File 0001-CVE-2021-43818.patch of Package python-lxml
From f2330237440df7e8f39c3ad1b1aa8852be3b27c0
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Thu Nov 11 13:21:08 2021 +0100
Sat, 4 Aug 2018 12:56:14 +0200
Subject: [PATCH] Cleaner: Remove SVG image data URLs since they can embed
script content.
Reported as GHSL-2021-1038
CVE-2021-43818
diff -ru lxml-3.6.1.bak/src/lxml/html/clean.py lxml-3.6.1-0001/src/lxml/html/clean.py
--- lxml-3.6.1.bak/src/lxml/html/clean.py 2016-07-24 10:27:20.000000000 +0200
+++ lxml-3.6.1-0001/src/lxml/html/clean.py 2022-02-25 15:01:53.870241814 +0100
@@ -70,18 +70,25 @@
# All kinds of schemes besides just javascript: that can cause
# execution:
-_is_image_dataurl = re.compile(
- r'^data:image/.+;base64', re.I).search
+_find_image_dataurls = re.compile(
+ r'^data:image/(.+);base64,', re.I).findall
_is_possibly_malicious_scheme = re.compile(
- r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
- re.I).search
+ r'(javascript|jscript|livescript|vbscript|data|about|mocha):',
+ re.I).findall
+# SVG images can contain script content
+_is_unsafe_image_type = re.compile(r"(xml|svg)", re.I).findall
+
def _is_javascript_scheme(s):
- if _is_image_dataurl(s):
- return None
- return _is_possibly_malicious_scheme(s)
+ is_image_url = False
+ for image_type in _find_image_dataurls(s):
+ is_image_url = True
+ if _is_unsafe_image_type(image_type):
+ return True
+ if is_image_url:
+ return False
+ return bool(_is_possibly_malicious_scheme(s))
_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
-# FIXME: should data: be blocked?
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
_conditional_comment_re = re.compile(
diff -ru lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py lxml-3.6.1-0001/src/lxml/html/tests/test_clean.py
--- lxml-3.6.1.bak/src/lxml/html/tests/test_clean.py 2014-02-26 20:36:12.000000000 +0100
+++ lxml-3.6.1-0001/src/lxml/html/tests/test_clean.py 2022-02-25 15:03:05.957050666 +0100
@@ -1,3 +1,5 @@
+import base64
+import gzip
import unittest, sys
from lxml.tests.common_imports import make_doctest
from lxml.etree import LIBXML_VERSION
@@ -61,6 +63,52 @@
self.assertEqual(expected, result)
+ @unittest.skipIf(sys.version_info[:2] < (3, 3),
+ "gzip.compress is available in >=3.2"
+ )
+ def test_svg_data_links(self):
+ # Remove SVG images with potentially insecure content.
+ svg = b'<svg onload="alert(123)" />'
+ svgz = gzip.compress(svg)
+ svg_b64 = base64.b64encode(svg).decode('ASCII')
+ svgz_b64 = base64.b64encode(svgz).decode('ASCII')
+ urls = [
+ "data:image/svg+xml;base64," + svg_b64,
+ "data:image/svg+xml-compressed;base64," + svgz_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ b'<img src="">',
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
+ def test_image_data_links(self):
+ data = b'123'
+ data_b64 = base64.b64encode(data).decode('ASCII')
+ urls = [
+ "data:image/jpeg;base64," + data_b64,
+ "data:image/apng;base64," + data_b64,
+ "data:image/png;base64," + data_b64,
+ "data:image/gif;base64," + data_b64,
+ "data:image/webp;base64," + data_b64,
+ "data:image/bmp;base64," + data_b64,
+ "data:image/tiff;base64," + data_b64,
+ "data:image/x-icon;base64," + data_b64,
+ ]
+ for url in urls:
+ html = '<img src="%s">' % url
+ s = lxml.html.fragment_fromstring(html)
+
+ cleaned = lxml.html.tostring(clean_html(s))
+ self.assertEqual(
+ html.encode("UTF-8"),
+ cleaned,
+ "%s -> %s" % (url, cleaned))
+
def test_clean_invalid_root_tag(self):
# only testing that cleaning with invalid root tags works at all
s = lxml.html.fromstring('parent <invalid tag>child</another>')
