
lxml for LTS



Hi,

this is my debdiff for CVE-2014-3146 in lxml.

I used the wheezy patch as a template. I am sure there are scripts or descriptions of how to test this somewhere. Are they available?

  Thorsten



diff -u lxml-2.2.8/debian/changelog lxml-2.2.8/debian/changelog
--- lxml-2.2.8/debian/changelog
+++ lxml-2.2.8/debian/changelog
@@ -1,3 +1,11 @@
+lxml (2.2.8-2+deb6u1) squeeze-lts; urgency=medium
+
+  * CVE-2014-3146
+    DSA-2941-1
+    clean_html input sanitization flaw (#746812)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 22 Jun 2014 17:00:00 +0200
+
 lxml (2.2.8-2) unstable; urgency=low

   * Add copyright and license information for test.py. Closes: #597547.
only in patch2:
unchanged:
--- lxml-2.2.8.orig/src/lxml/html/clean.py
+++ lxml-2.2.8/src/lxml/html/clean.py
@@ -79,9 +79,10 @@

 # All kinds of schemes besides just javascript: that can cause
 # execution:
-_javascript_scheme_re = re.compile(
-    r'\s*(?:javascript|jscript|livescript|vbscript|about|mocha):', re.I)
-_substitute_whitespace = re.compile(r'\s+').sub
+_is_javascript_scheme = re.compile(
+    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
+    re.I).search
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
 # FIXME: should data: be blocked?

 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
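Review bot: The scheme list in the new `_is_javascript_scheme` regex now includes `data`, but the `# FIXME: should data: be blocked?` comment two lines below is left in place and now contradicts the code it annotates. Replace it with a comment recording the decision, e.g. `# data: is blocked too: a data: URI can carry arbitrary, script-bearing content`. The new `_substitute_whitespace` pattern stops its control-character range at `\x19`, and nothing in the hunk records whether `\x1A`–`\x1F` were left out deliberately; a short comment stating the intended range (or a doctest pinning its edges) would make that boundary an explicit choice rather than something the next maintainer has to reverse-engineer.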
@@ -451,7 +452,7 @@
     def _remove_javascript_link(self, link):
         # links like "j a v a s c r i p t:" might be interpreted in IE
         new = _substitute_whitespace('', link)
-        if _javascript_scheme_re.search(new):
+        if _is_javascript_scheme(new):
             # FIXME: should this be None to delete?
             return ''
         return link
only in patch2:
unchanged:
--- lxml-2.2.8.orig/src/lxml/html/tests/test_clean.txt
+++ lxml-2.2.8/src/lxml/html/tests/test_clean.txt
@@ -1,3 +1,4 @@
+>>> import re
 >>> from lxml.html import fromstring, tostring
 >>> from lxml.html.clean import clean, clean_html, Cleaner
 >>> from lxml.html import usedoctest
@@ -14,6 +15,7 @@
 ...   <body onload="evil_function()">
 ...     <!-- I am interpreted for EVIL! -->
 ...     <a href="javascript:evil_function()">a link</a>
+...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
 ...     <a href="#" onclick="evil_function()">another link</a>
 ...     <p onclick="evil_function()">a paragraph</p>
 ...     <div style="display: none">secret EVIL!</div>
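Review bot: The added doctest link exercises only `\x01`–`\x07` and `\x0E`, whereas the stripping pattern this patch introduces in clean.py also covers `\x00`, `\x08`, `\x0B`, `\x0C` and `\x0F`–`\x19`, so the upper edge of that range is not pinned by any expected output in this file. A second link built from characters at the range boundaries (for instance `\x0B` and `\x19`) would document the intended coverage; the display `re.sub('[\x00-\x07\x0E]', '', doc)` in the later hunk would then need its character class widened to match. This hunk sits inside a multi-line doctest string whose start and end are outside it.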
@@ -27,7 +29,7 @@
 ...   </body>
 ... </html>'''

->>> print(doc)
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
 <html>
   <head>
     <script type="text/javascript" src="evil-site"></script>
@@ -40,6 +42,7 @@
   <body onload="evil_function()">
     <!-- I am interpreted for EVIL! -->
     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip t:evil_function()">a control char link</a>
     <a href="#" onclick="evil_function()">another link</a>
     <p onclick="evil_function()">a paragraph</p>
     <div style="display: none">secret EVIL!</div>
@@ -66,6 +69,7 @@
   <body onload="evil_function()">
     <!-- I am interpreted for EVIL! -->
     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip%20t:evil_function()">a control char link</a>
     <a href="#" onclick="evil_function()">another link</a>
     <p onclick="evil_function()">a paragraph</p>
     <div style="display: none">secret EVIL!</div>
@@ -86,6 +90,7 @@
   </head>
   <body>
     <a href="">a link</a>
+    <a href="">a control char link</a>
     <a href="#">another link</a>
     <p>a paragraph</p>
     <div style="display: none">secret EVIL!</div>
@@ -103,6 +108,8 @@
   </head>
   <body>
     <a href="">a link</a>
+    <a href="">a control char link</a>
+    <a href="">a control char link</a>
     <a href="#">another link</a>
     <p>a paragraph</p>
     <div>secret EVIL!</div>


