- update to 3.1.3 (bsc#1167379):

* Add relative link to code of conduct. (#442)
  * Drop deprecated 'setup.py test' support. (#507)
  * Fix typo: curren -> current in tests/test_clean.py (#504)
  * Test on PyPy 7
  * Drop test support for end of life Python 3.4
  * ``bleach.clean`` behavior parsing embedded MathML and SVG content
    with RCDATA tags did not match browser behavior and could result in
    a mutation XSS.
    Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
    ``svg`` tags and one or more of the RCDATA tags ``script``,
    ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
    ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
    XSS.
    This security issue was confirmed in Bleach version v3.1.1. Earlier
    versions are likely affected too.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=32
This commit is contained in:
Dirk Mueller 2020-03-23 10:22:56 +00:00 committed by Git OBS Bridge
parent 394b9b98a6
commit 2cc23971a9
5 changed files with 38 additions and 7 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aa8b870d0f46965bac2c073a93444636b0e1ca74e9777e34f03dd494b8a59d48
size 174885

3
bleach-3.1.3.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f8dfd8a7e26443e986c4e44df31870da8e906ea61096af06ba5d5cc2d519842a
size 176601

View File

@ -1,5 +1,5 @@
--- bleach-3.1.0/bleach/html5lib_shim.py.orig 2019-03-03 16:10:33.148796311 +0700
+++ bleach-3.1.0/bleach/html5lib_shim.py 2019-03-03 16:11:07.945088029 +0700
--- bleach/html5lib_shim.py
+++ bleach/html5lib_shim.py
@@ -11,23 +11,23 @@
import six
@ -35,3 +35,14 @@
#: Map of entity name to expanded entity
--- tests/test_clean.py
+++ tests/test_clean.py
@@ -7,7 +7,7 @@
from bleach import clean
from bleach.html5lib_shim import Filter
from bleach.sanitizer import Cleaner
-from bleach._vendor.html5lib.constants import rcdataElements
+from html5lib.constants import rcdataElements
def test_clean_idempotent():
"""Make sure that applying the filter twice doesn't change anything."""

View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- update to 3.1.3 (bsc#1167379):
* Add relative link to code of conduct. (#442)
* Drop deprecated 'setup.py test' support. (#507)
* Fix typo: curren -> current in tests/test_clean.py (#504)
* Test on PyPy 7
* Drop test support for end of life Python 3.4
* ``bleach.clean`` behavior parsing embedded MathML and SVG content
with RCDATA tags did not match browser behavior and could result in
a mutation XSS.
Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
``svg`` tags and one or more of the RCDATA tags ``script``,
``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
``xmp`` in the allowed tags whitelist were vulnerable to a mutation
XSS.
This security issue was confirmed in Bleach version v3.1.1. Earlier
versions are likely affected too.
-------------------------------------------------------------------
Fri Feb 28 16:13:43 UTC 2020 - Alexandros Toptsoglou <atoptsoglou@suse.com>

View File

@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-bleach
Version: 3.1.1
Version: 3.1.3
Release: 0
Summary: A whitelist-based HTML-sanitizing tool
License: Apache-2.0
@ -56,7 +56,7 @@ Documentation is at http://bleach.readthedocs.org/ .
%prep
%setup -q -n bleach-%{version}
%patch0 -p1
%patch0
rm -rf bleach/_vendor
%build