python/python-xhtml2pdf
SHA256
14
0
Fork 0
forked from pool/python-xhtml2pdf
Code Pull Requests Activity

Accepting request 1231846 from home:mcalabkova:branches:devel:languages:python

Browse Source 
- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)

OBS-URL: https://build.opensuse.org/request/show/1231846
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-xhtml2pdf?expand=0&rev=25
This commit is contained in:
Nico Krapp
2024-12-18 13:43:21 +00:00
committed by Git OBS Bridge
parent 4337f7b6bb
commit c04385739b
3 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
CVE-2024-25885.patch Normal file
View File

@@ -0,0 +1,49 @@
From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
From: David Trupiano <davetrupiano@gmail.com>
Date: Tue, 22 Oct 2024 15:45:54 -0400
Subject: [PATCH] fix reDOS CVE in getColor function
---
xhtml2pdf/util.py | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
index ff4ac2a9..dafc1933 100644
--- a/xhtml2pdf/util.py
+++ b/xhtml2pdf/util.py
@@ -130,22 +130,31 @@ def getColor(value, default=None):
"""
Convert to color value.
This returns a Color object instance from a text bit.
+ Mitigation for ReDoS attack applied by limiting input length and validating input.
"""
if value is None:
return None
if isinstance(value, Color):
return value
value = str(value).strip().lower()
+
+ # Limit the length of the value to prevent excessive input causing ReDoS
+ if len(value) > 100: # Set a reasonable length limit to avoid extreme inputs
+ return default
+
if value in {"transparent", "none"}:
return default
if value in COLOR_BY_NAME:
return COLOR_BY_NAME[value]
if value.startswith("#") and len(value) == 4:
value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
- elif rgb_re.search(value):
- # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
- r, g, b = (int(x) for x in rgb_re.search(value).groups())
- value = f"#{r:02x}{g:02x}{b:02x}"
+ elif rgb_re.match(value):
+ # Use match instead of search to ensure proper regex usage and limit to valid patterns
+ try:
+ r, g, b = (int(x) for x in rgb_re.match(value).groups())
+ value = f"#{r:02x}{g:02x}{b:02x}"
+ except ValueError:
+ pass
else:
# Shrug
pass

5
python-xhtml2pdf.changes
View File

@@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová <mmachova@suse.com>
- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com> Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

2
python-xhtml2pdf.spec
View File

@@ -23,6 +23,8 @@ Summary: PDF Generator Using HTML and CSS
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/xhtml2pdf/xhtml2pdf URL: https://github.com/xhtml2pdf/xhtml2pdf
Source: https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz Source: https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
Patch0: CVE-2024-25885.patch
BuildRequires: %{python_module base >= 3.8} BuildRequires: %{python_module base >= 3.8}
BuildRequires: %{python_module pip} BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}