-rw-r--r-- | community/py3-lxml/APKBUILD | 6 | ||||
-rw-r--r-- | community/py3-lxml/CVE-2021-28957.patch | 52 |
2 files changed, 56 insertions, 2 deletions
diff --git a/community/py3-lxml/APKBUILD b/community/py3-lxml/APKBUILD
index 8fa60f5feaf..a4d93ffff63 100644
--- a/community/py3-lxml/APKBUILD
+++ b/community/py3-lxml/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=py3-lxml
 _pkgname=lxml
-pkgver=4.6.2
+pkgver=4.6.3
 pkgrel=0
 pkgdesc="Python3 LXML Library"
 url="https://lxml.de/"
@@ -14,6 +14,8 @@ source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname
 builddir="$srcdir/$_pkgname-$pkgver"
 
 # secfixes:
+# 4.6.3-r0:
+# - CVE-2021-28957
 # 4.6.2-r0:
 # - CVE-2020-27783
 
@@ -29,4 +31,4 @@ package() {
 python3 setup.py install --prefix=/usr --root="$pkgdir"
 }
 
-sha512sums="0a99e3f3c95c409d3f336aa6fb7f21527cf75d00ef8b55731d8ae8ba1b90792812b4551cd0751e5296b0007dc6d448fe63990a487993229e26477f087e52e29d lxml-4.6.2.tar.gz"
+sha512sums="57489c42257afd00376886d6873c97088778afa8009fa644e2660722d134f346030218c24be6329ee828f73f5164cdd1dad583c17addbdf3e0c84e4d8ab9e176 lxml-4.6.3.tar.gz"
diff --git a/community/py3-lxml/CVE-2021-28957.patch b/community/py3-lxml/CVE-2021-28957.patch
new file mode 100644
index 00000000000..de583e45171
--- /dev/null
+++ b/community/py3-lxml/CVE-2021-28957.patch
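Review bot: The new side of the sha512sums hunk checksums only lxml-4.6.3.tar.gz, yet this same commit adds community/py3-lxml/CVE-2021-28957.patch; abuild applies only patches listed in source= and requires a checksum for every source entry, so the file as committed is never applied to the build. Upstream lxml 4.6.3 appears to already contain this fix (the patch header is upstream commit 2d01a1ba, dated the day 4.6.3 shipped), in which case the version bump alone resolves the CVE and the patch file should be deleted rather than left as a misleading orphan next to the secfixes entry. If a backport were genuinely needed, the wiring would be `source="... CVE-2021-28957.patch"` plus its own sha512sums line, both regenerated with `abuild checksum`. Either way the secfixes comment added in the second hunk is correct as written.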
@@ -0,0 +1,52 @@
+From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
+From: Kevin Chung <kchung@nyu.edu>
+Date: Sun, 21 Mar 2021 10:03:09 -0400
+Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
+ (GH-316)
+
+Resolves https://bugs.launchpad.net/lxml/+bug/1888153
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
+---
+ src/lxml/html/defs.py | 2 ++
+ src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
+index 1b3a75b36..2058ea330 100644
+--- a/src/lxml/html/defs.py
++++ b/src/lxml/html/defs.py
+@@ -23,6 +23,8 @@
+ 'usemap',
+ # Not standard:
+ 'dynsrc', 'lowsrc',
++ # HTML5 formaction
++ 'formaction'
+ ])
+
+ # Not in the HTML 4 spec:
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 0e669f98d..45c2e83ab 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
+ b'<math><style>/* deleted */</style></math>',
+ lxml.html.tostring(clean_html(s)))
+
++ def test_formaction_attribute_in_button_input(self):
++ # The formaction attribute overrides the form's action and should be
++ # treated as a malicious link attribute
++ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
++ '<button form="test" formaction="javascript:alert(1)">X</button>')
++ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
++ '<button form="test" formaction="">X</button></div>')
++ cleaner = Cleaner(
++ forms=False,
++ safe_attrs_only=False,
++ )
++ self.assertEqual(
++ expected,
++ cleaner.clean_html(html))
++
+
+ def test_suite():
+ suite = unittest.TestSuite() |
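Review bot: In the defs.py hunk the new entry `'formaction'` closes the `link_attrs` set literal without a trailing comma, so the next attribute appended here will cost a two-line diff; write it `'formaction',` like the entries above it. The accompanying test only drives the bypass with `safe_attrs_only=False`, which suggests the default attribute allow-list already dropped `formaction` and that only deployments which disabled it (or widened `safe_attrs`) were exposed — a one-line addition to the test's comment, `# only reachable with safe_attrs_only=False; the default allow-list never passes formaction through`, would record that for anyone triaging exposure from this CVE. Note too that the expected output keeps the attribute and blanks its value (`formaction=""`) rather than removing it, which is the existing link-attribute behaviour the fix opts into. Both patched units, the `link_attrs` set and the test class, begin outside this hunk.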