Skip to content
Snippets Groups Projects
Commit a77b53cf authored by Francesco Colista's avatar Francesco Colista
Browse files

community/py3-lxml: securit upgrade to fix CVE-2021-28957

Fixes #12559
parent ce021588
No related branches found
No related tags found
1 merge request!202783.13 vala
......@@ -3,7 +3,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=py3-lxml
_pkgname=lxml
pkgver=4.6.2
pkgver=4.6.3
pkgrel=0
pkgdesc="Python3 LXML Library"
url="https://lxml.de/"
......@@ -14,6 +14,8 @@ source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes:
# 4.6.3-r0:
# - CVE-2021-28957
# 4.6.2-r0:
# - CVE-2020-27783
......@@ -29,4 +31,4 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
sha512sums="0a99e3f3c95c409d3f336aa6fb7f21527cf75d00ef8b55731d8ae8ba1b90792812b4551cd0751e5296b0007dc6d448fe63990a487993229e26477f087e52e29d lxml-4.6.2.tar.gz"
sha512sums="57489c42257afd00376886d6873c97088778afa8009fa644e2660722d134f346030218c24be6329ee828f73f5164cdd1dad583c17addbdf3e0c84e4d8ab9e176 lxml-4.6.3.tar.gz"
From 2d01a1ba8984e0483ce6619b972832377f208a0d Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@nyu.edu>
Date: Sun, 21 Mar 2021 10:03:09 -0400
Subject: [PATCH] Add HTML-5 "formaction" attribute to "defs.link_attrs"
(GH-316)
Resolves https://bugs.launchpad.net/lxml/+bug/1888153
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
---
src/lxml/html/defs.py | 2 ++
src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index 1b3a75b36..2058ea330 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -23,6 +23,8 @@
'usemap',
# Not standard:
'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
])
# Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f98d..45c2e83ab 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
b'<math><style>/* deleted */</style></math>',
lxml.html.tostring(clean_html(s)))
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
+ expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+ '<button form="test" formaction="">X</button></div>')
+ cleaner = Cleaner(
+ forms=False,
+ safe_attrs_only=False,
+ )
+ self.assertEqual(
+ expected,
+ cleaner.clean_html(html))
+
def test_suite():
suite = unittest.TestSuite()
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment