python-lxml: move to version 3.2.5

Remove version 3.0.2. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Joe Slater <jslater@windriver.com> 2015-01-19 13:07:08 -0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-01-28 09:51:42 +0100
commit: c79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree: 3f33af8d9ed7de00061c8fe63e06e1bf423dfc10 /meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
parent: 66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
download: meta-openembedded-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz
1 files changed, 91 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 0000000000..0a8e211bd3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
+Upstream-status:Backport
+--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
+@@ -70,9 +70,10 @@ _css_import_re = re.compile(
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+-_javascript_scheme_re = re.compile(
+-    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
+-_substitute_whitespace = re.compile(r'\s+').sub
+_is_javascript_scheme = re.compile(
+    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
+    re.I).search
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
+ # FIXME: should data: be blocked?
+ 
+ # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
+@@ -467,7 +468,7 @@ class Cleaner(object):
+     def _remove_javascript_link(self, link):
+         # links like "j a v a s c r i p t:" might be interpreted in IE
+         new = _substitute_whitespace('', link)
+-        if _javascript_scheme_re.search(new):
+        if _is_javascript_scheme(new):
+             # FIXME: should this be None to delete?
+             return ''
+         return link
+--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
+@@ -1,3 +1,4 @@
+>>> import re
+ >>> from lxml.html import fromstring, tostring
+ >>> from lxml.html.clean import clean, clean_html, Cleaner
+ >>> from lxml.html import usedoctest
+@@ -17,6 +18,7 @@
+ ...   <body onload="evil_function()">
+ ...     <!-- I am interpreted for EVIL! -->
+ ...     <a href="javascript:evil_function()">a link</a>
+...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
+ ...     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ ...     <a href="#" onclick="evil_function()">another link</a>
+ ...     <p onclick="evil_function()">a paragraph</p>
+@@ -33,7 +35,7 @@
+ ...   </body>
+ ... </html>'''
+ 
+->>> print(doc)
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
+ <html>
+   <head>
+     <script type="text/javascript" src="evil-site"></script>
+@@ -49,6 +51,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -81,6 +84,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip%20t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -104,6 +108,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -123,6 +128,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -146,6 +152,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a> 
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
author	Joe Slater <jslater@windriver.com>	2015-01-19 13:07:08 -0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-01-28 09:51:42 +0100
commit	c79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree	3f33af8d9ed7de00061c8fe63e06e1bf423dfc10 /meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
parent	66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
download	meta-openembedded-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz

diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch new file mode 100644 index 0000000000..0a8e211bd3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
	1	Upstream-status:Backport
	2
	3	--- a/src/lxml/html/clean.py
	4	+++ b/src/lxml/html/clean.py
	5	@@ -70,9 +70,10 @@ _css_import_re = re.compile(
	6
	7	# All kinds of schemes besides just javascript: that can cause
	8	# execution:
	9	-_javascript_scheme_re = re.compile(
	10	- r'\s*(?:javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):', re.I)
	11	-_substitute_whitespace = re.compile(r'\s+').sub
	12	+_is_javascript_scheme = re.compile(
	13	+ r'(?:javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):',
	14	+ re.I).search
	15	+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
	16	# FIXME: should data: be blocked?
	17
	18	# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
	19	@@ -467,7 +468,7 @@ class Cleaner(object):
	20	def _remove_javascript_link(self, link):
	21	# links like "j a v a s c r i p t:" might be interpreted in IE
	22	new = _substitute_whitespace('', link)
	23	- if _javascript_scheme_re.search(new):
	24	+ if _is_javascript_scheme(new):
	25	# FIXME: should this be None to delete?
	26	return ''
	27	return link
	28	--- a/src/lxml/html/tests/test_clean.txt
	29	+++ b/src/lxml/html/tests/test_clean.txt
	30	@@ -1,3 +1,4 @@
	31	+>>> import re
	32	>>> from lxml.html import fromstring, tostring
	33	>>> from lxml.html.clean import clean, clean_html, Cleaner
	34	>>> from lxml.html import usedoctest
	35	@@ -17,6 +18,7 @@
	36	... <body onload="evil_function()">
	37	... <!-- I am interpreted for EVIL! -->
	38	... <a href="javascript:evil_function()">a link</a>
	39	+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
	40	... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
	41	... <a href="#" onclick="evil_function()">another link</a>
	42	... <p onclick="evil_function()">a paragraph</p>
	43	@@ -33,7 +35,7 @@
	44	... </body>
	45	... </html>'''
	46
	47	->>> print(doc)
	48	+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
	49	<html>
	50	<head>
	51	<script type="text/javascript" src="evil-site"></script>
	52	@@ -49,6 +51,7 @@
	53	<body onload="evil_function()">
	54	<!-- I am interpreted for EVIL! -->
	55	<a href="javascript:evil_function()">a link</a>
	56	+ <a href="javascrip t:evil_function()">a control char link</a>
	57	<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
	58	<a href="#" onclick="evil_function()">another link</a>
	59	<p onclick="evil_function()">a paragraph</p>
	60	@@ -81,6 +84,7 @@
	61	<body onload="evil_function()">
	62	<!-- I am interpreted for EVIL! -->
	63	<a href="javascript:evil_function()">a link</a>
	64	+ <a href="javascrip%20t:evil_function()">a control char link</a>
	65	<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
	66	<a href="#" onclick="evil_function()">another link</a>
	67	<p onclick="evil_function()">a paragraph</p>
	68	@@ -104,6 +108,7 @@
	69	</head>
	70	<body>
	71	<a href="">a link</a>
	72	+ <a href="">a control char link</a>
	73	<a href="">data</a>
	74	<a href="#">another link</a>
	75	<p>a paragraph</p>
	76	@@ -123,6 +128,7 @@
	77	</head>
	78	<body>
	79	<a href="">a link</a>
	80	+ <a href="">a control char link</a>
	81	<a href="">data</a>
	82	<a href="#">another link</a>
	83	<p>a paragraph</p>
	84	@@ -146,6 +152,7 @@
	85	</head>
	86	<body>
	87	<a href="">a link</a>
	88	+ <a href="">a control char link</a>
	89	<a href="">data</a>
	90	<a href="#">another link</a>
	91	<p>a paragraph</p>