osc copypac from project:devel:languages:haskell:ghc-9.8.x package:ghc-pandoc revision:6, using keep-link

OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=29
2024-03-01 21:25:57 +00:00 · 2024-03-01 21:25:57 +00:00 · c0fe23c0df
commit c0fe23c0df
parent 5f7a0b72fa
2 changed files with 0 additions and 192 deletions
--- a/CVE-2023-35936.patch
+++ b/CVE-2023-35936.patch
@ -1,124 +0,0 @@
-From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001
-From: John MacFarlane <jgm@berkeley.edu>
-Date: Tue, 20 Jun 2023 13:50:13 -0700
-Subject: [PATCH] Fix a security vulnerability in MediaBag and
- T.P.Class.IO.writeMedia.
-
-This vulnerability, discovered by Entroy C, allows users to write
-arbitrary files to any location by feeding pandoc a specially crafted
-URL in an image element.  The vulnerability is serious for anyone
-using pandoc to process untrusted input.  The vulnerability does
-not affect pandoc when run with the `--sandbox` flag.
---
- src/Text/Pandoc/Class/IO.hs | 14 +++++++-------
- src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------
- 2 files changed, 23 insertions(+), 19 deletions(-)
-
-Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
-===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs	2001-09-09 01:46:40.000000000 +0000
-+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs	2023-07-14 18:39:12.169005026 +0000
-@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add
- import Network.HTTP.Client.TLS (mkManagerSettings)
- import Network.HTTP.Types.Header ( hContentType )
- import Network.Socket (withSocketsDo)
-import Network.URI (unEscapeString)
-+import Network.URI (URI(..), parseURI)
- import System.Directory (createDirectoryIfMissing)
- import System.Environment (getEnv)
- import System.FilePath ((</>), takeDirectory, normalise)
-@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da
- 
- openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
- openURL u
- | Just u'' <- T.stripPrefix "data:" u = do
-     let mime     = T.takeWhile (/=',') u''
-     let contents = UTF8.fromString $
-                     unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
-     return (decodeBase64Lenient contents, Just mime)
-+ | Just (URI{ uriScheme = "data:",
-+              uriPath = upath }) <- parseURI (T.unpack u) = do
-+     let (mime, rest) = break (== '.') upath
-+     let contents = UTF8.fromString $ drop 1 rest
-+     return (decodeBase64Lenient contents, Just (T.pack mime))
-  | otherwise = do
-      let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
-      customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
-@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m)
-            -> m ()
- writeMedia dir (fp, _mt, bs) = do
-   -- we normalize to get proper path separators for the platform
-  let fullpath = normalise $ dir </> unEscapeString fp
-+  let fullpath = normalise $ dir </> fp
-   liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
-   logIOError $ BL.writeFile fullpath bs
- 
-Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
-===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs	2001-09-09 01:46:40.000000000 +0000
-+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs	2023-07-14 18:39:12.170005139 +0000
-@@ -28,6 +28,7 @@ import Data.Data (Data)
- import qualified Data.Map as M
- import Data.Maybe (fromMaybe, isNothing)
- import Data.Typeable (Typeable)
-+import Network.URI (unEscapeString)
- import System.FilePath
- import qualified System.FilePath.Posix as Posix
- import qualified System.FilePath.Windows as Windows
-@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi
- import Data.Text (Text)
- import qualified Data.Text as T
- import Data.Digest.Pure.SHA (sha1, showDigest)
-import Network.URI (URI (..), parseURI)
-+import Network.URI (URI (..), parseURI, isURI)
- 
- data MediaItem =
-   MediaItem
-@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text
- instance Show MediaBag where
-   show bag = "MediaBag " ++ show (mediaDirectory bag)
- 
--- | We represent paths with /, in normalized form.
-+-- | We represent paths with /, in normalized form.  Percent-encoding
-+-- is resolved.
- canonicalize :: FilePath -> Text
-canonicalize = T.replace "\\" "/" . T.pack . normalise
-+canonicalize fp
-+  | isURI fp = T.pack fp
-+  | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
- 
- -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
- -- to the given path.
