Accepting request 884898 from home:AndreasStieger:branches:devel:languages:python

python-bleach 3.3.0 CVE-2021-23980 boo#1184547 OBS-URL: https://build.opensuse.org/request/show/884898 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=41
2021-04-13 10:30:56 +00:00 · 2021-04-13 10:30:56 +00:00 · 19b3ff6175
commit 19b3ff6175
parent efa22fed01
5 changed files with 94 additions and 38 deletions
--- a/bleach-3.1.5.tar.gz
+++ b/bleach-3.1.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3c4c520fdb9db59ef139915a5db79f8b51bc2a7257ea0389f30c846883430a4b
-size 177972
--- a/bleach-3.3.0.tar.gz
+++ b/bleach-3.3.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98b3170739e5e83dd9dc19633f074727ad848cbedb6026708c8ac2d3b697a433
+size 181274
--- a/de-vendor.patch
+++ b/de-vendor.patch
@ -1,48 +1,87 @@
--- bleach/html5lib_shim.py
+Index: bleach/html5lib_shim.py
+===================================================================
+--- bleach/html5lib_shim.py.orig
 +++ bleach/html5lib_shim.py
-@@ -11,23 +11,23 @@
+@@ -18,44 +18,44 @@ warnings.filterwarnings(
+     "ignore",
+     message="html5lib's sanitizer is deprecated",
+     category=DeprecationWarning,
+-    module="bleach._vendor.html5lib",
+    module="html5lib",
+ )
 
- import six
- 
-from bleach._vendor.html5lib import (
-+from html5lib import (
+-from bleach._vendor.html5lib import (  # noqa: E402 module level import not at top of file
+from html5lib import (  # noqa: E402 module level import not at top of file
     HTMLParser,
     getTreeWalker,
 )
-from bleach._vendor.html5lib import constants
-from bleach._vendor.html5lib.constants import (
-+from html5lib import constants
-+from html5lib.constants import (
+-from bleach._vendor.html5lib import (
+from html5lib import (
+     constants,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.constants import (  # noqa: E402 module level import not at top of file
+from html5lib.constants import (  # noqa: E402 module level import not at top of file
     namespaces,
     prefixes,
 )
-from bleach._vendor.html5lib.constants import _ReparseException as ReparseException
-from bleach._vendor.html5lib.filters.base import Filter
-from bleach._vendor.html5lib.filters.sanitizer import allowed_protocols
-from bleach._vendor.html5lib.filters.sanitizer import Filter as SanitizerFilter
-from bleach._vendor.html5lib._inputstream import HTMLInputStream
-from bleach._vendor.html5lib.serializer import HTMLSerializer
-from bleach._vendor.html5lib._tokenizer import HTMLTokenizer
-from bleach._vendor.html5lib._trie import Trie
-+from html5lib.constants import _ReparseException as ReparseException
-+from html5lib.filters.base import Filter
-+from html5lib.filters.sanitizer import allowed_protocols
-+from html5lib.filters.sanitizer import Filter as SanitizerFilter
-+from html5lib._inputstream import HTMLInputStream
-+from html5lib.serializer import HTMLSerializer
-+from html5lib._tokenizer import HTMLTokenizer
-+from html5lib._trie import Trie
+-from bleach._vendor.html5lib.constants import (
+from html5lib.constants import (
+     _ReparseException as ReparseException,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.base import (
+from html5lib.filters.base import (
+     Filter,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.sanitizer import (
+from html5lib.filters.sanitizer import (
+     allowed_protocols,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.sanitizer import (
+from html5lib.filters.sanitizer import (
+     Filter as SanitizerFilter,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._inputstream import (
+from html5lib._inputstream import (
+     HTMLInputStream,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.serializer import (
+from html5lib.serializer import (
+     escape,
+     HTMLSerializer,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._tokenizer import (
+from html5lib._tokenizer import (
+     attributeMap,
+     HTMLTokenizer,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._trie import (
+from html5lib._trie import (
+     Trie,
+ )  # noqa: E402 module level import not at top of file
 
- 
- #: Map of entity name to expanded entity
--- tests/test_clean.py
+Index: tests/test_clean.py
+===================================================================
+--- tests/test_clean.py.orig
 +++ tests/test_clean.py
-@@ -7,7 +7,7 @@
+@@ -7,7 +7,7 @@ import pytest
 from bleach import clean
 from bleach.html5lib_shim import Filter
 from bleach.sanitizer import Cleaner
 -from bleach._vendor.html5lib.constants import rcdataElements
 +from html5lib.constants import rcdataElements
 
+ 
 def test_clean_idempotent():
-     """Make sure that applying the filter twice doesn't change anything."""
+Index: bleach/sanitizer.py
+===================================================================
+--- bleach/sanitizer.py.orig
+++ bleach/sanitizer.py
+@@ -283,7 +283,7 @@ class BleachSanitizerFilter(html5lib_shi
+             "ignore",
+             message="html5lib's sanitizer is deprecated",
+             category=DeprecationWarning,
+-            module="bleach._vendor.html5lib",
+            module="html5lib",
+         )
+         return super(BleachSanitizerFilter, self).__init__(source, **kwargs)
+ 
--- a/python-bleach.changes
+++ b/python-bleach.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Apr 13 09:20:21 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 3.3.0:
+  * Backwards incompatible change: clean escapes HTML comments
+    even when strip_comments=False
+  * Fix CVE-2021-23980: mutation XSS on bleach.clean with specific
+    combinations of allowed tags (boo#1184547)
+- includes changes from 3.2.3:
+  * fix clean and linkify raising ValueErrors for certain inputs
+- includes changes from 3.2.2:
+  * fix linkify raising an IndexError on certain inputs
+- includes changes from 3.2.1:
+  * change linkifier to add rel="nofollow" as documented
+- includes changes from 3.2.0:
+  * html5lib dependency increased to 1.1.0
+
 -------------------------------------------------------------------
 Mon Aug 31 09:15:22 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-bleach.spec
+++ b/python-bleach.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-bleach
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2015 LISA GmbH, Bingen, Germany.
 #
 # All modifications and additions to the file contributed by third parties
@ -19,21 +19,21 @@

 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-bleach
-Version:        3.1.5
+Version:        3.3.0
 Release:        0
 Summary:        A whitelist-based HTML-sanitizing tool
 License:        Apache-2.0
 URL:            https://github.com/jsocol/bleach
 Source:         https://files.pythonhosted.org/packages/source/b/bleach/bleach-%{version}.tar.gz
 Patch0:         de-vendor.patch
-BuildRequires:  %{python_module html5lib >= 1.0.0}
+BuildRequires:  %{python_module html5lib >= 1.1}
 BuildRequires:  %{python_module packaging}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module six >= 1.9}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
-Requires:       python-html5lib >= 1.0.0
+Requires:       python-html5lib >= 1.1
 Requires:       python-packaging
 Requires:       python-six >= 1.9
 BuildArch:      noarch