python-lxml: move to version 3.2.5

Remove version 3.0.2. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Joe Slater <jslater@windriver.com> 2015-01-19 13:07:08 -0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-01-28 09:51:42 +0100
commit: c79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree: 3f33af8d9ed7de00061c8fe63e06e1bf423dfc10
parent: 66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
download: meta-openembedded-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz
2 files changed, 96 insertions, 3 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 000000000..0a8e211bd
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
+Upstream-status:Backport
+--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
+@@ -70,9 +70,10 @@ _css_import_re = re.compile(
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+-_javascript_scheme_re = re.compile(
+-    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
+-_substitute_whitespace = re.compile(r'\s+').sub
+_is_javascript_scheme = re.compile(
+    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
+    re.I).search
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
+ # FIXME: should data: be blocked?
+ 
+ # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
+@@ -467,7 +468,7 @@ class Cleaner(object):
+     def _remove_javascript_link(self, link):
+         # links like "j a v a s c r i p t:" might be interpreted in IE
+         new = _substitute_whitespace('', link)
+-        if _javascript_scheme_re.search(new):
+        if _is_javascript_scheme(new):
+             # FIXME: should this be None to delete?
+             return ''
+         return link
+--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
+@@ -1,3 +1,4 @@
+>>> import re
+ >>> from lxml.html import fromstring, tostring
+ >>> from lxml.html.clean import clean, clean_html, Cleaner
+ >>> from lxml.html import usedoctest
+@@ -17,6 +18,7 @@
+ ...   <body onload="evil_function()">
+ ...     <!-- I am interpreted for EVIL! -->
+ ...     <a href="javascript:evil_function()">a link</a>
+...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
+ ...     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ ...     <a href="#" onclick="evil_function()">another link</a>
+ ...     <p onclick="evil_function()">a paragraph</p>
+@@ -33,7 +35,7 @@
+ ...   </body>
+ ... </html>'''
+ 
+->>> print(doc)
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
+ <html>
+   <head>
+     <script type="text/javascript" src="evil-site"></script>
+@@ -49,6 +51,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -81,6 +84,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip%20t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -104,6 +108,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -123,6 +128,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -146,6 +152,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
+    <a href="">a control char link</a> 
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
index 5ab7b4a79..1fa288995 100644
--- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
+++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -8,9 +8,11 @@ SRCNAME = "lxml"
 DEPENDS = "libxml2 libxslt"
-SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml"
+SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
-SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4"
+                file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
-SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101"
+SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
+SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
 S = "${WORKDIR}/${SRCNAME}-${PV}"
author	Joe Slater <jslater@windriver.com>	2015-01-19 13:07:08 -0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-01-28 09:51:42 +0100
commit	c79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree	3f33af8d9ed7de00061c8fe63e06e1bf423dfc10
parent	66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
download	meta-openembedded-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz

diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch new file mode 100644 index 000000000..0a8e211bd --- /dev/null +++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
		1	Upstream-status:Backport
		2
		3	--- a/src/lxml/html/clean.py
		4	+++ b/src/lxml/html/clean.py
		5	@@ -70,9 +70,10 @@ _css_import_re = re.compile(
		6
		7	# All kinds of schemes besides just javascript: that can cause
		8	# execution:
		9	-_javascript_scheme_re = re.compile(
		10	- r'\s*(?:javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):', re.I)
		11	-_substitute_whitespace = re.compile(r'\s+').sub
		12	+_is_javascript_scheme = re.compile(
		13	+ r'(?:javascript\|jscript\|livescript\|vbscript\|data\|about\|mocha):',
		14	+ re.I).search
		15	+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
		16	# FIXME: should data: be blocked?
		17
		18	# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
		19	@@ -467,7 +468,7 @@ class Cleaner(object):
		20	def _remove_javascript_link(self, link):
		21	# links like "j a v a s c r i p t:" might be interpreted in IE
		22	new = _substitute_whitespace('', link)
		23	- if _javascript_scheme_re.search(new):
		24	+ if _is_javascript_scheme(new):
		25	# FIXME: should this be None to delete?
		26	return ''
		27	return link
		28	--- a/src/lxml/html/tests/test_clean.txt
		29	+++ b/src/lxml/html/tests/test_clean.txt
		30	@@ -1,3 +1,4 @@
		31	+>>> import re
		32	>>> from lxml.html import fromstring, tostring
		33	>>> from lxml.html.clean import clean, clean_html, Cleaner
		34	>>> from lxml.html import usedoctest
		35	@@ -17,6 +18,7 @@
		36	... <body onload="evil_function()">
		37	... <!-- I am interpreted for EVIL! -->
		38	... <a href="javascript:evil_function()">a link</a>
		39	+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
		40	... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
		41	... <a href="#" onclick="evil_function()">another link</a>
		42	... <p onclick="evil_function()">a paragraph</p>
		43	@@ -33,7 +35,7 @@
		44	... </body>
		45	... </html>'''
		46
		47	->>> print(doc)
		48	+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
		49	<html>
		50	<head>
		51	<script type="text/javascript" src="evil-site"></script>
		52	@@ -49,6 +51,7 @@
		53	<body onload="evil_function()">
		54	<!-- I am interpreted for EVIL! -->
		55	<a href="javascript:evil_function()">a link</a>
		56	+ <a href="javascrip t:evil_function()">a control char link</a>
		57	<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
		58	<a href="#" onclick="evil_function()">another link</a>
		59	<p onclick="evil_function()">a paragraph</p>
		60	@@ -81,6 +84,7 @@
		61	<body onload="evil_function()">
		62	<!-- I am interpreted for EVIL! -->
		63	<a href="javascript:evil_function()">a link</a>
		64	+ <a href="javascrip%20t:evil_function()">a control char link</a>
		65	<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
		66	<a href="#" onclick="evil_function()">another link</a>
		67	<p onclick="evil_function()">a paragraph</p>
		68	@@ -104,6 +108,7 @@
		69	</head>
		70	<body>
		71	<a href="">a link</a>
		72	+ <a href="">a control char link</a>
		73	<a href="">data</a>
		74	<a href="#">another link</a>
		75	<p>a paragraph</p>
		76	@@ -123,6 +128,7 @@
		77	</head>
		78	<body>
		79	<a href="">a link</a>
		80	+ <a href="">a control char link</a>
		81	<a href="">data</a>
		82	<a href="#">another link</a>
		83	<p>a paragraph</p>
		84	@@ -146,6 +152,7 @@
		85	</head>
		86	<body>
		87	<a href="">a link</a>
		88	+ <a href="">a control char link</a>
		89	<a href="">data</a>
		90	<a href="#">another link</a>
		91	<p>a paragraph</p>


diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb index 5ab7b4a79..1fa288995 100644 --- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb +++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -8,9 +8,11 @@ SRCNAME = "lxml"
8		8
9	DEPENDS = "libxml2 libxslt"	9	DEPENDS = "libxml2 libxslt"
10		10
11	SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml"	11	SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
12	SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4"	12	file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
13	SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101"	13
		14	SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
		15	SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
14		16
15	S = "${WORKDIR}/${SRCNAME}-${PV}"	17	S = "${WORKDIR}/${SRCNAME}-${PV}"
16		18