aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe Slater <jslater@windriver.com>2015-01-19 13:07:08 -0800
committerMartin Jansa <Martin.Jansa@gmail.com>2015-01-28 09:51:42 +0100
commitc79de61fed4cda88f1977b53418623a61b0ec14e (patch)
tree3f33af8d9ed7de00061c8fe63e06e1bf423dfc10
parent66a1ccc69dff76bc1cc0be983160eea38137a0de (diff)
downloadmeta-openembedded-contrib-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.gz
meta-openembedded-contrib-c79de61fed4cda88f1977b53418623a61b0ec14e.tar.bz2
meta-openembedded-contrib-c79de61fed4cda88f1977b53418623a61b0ec14e.zip
python-lxml: move to version 3.2.5
Remove version 3.0.2. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch91
-rw-r--r--meta-python/recipes-devtools/python/python-lxml_3.2.5.bb (renamed from meta-python/recipes-devtools/python/python-lxml_3.0.2.bb)8
2 files changed, 96 insertions, 3 deletions
diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 0000000000..0a8e211bd3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@
+Upstream-status:Backport
+
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -70,9 +70,10 @@ _css_import_re = re.compile(
+
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+-_javascript_scheme_re = re.compile(
+- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
+-_substitute_whitespace = re.compile(r'\s+').sub
++_is_javascript_scheme = re.compile(
++ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
++ re.I).search
++_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
+ # FIXME: should data: be blocked?
+
+ # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
+@@ -467,7 +468,7 @@ class Cleaner(object):
+ def _remove_javascript_link(self, link):
+ # links like "j a v a s c r i p t:" might be interpreted in IE
+ new = _substitute_whitespace('', link)
+- if _javascript_scheme_re.search(new):
++ if _is_javascript_scheme(new):
+ # FIXME: should this be None to delete?
+ return ''
+ return link
+--- a/src/lxml/html/tests/test_clean.txt
++++ b/src/lxml/html/tests/test_clean.txt
+@@ -1,3 +1,4 @@
++>>> import re
+ >>> from lxml.html import fromstring, tostring
+ >>> from lxml.html.clean import clean, clean_html, Cleaner
+ >>> from lxml.html import usedoctest
+@@ -17,6 +18,7 @@
+ ... <body onload="evil_function()">
+ ... <!-- I am interpreted for EVIL! -->
+ ... <a href="javascript:evil_function()">a link</a>
++... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
+ ... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ ... <a href="#" onclick="evil_function()">another link</a>
+ ... <p onclick="evil_function()">a paragraph</p>
+@@ -33,7 +35,7 @@
+ ... </body>
+ ... </html>'''
+
+->>> print(doc)
++>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
+ <html>
+ <head>
+ <script type="text/javascript" src="evil-site"></script>
+@@ -49,6 +51,7 @@
+ <body onload="evil_function()">
+ <!-- I am interpreted for EVIL! -->
+ <a href="javascript:evil_function()">a link</a>
++ <a href="javascrip t:evil_function()">a control char link</a>
+ <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ <a href="#" onclick="evil_function()">another link</a>
+ <p onclick="evil_function()">a paragraph</p>
+@@ -81,6 +84,7 @@
+ <body onload="evil_function()">
+ <!-- I am interpreted for EVIL! -->
+ <a href="javascript:evil_function()">a link</a>
++ <a href="javascrip%20t:evil_function()">a control char link</a>
+ <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
+ <a href="#" onclick="evil_function()">another link</a>
+ <p onclick="evil_function()">a paragraph</p>
+@@ -104,6 +108,7 @@
+ </head>
+ <body>
+ <a href="">a link</a>
++ <a href="">a control char link</a>
+ <a href="">data</a>
+ <a href="#">another link</a>
+ <p>a paragraph</p>
+@@ -123,6 +128,7 @@
+ </head>
+ <body>
+ <a href="">a link</a>
++ <a href="">a control char link</a>
+ <a href="">data</a>
+ <a href="#">another link</a>
+ <p>a paragraph</p>
+@@ -146,6 +152,7 @@
+ </head>
+ <body>
+ <a href="">a link</a>
++ <a href="">a control char link</a>
+ <a href="">data</a>
+ <a href="#">another link</a>
+ <p>a paragraph</p>
diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
index 5ab7b4a793..1fa2889958 100644
--- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
+++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -8,9 +8,11 @@ SRCNAME = "lxml"
DEPENDS = "libxml2 libxslt"
-SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml"
-SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4"
-SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101"
+SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
+ file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
+
+SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
+SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
S = "${WORKDIR}/${SRCNAME}-${PV}"