faa31075805e25aa2
paraparser fix contributed by ravi prakash giri <raviprakashgiri@gmail.com>; version --> 3.5.31

---
 src/reportlab/platypus/paraparser.py |    7 +++++--
 tests/test_platypus_paragraphs.py    |   10 +++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

--- a/src/reportlab/platypus/paraparser.py
+++ b/src/reportlab/platypus/paraparser.py
@@ -841,8 +841,11 @@ class ParaParser(HTMLParser):
                 v = '\0'
         elif 'code' in attr:
             try:
-                v = int(eval(attr['code']))
-                v = chr(v) if isPy3 else unichr(v)
+                v = attr['code'].lower()
+                if v.startswith('0x'):
+                    v = int(v,16)
+                else:
+                    v = int(v,0)    #treat as a python literal would be
             except:
                 self._syntax_error('<unichar/> invalid code attribute %s' % ascii(attr['code']))
                 v = '\0'
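Review bot: On the success path of the `'code'` branch `v` is now left as an int, because the removed `v = chr(v) if isPy3 else unichr(v)` has no counterpart among the added lines, while the `except` branch still assigns the string `'\0'`. The method continues outside this hunk, so unless later code converts it, the two paths hand different types onward. Restoring `v = chr(v) if isPy3 else unichr(v)` as the last statement inside the `try` would keep the old contract and still route out-of-range code points to `_syntax_error`. The `startswith('0x')` branch is redundant, since `int(v,0)` already accepts that prefix. The bare `except:` could be narrowed to `except (ValueError, OverflowError):` so unrelated failures are not reported as an invalid attribute.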
--- a/tests/test_platypus_paragraphs.py
+++ b/tests/test_platypus_paragraphs.py
@@ -7,6 +7,7 @@ from reportlab.lib.testutils import setO
 setOutDir(__name__)
 import sys, os, unittest
 from operator import truth
+from reportlab.pdfgen.canvas import Canvas
 from reportlab.pdfbase.pdfmetrics import stringWidth, registerFont, registerFontFamily
 from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.platypus.paraparser import ParaParser
@@ -107,7 +108,6 @@ class ParagraphCorners(unittest.TestCase
 
     def test3(self):
         '''compare CJK splitting in some edge cases'''
-        from reportlab.pdfgen.canvas import Canvas
         from reportlab.platypus.paragraph import Paragraph
         from reportlab.lib.styles import ParagraphStyle
         from reportlab.pdfbase import pdfmetrics
@@ -584,6 +584,14 @@ phonemic and <u>morphological</u> <strik
         doc = MyDocTemplate(outputfile('test_platypus_paragraphs_autoleading.pdf'))
         doc.build(story)
 
+    def test_unicharCodeSafety(self):
+        """test a bug reported by ravi prakash giri <raviprakashgiri@gmail.com>"""
+        normal = getSampleStyleSheet()['BodyText']
+        self.assertRaises(Exception,Paragraph,
+                """<unichar code="open('/tmp/test.txt','w').write('Hello from unichar')"/>""",
+                normal)
+
+
 class JustifyTestCase(unittest.TestCase):
     "Test justification of paragraphs."
     def testUl(self):
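Review bot: `test_unicharCodeSafety` only checks that some exception is raised, so it never verifies that the payload was not evaluated. A parser that ran the expression and then failed would still pass, as would a `NameError` if `Paragraph` or `getSampleStyleSheet` is not in module scope (not visible in this hunk). Adding `self.assertFalse(os.path.exists('/tmp/test.txt'))` after the `assertRaises` call would pin the actual security property; `os` is already imported at the top of the file. Removing any stale file first, or pointing the payload at a path under the test output directory, avoids false failures from a leftover file. Narrowing `Exception` to the type `_syntax_error` raises would tighten it further, though that type is not shown here.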