[oe-commits] Joe Slater : python-lxml: move to version 3.2.5

Wed Jan 28 08:56:32 UTC 2015


Module: meta-openembedded.git
Branch: master
Commit: c79de61fed4cda88f1977b53418623a61b0ec14e
URL:    http://git.openembedded.org/?p=meta-openembedded.git&a=commit;h=c79de61fed4cda88f1977b53418623a61b0ec14e

Author: Joe Slater <jslater at windriver.com>
Date:   Mon Jan 19 13:07:08 2015 -0800

python-lxml: move to version 3.2.5

Remove version 3.0.2.

Signed-off-by: Joe Slater <jslater at windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>

---

 .../python-lxml-3.2.5-fix-CVE-2014-3146.patch      | 91 ++++++++++++++++++++++
 .../{python-lxml_3.0.2.bb => python-lxml_3.2.5.bb} |  8 +-
 2 files changed, 96 insertions(+), 3 deletions(-)

diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 0000000..0a8e211
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
+Upstream-status:Backport
+
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -70,9 +70,10 @@ _css_import_re = re.compile(
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+-_javascript_scheme_re = re.compile(
+-    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
+-_substitute_whitespace = re.compile(r'\s+').sub
++_is_javascript_scheme = re.compile(
++    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
++    re.I).search
++_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
+ # FIXME: should data: be blocked?
+ 
+ # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
+@@ -467,7 +468,7 @@ class Cleaner(object):
+     def _remove_javascript_link(self, link):
+         # links like "j a v a s c r i p t:" might be interpreted in IE
+         new = _substitute_whitespace('', link)
+-        if _javascript_scheme_re.search(new):
++        if _is_javascript_scheme(new):
+             # FIXME: should this be None to delete?
+             return ''
+         return link
+--- a/src/lxml/html/tests/test_clean.txt
++++ b/src/lxml/html/tests/test_clean.txt
+@@ -1,3 +1,4 @@
++>>> import re
+ >>> from lxml.html import fromstring, tostring
+ >>> from lxml.html.clean import clean, clean_html, Cleaner
+ >>> from lxml.html import usedoctest
+@@ -17,6 +18,7 @@
+ ...   <body onload="evil_function()">
+ ...     <!-- I am interpreted for EVIL! -->
+ ...     <a href="javascript:evil_function()">a link</a>
++...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
+ ...     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ ...     <a href="#" onclick="evil_function()">another link</a>
+ ...     <p onclick="evil_function()">a paragraph</p>
+@@ -33,7 +35,7 @@
+ ...   </body>
+ ... </html>'''
+ 
+->>> print(doc)
++>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
+ <html>
+   <head>
+     <script type="text/javascript" src="evil-site"></script>
+@@ -49,6 +51,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
++    <a href="javascrip t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -81,6 +84,7 @@
+   <body onload="evil_function()">
+     <!-- I am interpreted for EVIL! -->
+     <a href="javascript:evil_function()">a link</a>
++    <a href="javascrip%20t:evil_function()">a control char link</a>
+     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+     <a href="#" onclick="evil_function()">another link</a>
+     <p onclick="evil_function()">a paragraph</p>
+@@ -104,6 +108,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
++    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -123,6 +128,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
++    <a href="">a control char link</a>
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
+@@ -146,6 +152,7 @@
+   </head>
+   <body>
+     <a href="">a link</a>
++    <a href="">a control char link</a> 
+     <a href="">data</a>
+     <a href="#">another link</a>
+     <p>a paragraph</p>
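Review bot: The header of the added patch file reads `Upstream-status:Backport`, which is not the `Upstream-Status: Backport` spelling the OpenEmbedded patch-status conventions expect, and it names neither the upstream lxml commit or release the fix was taken from nor the CVE it addresses, which currently appears only in the file name. A header block of `Upstream-Status: Backport`, a line citing the upstream commit or release it was backported from (a placeholder such as `<upstream-commit-id>` until it is looked up), `CVE: CVE-2014-3146` and a `Signed-off-by:` would let patch review and CVE-matching tooling associate the fix with the recipe, and would give a reviewer something to verify the regex change in `_substitute_whitespace` and `_is_javascript_scheme` against. Separately, the last added doctest line `<a href="">a control char link</a> ` carries a trailing space that the other expected-output lines lack; if the doctest options set by `usedoctest` do not normalize whitespace, that line may fail to match.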
diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
similarity index 82%
rename from meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
rename to meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
index 5ab7b4a..1fa2889 100644
--- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
+++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -8,9 +8,11 @@ SRCNAME = "lxml"
 
 DEPENDS = "libxml2 libxslt"
 
-SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml"
-SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4"
-SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101"
+SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
+		file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
+
+SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
+SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
 
 S = "${WORKDIR}/${SRCNAME}-${PV}"
 


