From 19b3ff61752db172de9378d8d301483045c3be504ce86844760b61ecfc4fe089 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Tue, 13 Apr 2021 10:30:56 +0000
Subject: [PATCH] Accepting request 884898 from home:AndreasStieger:branches:devel:languages:python

python-bleach 3.3.0 CVE-2021-23980 boo#1184547

OBS-URL: https://build.opensuse.org/request/show/884898
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=41
---
 bleach-3.1.5.tar.gz   |   3 --
 bleach-3.3.0.tar.gz   |   3 ++
 de-vendor.patch       | 101 +++++++++++++++++++++++++++++-------------
 python-bleach.changes |  17 +++++++
 python-bleach.spec    |   8 ++--
 5 files changed, 94 insertions(+), 38 deletions(-)
 delete mode 100644 bleach-3.1.5.tar.gz
 create mode 100644 bleach-3.3.0.tar.gz

diff --git a/bleach-3.1.5.tar.gz b/bleach-3.1.5.tar.gz
deleted file mode 100644
index f99e8a0..0000000
--- a/bleach-3.1.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3c4c520fdb9db59ef139915a5db79f8b51bc2a7257ea0389f30c846883430a4b
-size 177972
diff --git a/bleach-3.3.0.tar.gz b/bleach-3.3.0.tar.gz
new file mode 100644
index 0000000..ac24d56
--- /dev/null
+++ b/bleach-3.3.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98b3170739e5e83dd9dc19633f074727ad848cbedb6026708c8ac2d3b697a433
+size 181274
diff --git a/de-vendor.patch b/de-vendor.patch
index 30f8afb..ba3ee23 100644
--- a/de-vendor.patch
+++ b/de-vendor.patch
@@ -1,48 +1,87 @@ ---- bleach/html5lib_shim.py +Index: bleach/html5lib_shim.py +=================================================================== +--- bleach/html5lib_shim.py.orig +++ bleach/html5lib_shim.py -@@ -11,23 +11,23 @@ +@@ -18,44 +18,44 @@ warnings.filterwarnings( + "ignore", + message="html5lib's sanitizer is deprecated", + category=DeprecationWarning, +- module="bleach._vendor.html5lib", ++ module="html5lib", + ) - import six - --from bleach._vendor.html5lib import ( -+from html5lib import ( +-from bleach._vendor.html5lib import ( # noqa: E402 module level import not at top of file ++from html5lib import ( # noqa: E402 module level import not at top of file HTMLParser, getTreeWalker, ) --from bleach._vendor.html5lib import constants --from bleach._vendor.html5lib.constants import ( -+from html5lib import constants -+from html5lib.constants import ( +-from bleach._vendor.html5lib import ( ++from html5lib import ( + constants, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib.constants import ( # noqa: E402 module level import not at top of file ++from html5lib.constants import ( # noqa: E402 module level import not at top of file namespaces, prefixes, ) --from bleach._vendor.html5lib.constants import _ReparseException as ReparseException --from bleach._vendor.html5lib.filters.base import Filter --from bleach._vendor.html5lib.filters.sanitizer import allowed_protocols --from bleach._vendor.html5lib.filters.sanitizer import Filter as SanitizerFilter --from bleach._vendor.html5lib._inputstream import HTMLInputStream --from bleach._vendor.html5lib.serializer import HTMLSerializer --from bleach._vendor.html5lib._tokenizer import HTMLTokenizer --from bleach._vendor.html5lib._trie import Trie -+from html5lib.constants import _ReparseException as ReparseException -+from html5lib.filters.base import Filter -+from html5lib.filters.sanitizer import allowed_protocols -+from html5lib.filters.sanitizer import Filter as 
SanitizerFilter -+from html5lib._inputstream import HTMLInputStream -+from html5lib.serializer import HTMLSerializer -+from html5lib._tokenizer import HTMLTokenizer -+from html5lib._trie import Trie +-from bleach._vendor.html5lib.constants import ( ++from html5lib.constants import ( + _ReparseException as ReparseException, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib.filters.base import ( ++from html5lib.filters.base import ( + Filter, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib.filters.sanitizer import ( ++from html5lib.filters.sanitizer import ( + allowed_protocols, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib.filters.sanitizer import ( ++from html5lib.filters.sanitizer import ( + Filter as SanitizerFilter, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib._inputstream import ( ++from html5lib._inputstream import ( + HTMLInputStream, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib.serializer import ( ++from html5lib.serializer import ( + escape, + HTMLSerializer, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib._tokenizer import ( ++from html5lib._tokenizer import ( + attributeMap, + HTMLTokenizer, + ) # noqa: E402 module level import not at top of file +-from bleach._vendor.html5lib._trie import ( ++from html5lib._trie import ( + Trie, + ) # noqa: E402 module level import not at top of file - - #: Map of entity name to expanded entity ---- tests/test_clean.py +Index: tests/test_clean.py +=================================================================== +--- tests/test_clean.py.orig +++ tests/test_clean.py -@@ -7,7 +7,7 @@ +@@ -7,7 +7,7 @@ import pytest from bleach import clean from bleach.html5lib_shim import Filter from bleach.sanitizer import Cleaner -from bleach._vendor.html5lib.constants import rcdataElements +from 
html5lib.constants import rcdataElements + def test_clean_idempotent(): - """Make sure that applying the filter twice doesn't change anything.""" +Index: bleach/sanitizer.py +=================================================================== +--- bleach/sanitizer.py.orig ++++ bleach/sanitizer.py +@@ -283,7 +283,7 @@ class BleachSanitizerFilter(html5lib_shi + "ignore", + message="html5lib's sanitizer is deprecated", + category=DeprecationWarning, +- module="bleach._vendor.html5lib", ++ module="html5lib", + ) + return super(BleachSanitizerFilter, self).__init__(source, **kwargs) + diff --git a/python-bleach.changes b/python-bleach.changes index 3a3c589..097670f 100644 --- a/python-bleach.changes +++ b/python-bleach.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Tue Apr 13 09:20:21 UTC 2021 - Andreas Stieger + +- update to 3.3.0: + * Backwards incompatible change: clean escapes HTML comments + even when strip_comments=False + * Fix CVE-2021-23980: mutation XSS on bleach.clean with specific + combinations of allowed tags (boo#1184547) +- includes changes from 3.2.3: + * fix clean and linkify raising ValueErrors for certain inputs +- includes changes from 3.2.2: + * fix linkify raising an IndexError on certain inputs +- includes changes from 3.2.1: + * change linkifier to add rel="nofollow" as documented +- includes changes from 3.2.0: + * html5lib dependency increased to 1.1.0 + ------------------------------------------------------------------- Mon Aug 31 09:15:22 UTC 2020 - Tomáš Chvátal diff --git a/python-bleach.spec b/python-bleach.spec index 0fad204..332a198 100644 --- a/python-bleach.spec +++ b/python-bleach.spec @@ -1,7 +1,7 @@ # # spec file for package python-bleach # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # Copyright (c) 2015 LISA GmbH, Bingen, Germany. # # All modifications and additions to the file contributed by third parties 
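Review bot: The new html5lib_shim.py hunk imports `escape` from `html5lib.serializer` and `attributeMap` from `html5lib._tokenizer` (next to the existing `html5lib._inputstream` and `html5lib._trie` imports), i.e. underscore-prefixed html5lib internals, while python-bleach.spec only requires `html5lib >= 1.1` with no upper bound, so a later html5lib update could rename or drop those names and break bleach at import time rather than at build time. A header comment at the top of de-vendor.patch would make that coupling visible to the next updater, e.g. `# De-vendors bleach._vendor.html5lib in favour of the system html5lib; depends on private html5lib names (_tokenizer.attributeMap, _inputstream, _trie) - re-check on every html5lib update`. If upstream carries local patches against its vendored html5lib copy (not visible in this hunk), de-vendoring silently drops them, which is worth confirming against the 3.3.0 tarball given that this release exists to fix CVE-2021-23980. The `BuildRequires: %{python_module pytest}` line in the spec suggests the patched tests/test_clean.py runs in %check, which is the right place to catch such API drift.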
@@ -19,21 +19,21 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-bleach -Version: 3.1.5 +Version: 3.3.0 Release: 0 Summary: A whitelist-based HTML-sanitizing tool License: Apache-2.0 URL: https://github.com/jsocol/bleach Source: https://files.pythonhosted.org/packages/source/b/bleach/bleach-%{version}.tar.gz Patch0: de-vendor.patch -BuildRequires: %{python_module html5lib >= 1.0.0} +BuildRequires: %{python_module html5lib >= 1.1} BuildRequires: %{python_module packaging} BuildRequires: %{python_module pytest} BuildRequires: %{python_module setuptools} BuildRequires: %{python_module six >= 1.9} BuildRequires: fdupes BuildRequires: python-rpm-macros -Requires: python-html5lib >= 1.0.0 +Requires: python-html5lib >= 1.1 Requires: python-packaging Requires: python-six >= 1.9 BuildArch: noarch