-@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag
-                              , mediaContents = contents
-                              , mediaMimeType = mt }
-         fp' = canonicalize fp
-+        fp'' = T.unpack fp'
-         uri = parseURI fp
-        newpath = if Posix.isRelative fp
-                       && Windows.isRelative fp
-+        newpath = if Posix.isRelative fp''
-+                       && Windows.isRelative fp''
-                        && isNothing uri
-                       && ".." `notElem` splitDirectories fp
-                     then T.unpack fp'
-+                       && not (".." `T.isInfixOf` fp')
-+                     then fp''
-                      else showDigest (sha1 contents) <> "." <> ext
-        fallback = case takeExtension fp of
-                        ".gz" -> getMimeTypeDef $ dropExtension fp
-                        _     -> getMimeTypeDef fp
-+        fallback = case takeExtension fp'' of
-+                        ".gz" -> getMimeTypeDef $ dropExtension fp''
-+                        _     -> getMimeTypeDef fp''
-         mt = fromMaybe fallback mbMime
-        path = maybe fp uriPath uri
-+        path = maybe fp'' (unEscapeString . uriPath) uri
-         ext = case takeExtension path of
-                 '.':e -> e
-                 _ -> maybe "" T.unpack $ extensionFromMimeType mt
- 
-
- -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
- lookupMedia :: FilePath
-             -> MediaBag
--- a/CVE-2023-38745.patch
+++ b/CVE-2023-38745.patch
@ -1,68 +0,0 @@
-From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001
-From: John MacFarlane <jgm@berkeley.edu>
-Date: Thu, 20 Jul 2023 09:26:38 -0700
-Subject: [PATCH] Fix new variant of the vulnerability in CVE-2023-35936.
-
-Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
-An attacker could get around it by double-encoding the malicious
-extension to create or override arbitrary files.
-
-    $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
-    $ .cabal/bin/pandoc b.md --extract-media=bar
-    <p><img
-    src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
-    $ cat b.lua
-    print "hello"
-    $ find bar
-    bar/
-    bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
-
-This commit adds a test case for this more complex attack and fixes
-the vulnerability.  (The fix is quite simple: if the URL-unescaped
-filename or extension contains a '%', we just use the sha1 hash of the
-contents as the canonical name, just as we do if the filename contains
-'..'.)
---
- src/Text/Pandoc/Class/IO.hs |  2 ++
- src/Text/Pandoc/MediaBag.hs |  7 ++++---
- test/Tests/MediaBag.hs      | 12 +++++++++++-
- 3 files changed, 17 insertions(+), 4 deletions(-)
-
-Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs
-===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs	2023-09-21 09:24:23.311539088 +0000
-+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs	2023-09-21 09:27:24.005959930 +0000
-@@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m)
-            -> m ()
- writeMedia dir (fp, _mt, bs) = do
-   -- we normalize to get proper path separators for the platform
-+  -- we unescape URI encoding, but given how insertMedia
-+  -- is written, we shouldn't have any % in a canonical media name...
-   let fullpath = normalise $ dir </> fp
-   liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
-   logIOError $ BL.writeFile fullpath bs
-Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs
-===================================================================
--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs	2023-09-21 09:24:23.311539088 +0000
-+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs	2023-09-21 09:27:24.006959920 +0000
-@@ -89,16 +89,17 @@ insertMedia fp mbMime contents (MediaBag
-                        && Windows.isRelative fp''
-                        && isNothing uri
-                        && not (".." `T.isInfixOf` fp')
-+                       && '%' `notElem` fp''
-                      then fp''
-                     else showDigest (sha1 contents) <> "." <> ext
-+                     else showDigest (sha1 contents) <> ext
-         fallback = case takeExtension fp'' of
-                         ".gz" -> getMimeTypeDef $ dropExtension fp''
-                         _     -> getMimeTypeDef fp''
-         mt = fromMaybe fallback mbMime
-         path = maybe fp'' (unEscapeString . uriPath) uri
-         ext = case takeExtension path of
-                '.':e -> e
-                _ -> maybe "" T.unpack $ extensionFromMimeType mt
-+                '.':e | '%' `notElem` e -> '.':e
-+                _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt
- 
- -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
- lookupMedia :: FilePath