Compare commits
28 Commits
Author | SHA256 | Date | |
---|---|---|---|
b0c7ac8fca | |||
838885d736 | |||
5ccc462890 | |||
dca9e648b0 | |||
1093df3297 | |||
949ad2e45f | |||
66fe46cb27 | |||
b344a850ee | |||
527b3777e9 | |||
ac0a0301eb | |||
ec725c6833 | |||
f6a27f43a3 | |||
|
b87fcf42e1 | ||
2e3c98497c | |||
5cb5ba9011 | |||
|
fb6e196689 | ||
712403cbe5 | |||
|
a627ec0c95 | ||
16573ca095 | |||
|
7ae802b1ba | ||
c01d1e453e | |||
|
65791c3183 | ||
|
59cbd779dd | ||
|
368dbfd6e9 | ||
|
b25cbf802f | ||
|
4b00a687c2 | ||
|
08e7f329dd | ||
|
c330fdc0c6 |
@@ -1,49 +0,0 @@
|
|||||||
From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Trupiano <davetrupiano@gmail.com>
|
|
||||||
Date: Tue, 22 Oct 2024 15:45:54 -0400
|
|
||||||
Subject: [PATCH] fix reDOS CVE in getColor function
|
|
||||||
|
|
||||||
---
|
|
||||||
xhtml2pdf/util.py | 17 +++++++++++++----
|
|
||||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
|
|
||||||
index ff4ac2a9..dafc1933 100644
|
|
||||||
--- a/xhtml2pdf/util.py
|
|
||||||
+++ b/xhtml2pdf/util.py
|
|
||||||
@@ -130,22 +130,31 @@ def getColor(value, default=None):
|
|
||||||
"""
|
|
||||||
Convert to color value.
|
|
||||||
This returns a Color object instance from a text bit.
|
|
||||||
+ Mitigation for ReDoS attack applied by limiting input length and validating input.
|
|
||||||
"""
|
|
||||||
if value is None:
|
|
||||||
return None
|
|
||||||
if isinstance(value, Color):
|
|
||||||
return value
|
|
||||||
value = str(value).strip().lower()
|
|
||||||
+
|
|
||||||
+ # Limit the length of the value to prevent excessive input causing ReDoS
|
|
||||||
+ if len(value) > 100: # Set a reasonable length limit to avoid extreme inputs
|
|
||||||
+ return default
|
|
||||||
+
|
|
||||||
if value in {"transparent", "none"}:
|
|
||||||
return default
|
|
||||||
if value in COLOR_BY_NAME:
|
|
||||||
return COLOR_BY_NAME[value]
|
|
||||||
if value.startswith("#") and len(value) == 4:
|
|
||||||
value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
|
|
||||||
- elif rgb_re.search(value):
|
|
||||||
- # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
|
|
||||||
- r, g, b = (int(x) for x in rgb_re.search(value).groups())
|
|
||||||
- value = f"#{r:02x}{g:02x}{b:02x}"
|
|
||||||
+ elif rgb_re.match(value):
|
|
||||||
+ # Use match instead of search to ensure proper regex usage and limit to valid patterns
|
|
||||||
+ try:
|
|
||||||
+ r, g, b = (int(x) for x in rgb_re.match(value).groups())
|
|
||||||
+ value = f"#{r:02x}{g:02x}{b:02x}"
|
|
||||||
+ except ValueError:
|
|
||||||
+ pass
|
|
||||||
else:
|
|
||||||
# Shrug
|
|
||||||
pass
|
|
@@ -1,3 +1,8 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 5 11:30:19 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||||
|
|
||||||
|
- python-pyhanko-cert-validator is included in python-pyHanko now
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Mar 10 15:21:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
Mon Mar 10 15:21:26 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||||
|
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package python-xhtml2pdf
|
# spec file for package python-xhtml2pdf
|
||||||
#
|
#
|
||||||
# Copyright (c) 2025 SUSE LLC
|
# Copyright (c) 2025 SUSE LLC and contributors
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@@ -32,8 +32,7 @@ BuildRequires: python-rpm-macros
|
|||||||
Requires: python-Pillow >= 8.1.1
|
Requires: python-Pillow >= 8.1.1
|
||||||
Requires: python-arabic-reshaper >= 3.0.0
|
Requires: python-arabic-reshaper >= 3.0.0
|
||||||
Requires: python-html5lib >= 1.1
|
Requires: python-html5lib >= 1.1
|
||||||
Requires: python-pyHanko >= 0.12.1
|
Requires: python-pyHanko >= 0.19.5
|
||||||
Requires: python-pyhanko-certvalidator >= 0.19.5
|
|
||||||
Requires: python-pypdf >= 3.1.0
|
Requires: python-pypdf >= 3.1.0
|
||||||
Requires: python-python-bidi >= 0.5.0
|
Requires: python-python-bidi >= 0.5.0
|
||||||
Requires: python-reportlab >= 4.0.4
|
Requires: python-reportlab >= 4.0.4
|
||||||
@@ -46,8 +45,7 @@ BuildArch: noarch
|
|||||||
BuildRequires: %{python_module Pillow >= 8.1.1}
|
BuildRequires: %{python_module Pillow >= 8.1.1}
|
||||||
BuildRequires: %{python_module arabic-reshaper >= 3.0.0}
|
BuildRequires: %{python_module arabic-reshaper >= 3.0.0}
|
||||||
BuildRequires: %{python_module html5lib >= 1.1}
|
BuildRequires: %{python_module html5lib >= 1.1}
|
||||||
BuildRequires: %{python_module pyHanko >= 0.12.1}
|
BuildRequires: %{python_module pyHanko >= 0.19.5}
|
||||||
BuildRequires: %{python_module pyhanko-certvalidator >= 0.19.5}
|
|
||||||
BuildRequires: %{python_module pypdf >= 3.1.0}
|
BuildRequires: %{python_module pypdf >= 3.1.0}
|
||||||
BuildRequires: %{python_module pytest}
|
BuildRequires: %{python_module pytest}
|
||||||
BuildRequires: %{python_module python-bidi >= 0.5.0}
|
BuildRequires: %{python_module python-bidi >= 0.5.0}
|
||||||
|
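Review bot: The new floor `Requires: python-pyHanko >= 0.19.5` in the `@@ -32,8 +32,7 @@` hunk (and the matching `BuildRequires: %{python_module pyHanko >= 0.19.5}` in the `@@ -46,8 +45,7 @@` hunk) looks like it reuses the version number from the dropped python-pyhanko-certvalidator lines rather than the pyHanko release that actually absorbed the validator; the changelog hunk only says the validator is "included in python-pyHanko now" without naming that release. If the two numbers differ, a host with a pyHanko between 0.19.5 and the bundling release satisfies the dependency but lacks the certificate-validation module at runtime, which is the component that checks signing chains. I would confirm the first pyHanko release whose package ships the merged validator and set both lines to it, e.g. `Requires: python-pyHanko >= <first-bundling-release>`. The spec's Version and Patch lines are outside these hunks, so whether the removed getColor ReDoS patch is superseded by the new upstream tarball cannot be checked from this section.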
@@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:c031b662d3f999e18f384e8d606be84a8a1e516d8380a87b3bd9fd2446a1e754
|
|
||||||
size 6960611
|
|
@@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ce0e2b711f5200f46caf2a67008700fb1de0a761f2ae92d30b21e158de05912e
|
|
||||||
size 6683074
|
|