File feedparser-issue254-CVE-2011-1157.patch of Package python-feedparser.import4630
Index: feedparser-4.1/tests/wellformed/sanitize/xml_malicious_comment.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/xml_malicious_comment.xml
@@ -0,0 +1,7 @@
+<!--
+Description: malicious comment
+Expect: not bozo and feed['title'] == u'safe'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html">sa<!-- -- nonwhitespace >fe<script>alert(1);</script></title>
+</feed>
Index: feedparser-4.1/tests/wellformed/sanitize/xml_unclosed_comment.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/xml_unclosed_comment.xml
@@ -0,0 +1,7 @@
+<!--
+Description: unclosed comment
+Expect: not bozo and feed['title'] == u'safe'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html">safe<!--</title>
+</feed>
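Review bot: The unclosed-comment fixture ends the title immediately after `<!--`, so it does not pin the patch's stated choice to discard whatever follows an unclosed comment. A second fixture whose title carries some text after the `<!--`, still with `Expect: not bozo and feed['title'] == u'safe'`, would lock that behaviour in. It would also catch a later change that starts passing the tail through as data.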
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
@@ -1657,6 +1657,19 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
if not self.unacceptablestack:
_BaseHTMLProcessor.handle_data(self, text)
+ def parse_comment(self, i, report=1):
+ ret = _BaseHTMLProcessor.parse_comment(self, i, report)
+ if ret >= 0:
+ return ret
+ # if ret == -1, this may be a malicious attempt to circumvent
+ # sanitization, or a page-destroying unclosed comment
+ match = re.compile(r'--[^>]*>').search(self.rawdata, i+4)
+ if match:
+ return match.end()
+ # unclosed comment; deliberately fail to handle_data()
+ return len(self.rawdata)
+
+
def _sanitizeHTML(htmlSource, encoding):
p = _HTMLSanitizer(encoding)
htmlSource = htmlSource.replace('<![CDATA[', '<![CDATA[')
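Review bot: The final `return len(self.rawdata)` in the new `parse_comment` treats every negative result from `_BaseHTMLProcessor.parse_comment` as a permanently unclosed comment and discards the rest of the buffer. That is only safe if the complete document reaches the parser in a single `feed()` call, which this hunk does not show. The assumption deserves a docstring such as `"""Return the index just past the comment at i; a malformed or unclosed comment is skipped without being emitted (assumes rawdata holds the whole document)."""`. Both fallback branches drop the comment text rather than forwarding it, which is the safe direction for a sanitizer. The pattern is also recompiled on each malformed comment; a module-level `_lenient_comment_close = re.compile(r'--[^>]*>')` would avoid that and give the browser-style terminator a name. The enclosing `_HTMLSanitizer` class begins outside this hunk.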