summaryrefslogtreecommitdiffstats
path: root/meta-python/recipes-devtools/python
diff options
context:
space:
mode:
authorJoe Slater <jslater@windriver.com>2015-01-19 13:07:08 -0800
committerMartin Jansa <Martin.Jansa@gmail.com>2015-01-28 09:51:42 +0100
commitc79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree3f33af8d9ed7de00061c8fe63e06e1bf423dfc10 /meta-python/recipes-devtools/python
parent66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
downloadmeta-openembedded-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz
python-lxml: move to version 3.2.5
Remove version 3.0.2. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python')
-rw-r--r--meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch91
-rw-r--r--meta-python/recipes-devtools/python/python-lxml_3.2.5.bb (renamed from meta-python/recipes-devtools/python/python-lxml_3.0.2.bb)8
2 files changed, 96 insertions, 3 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 0000000000..0a8e211bd3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
1Upstream-status:Backport
2
3--- a/src/lxml/html/clean.py
4+++ b/src/lxml/html/clean.py
5@@ -70,9 +70,10 @@ _css_import_re = re.compile(
6
7 # All kinds of schemes besides just javascript: that can cause
8 # execution:
9-_javascript_scheme_re = re.compile(
10- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
11-_substitute_whitespace = re.compile(r'\s+').sub
12+_is_javascript_scheme = re.compile(
13+ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
14+ re.I).search
15+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
16 # FIXME: should data: be blocked?
17
18 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
19@@ -467,7 +468,7 @@ class Cleaner(object):
20 def _remove_javascript_link(self, link):
21 # links like "j a v a s c r i p t:" might be interpreted in IE
22 new = _substitute_whitespace('', link)
23- if _javascript_scheme_re.search(new):
24+ if _is_javascript_scheme(new):
25 # FIXME: should this be None to delete?
26 return ''
27 return link
28--- a/src/lxml/html/tests/test_clean.txt
29+++ b/src/lxml/html/tests/test_clean.txt
30@@ -1,3 +1,4 @@
31+>>> import re
32 >>> from lxml.html import fromstring, tostring
33 >>> from lxml.html.clean import clean, clean_html, Cleaner
34 >>> from lxml.html import usedoctest
35@@ -17,6 +18,7 @@
36 ... <body onload="evil_function()">
37 ... <!-- I am interpreted for EVIL! -->
38 ... <a href="javascript:evil_function()">a link</a>
39+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
40 ... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
41 ... <a href="#" onclick="evil_function()">another link</a>
42 ... <p onclick="evil_function()">a paragraph</p>
43@@ -33,7 +35,7 @@
44 ... </body>
45 ... </html>'''
46
47->>> print(doc)
48+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
49 <html>
50 <head>
51 <script type="text/javascript" src="evil-site"></script>
52@@ -49,6 +51,7 @@
53 <body onload="evil_function()">
54 <!-- I am interpreted for EVIL! -->
55 <a href="javascript:evil_function()">a link</a>
56+ <a href="javascrip t:evil_function()">a control char link</a>
57 <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
58 <a href="#" onclick="evil_function()">another link</a>
59 <p onclick="evil_function()">a paragraph</p>
60@@ -81,6 +84,7 @@
61 <body onload="evil_function()">
62 <!-- I am interpreted for EVIL! -->
63 <a href="javascript:evil_function()">a link</a>
64+ <a href="javascrip%20t:evil_function()">a control char link</a>
65 <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
66 <a href="#" onclick="evil_function()">another link</a>
67 <p onclick="evil_function()">a paragraph</p>
68@@ -104,6 +108,7 @@
69 </head>
70 <body>
71 <a href="">a link</a>
72+ <a href="">a control char link</a>
73 <a href="">data</a>
74 <a href="#">another link</a>
75 <p>a paragraph</p>
76@@ -123,6 +128,7 @@
77 </head>
78 <body>
79 <a href="">a link</a>
80+ <a href="">a control char link</a>
81 <a href="">data</a>
82 <a href="#">another link</a>
83 <p>a paragraph</p>
84@@ -146,6 +152,7 @@
85 </head>
86 <body>
87 <a href="">a link</a>
88+ <a href="">a control char link</a>
89 <a href="">data</a>
90 <a href="#">another link</a>
91 <p>a paragraph</p>
diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
index 5ab7b4a793..1fa2889958 100644
--- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
+++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -8,9 +8,11 @@ SRCNAME = "lxml"
8 8
9DEPENDS = "libxml2 libxslt" 9DEPENDS = "libxml2 libxslt"
10 10
11SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml" 11SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
12SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4" 12 file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
13SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101" 13
14SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
15SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
14 16
15S = "${WORKDIR}/${SRCNAME}-${PV}" 17S = "${WORKDIR}/${SRCNAME}-${PV}"
16 18
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-25 19:15:01 +0000