authorFrancesco Colista <fcolista@alpinelinux.org>2021-03-29 14:37:17 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2021-03-29 14:37:17 +0000
commita77b53cf08aaca46a2f147c68007f38e2d697264 (patch)
tree31fa6b7a25b5a98cf9579f1ce34090ef82e207bd
parentce0215883bbd4e61ea8583b002d012785c239e93 (diff)
community/py3-lxml: security upgrade to fix CVE-2021-28957
Fixes #12559
-rw-r--r--community/py3-lxml/APKBUILD6
-rw-r--r--community/py3-lxml/CVE-2021-28957.patch52
2 files changed, 56 insertions, 2 deletions
diff --git a/community/py3-lxml/APKBUILD b/community/py3-lxml/APKBUILD
index 8fa60f5fea..a4d93ffff6 100644
--- a/community/py3-lxml/APKBUILD
+++ b/community/py3-lxml/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=py3-lxml
_pkgname=lxml
-pkgver=4.6.2
+pkgver=4.6.3
pkgrel=0
pkgdesc="Python3 LXML Library"
url="https://lxml.de/"
@@ -14,6 +14,8 @@ source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes:
+# 4.6.3-r0:
+# - CVE-2021-28957
# 4.6.2-r0:
# - CVE-2020-27783
@@ -29,4 +31,4 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="0a99e3f3c95c409d3f336aa6fb7f21527cf75d00ef8b55731d8ae8ba1b90792812b4551cd0751e5296b0007dc6d448fe63990a487993229e26477f087e52e29d lxml-4.6.2.tar.gz"
+sha512sums="57489c42257afd00376886d6873c97088778afa8009fa644e2660722d134f346030218c24be6329ee828f73f5164cdd1dad583c17addbdf3e0c84e4d8ab9e176 lxml-4.6.3.tar.gz"
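Review bot: The added community/py3-lxml/CVE-2021-28957.patch is not wired into the build: no hunk in this section adds it to `source=` (that line is only visible, unchanged, in the `@@ -14,6 +14,8 @@` hunk header), and the rewritten `+sha512sums=` line lists only `lxml-4.6.3.tar.gz`, so abuild will neither checksum nor apply the patch. Either add a `CVE-2021-28957.patch` entry to `source=` together with its sha512 in `sha512sums=`, or, if the 4.6.3 tarball already contains upstream commit 2d01a1ba as the secfixes entry `4.6.3-r0` implies, drop the patch file rather than committing an unused copy that later readers will assume is applied. The `@@ -14,6 +14,8 @@` hunk advertises 8 new lines but only 6 are rendered here, so the rendering appears to have dropped blank context lines; I am inferring, not seeing, that `source=` is untouched.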
diff --git a/community/py3-lxml/CVE-2021-28957.patch b/community/py3-lxml/CVE-2021-28957.patch
new file mode 100644
index 0000000000..de583e4517
--- /dev/null
+++ b/community/py3-lxml/CVE-2021-28957.patch
@@ -0,0 +1,52 @@
+From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
+From: Kevin Chung <kchung@nyu.edu>
+Date: Sun, 21 Mar 2021 10:03:09 -0400
+Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
+ (GH-316)
+
+Resolves https://bugs.launchpad.net/lxml/+bug/1888153
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
+---
+ src/lxml/html/defs.py | 2 ++
+ src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index 1b3a75b36..2058ea330 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -23,6 +23,8 @@
+ 'usemap',
+ # Not standard:
+ 'dynsrc', 'lowsrc',
++ # HTML5 formaction
++ 'formaction'
+ ])
+
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 0e669f98d..45c2e83ab 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
+ b'<math><style>/* deleted */</style></math>',
+ lxml.html.tostring(clean_html(s)))
+
++ def test_formaction_attribute_in_button_input(self):
++ # The formaction attribute overrides the form's action and should be
++ # treated as a malicious link attribute
++ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
++ '<button form="test" formaction="javascript:alert(1)">X</button>')
++ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
++ '<button form="test" formaction="">X</button></div>')
++ cleaner = Cleaner(
++ forms=False,
++ safe_attrs_only=False,
++ )
++ self.assertEqual(
++ expected,
++ cleaner.clean_html(html))
++
+
+ def test_suite():
+ suite = unittest.TestSuite()