pool/python-weasyprint
SHA256
17
0
Fork 3
Code Issues Pull Requests 1 Activity

Compare commits

merge into: pool:leap-16.1
Branches Tags
pool:factory pool:leap-16.0 pool:leap-16.1 dgarcia:CVE-2025-68616 dgarcia:factory dgarcia:leap-16.0 dgarcia:leap-16.1
...
pull from: dgarcia:CVE-2025-68616
Branches Tags
dgarcia:CVE-2025-68616 dgarcia:factory dgarcia:leap-16.0 dgarcia:leap-16.1 pool:factory pool:leap-16.0 pool:leap-16.1

1 Commits

Author SHA256 Message Date
Daniel Garcia Moreno
6a88841ded Add CVE-2025-68616.patch to fix (SSRF) 
Add CVE-2025-68616.patch to fix server-side request forgery (SSRF)
vulnerability in default fetcher.

(bsc#1256936, CVE-2025-68616)
 2026-01-20 10:14:54 +01:00
3 changed files with 95 additions and 0 deletions
Expand all files Collapse all files

86
CVE-2025-68616.patch Normal file
View File

@@ -0,0 +1,86 @@
From 64ffeea2c2dca4377b7ec4e9e3cf5dfe1a9b6c0a Mon Sep 17 00:00:00 2001
From: Guillaume Ayoub <guillaume@courtbouillon.org>
Date: Wed, 31 Dec 2025 19:09:20 +0100
Subject: [PATCH 1/2] =?UTF-8?q?Don=E2=80=99t=20allow=20redirects=20with=20?=
=?UTF-8?q?deprecated=20default=5Furl=5Ffetcher=20function?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a security fix.
When calling default_url_fetcher in a custom URL fetcher, redirects are handled by
Python and dont go though the custom URL fetcher, allowing attackers to make WeasyPrint
reach URLs forbidden by the custom URL fetcher.
See CVE-2025-68616.
---
weasyprint/urls.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
Index: weasyprint-65.1/weasyprint/urls.py
===================================================================
--- weasyprint-65.1.orig/weasyprint/urls.py
+++ weasyprint-65.1/weasyprint/urls.py
@@ -10,7 +10,8 @@ import zlib
from gzip import GzipFile
from pathlib import Path
from urllib.parse import quote, unquote, urljoin, urlsplit
-from urllib.request import Request, pathname2url, urlopen
+from urllib.request import Request, pathname2url, build_opener
+from urllib import request
from . import __version__
from .logger import LOGGER
@@ -177,7 +178,8 @@ def ensure_url(string):
return string if url_is_absolute(string) else path2url(string)
-def default_url_fetcher(url, timeout=10, ssl_context=None):
+def default_url_fetcher(url, timeout=10, ssl_context=None,
+ allow_redirects=False):
"""Fetch an external resource such as an image or stylesheet.
Another callable with the same signature can be given as the
@@ -190,6 +192,8 @@ def default_url_fetcher(url, timeout=10,
The number of seconds before HTTP requests are dropped.
:param ssl.SSLContext ssl_context:
An SSL context used for HTTP requests.
+ :param bool allow_redirects:
+ Whether HTTP redirects must be followed.
:raises: An exception indicating failure, e.g. :obj:`ValueError` on
syntactically invalid URL.
:returns: A :obj:`dict` with the following keys:
@@ -214,15 +218,29 @@ def default_url_fetcher(url, timeout=10,
has to be closed manually.
"""
+
if UNICODE_SCHEME_RE.match(url):
# See https://bugs.python.org/issue34702
if url.startswith('file://'):
url = url.split('?')[0]
url = iri_to_uri(url)
- response = urlopen(
- Request(url, headers=HTTP_HEADERS), timeout=timeout,
- context=ssl_context)
+
+ # Default opener, redirects won't be followed
+ handlers = [
+ request.ProxyHandler(), request.UnknownHandler(), request.HTTPHandler(),
+ request.HTTPDefaultErrorHandler(), request.FTPHandler(),
+ request.FileHandler(), request.HTTPErrorProcessor(), request.DataHandler(),
+ request.HTTPSHandler(context=ssl_context)]
+ if allow_redirects:
+ handlers.append(request.HTTPRedirectHandler())
+
+ opener = request.OpenerDirector()
+ for handler in handlers:
+ opener.add_handler(handler)
+
+ response = opener.open(
+ Request(url, headers=HTTP_HEADERS), timeout=timeout)
response_info = response.info()
result = {
'redirected_url': response.geturl(),

7
python-weasyprint.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jan 20 09:07:47 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2025-68616.patch to fix server-side request forgery (SSRF)
vulnerability in default fetcher.
(bsc#1256936, CVE-2025-68616, gh#Kozea/WeasyPrint@b6a14f0f3f4c)
-------------------------------------------------------------------
Tue May 20 12:11:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

2
python-weasyprint.spec
View File

@@ -36,6 +36,8 @@ License: BSD-3-Clause
URL: https://github.com/Kozea/WeasyPrint
Source: https://files.pythonhosted.org/packages/source/w/weasyprint/weasyprint-%{version}.tar.gz
Source100: python-weasyprint-rpmlintrc
# PATCH-FIX-UPSTREAM CVE-2025-68616.patch Backported from gh#Kozea/WeasyPrint@b6a14f0f3f4c
Patch0: CVE-2025-68616.patch
BuildRequires: %{python_module base >= 3.9}
BuildRequires: %{python_module flit-core}
BuildRequires: %{python_module pip}