Bug #6538 » 0001-update-to-pylxml-3.5.0.patch
components/python/pylxml/Makefile | ||
---|---|---|
19 | 19 |
# CDDL HEADER END |
20 | 20 |
# |
21 | 21 |
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. |
22 |
# Copyright 2015, PALO Richard. |
|
22 | 23 |
# |
23 | 24 |
include ../../../make-rules/shared-macros.mk |
24 | 25 | |
25 | 26 |
COMPONENT_NAME= pylxml |
26 |
COMPONENT_VERSION= 2.3.3 |
|
27 |
COMPONENT_REVISION= 1 |
|
27 |
COMPONENT_VERSION= 3.5.0 |
|
28 | 28 |
COMPONENT_PROJECT_URL= http://lxml.de/ |
29 | 29 |
COMPONENT_SRC_NAME= lxml |
30 | 30 |
COMPONENT_SRC= $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION) |
31 | 31 |
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tgz |
32 | 32 |
COMPONENT_ARCHIVE_HASH= \ |
33 |
sha256:2a3ca34f63b062ee8e059ca2460ac18040ec9622f0a31e143383f0db944ceb36 |
|
33 |
sha256:349f93e3a4b09cc59418854ab8013d027d246757c51744bf20069bc89016f578 |
|
34 | ||
34 | 35 |
COMPONENT_ARCHIVE_URL= $(COMPONENT_PROJECT_URL)files/$(COMPONENT_ARCHIVE) |
35 | 36 |
COMPONENT_BUGDB= python-mod/lxml |
36 | 37 | |
... | ... | |
44 | 45 | |
45 | 46 |
ASLR_MODE = $(ASLR_NOT_APPLICABLE) |
46 | 47 | |
48 |
COMPONENT_TEST_ARGS= test |
|
49 |
COMPONENT_TEST_CMD= $(MAKE) |
|
50 |
COMPONENT_TEST_DIR= $(COMPONENT_SRC) |
|
51 |
COMPONENT_TEST_ENV+= PYTHON=$(PYTHON) |
|
52 | ||
47 | 53 |
# common targets |
48 | 54 |
build: $(BUILD_32_and_64) |
49 | 55 | |
50 | 56 |
install: $(INSTALL_32_and_64) |
51 | 57 | |
52 |
test: $(BUILD_32_and_64) |
|
53 |
cd $(SOURCE_DIR) && $(PYTHON) selftest.py |
|
54 |
cd $(SOURCE_DIR) && $(PYTHON) selftest2.py |
|
58 |
test: $(TEST_32_and_64) |
|
55 | 59 | |
56 | 60 |
BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS) |
57 | 61 |
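Review bot: The pinned `COMPONENT_ARCHIVE_HASH` is the only integrity check on this download, because `COMPONENT_ARCHIVE_URL` is built from `COMPONENT_PROJECT_URL= http://lxml.de/` and the tarball travels in clear text. The new sha256 should be confirmed against an independently obtained copy of the 3.5.0 archive, and the URL moved to `https://lxml.de/` if upstream serves the same path over TLS. The same change appears to drop patches/CVE-2014-3146.patch, so the commit message should state that 3.5.0 already carries that lxml.html.clean fix, ideally backed by the control-character link case from `test_clean.txt` passing under the new `test: $(TEST_32_and_64)` target. `COMPONENT_TEST_DIR= $(COMPONENT_SRC)` also points both the 32- and 64-bit test passes at the shared source tree; whether upstream's `make test` writes build output there is not visible here and is worth checking.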
components/python/pylxml/patches/CVE-2014-3146.patch | ||
---|---|---|
1 |
--- lxml-2.3.3/src/lxml/html/clean.py.~1~ 2012-01-04 21:27:53.000000000 +0400 |
|
2 |
+++ lxml-2.3.3/src/lxml/html/clean.py 2014-05-22 10:28:10.385151119 +0400 |
|
3 |
@@ -79,9 +79,10 @@ |
|
4 |
|
|
5 |
# All kinds of schemes besides just javascript: that can cause |
|
6 |
# execution: |
|
7 |
-_javascript_scheme_re = re.compile( |
|
8 |
- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I) |
|
9 |
-_substitute_whitespace = re.compile(r'\s+').sub |
|
10 |
+_is_javascript_scheme = re.compile( |
|
11 |
+ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', |
|
12 |
+ re.I).search |
|
13 |
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub |
|
14 |
# FIXME: should data: be blocked? |
|
15 |
|
|
16 |
# FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx |
|
17 |
@@ -459,7 +460,7 @@ |
|
18 |
def _remove_javascript_link(self, link): |
|
19 |
# links like "j a v a s c r i p t:" might be interpreted in IE |
|
20 |
new = _substitute_whitespace('', link) |
|
21 |
- if _javascript_scheme_re.search(new): |
|
22 |
+ if _is_javascript_scheme(new): |
|
23 |
# FIXME: should this be None to delete? |
|
24 |
return '' |
|
25 |
return link |
|
26 |
--- lxml-2.3.3/src/lxml/html/tests/test_clean.txt.~1~ 2012-01-04 21:27:53.000000000 +0400 |
|
27 |
+++ lxml-2.3.3/src/lxml/html/tests/test_clean.txt 2014-05-22 10:28:10.385786201 +0400 |
|
28 |
@@ -1,3 +1,4 @@ |
|
29 |
+>>> import re |
|
30 |
>>> from lxml.html import fromstring, tostring |
|
31 |
>>> from lxml.html.clean import clean, clean_html, Cleaner |
|
32 |
>>> from lxml.html import usedoctest |
|
33 |
@@ -15,6 +16,7 @@ |
|
34 |
... <body onload="evil_function()"> |
|
35 |
... <!-- I am interpreted for EVIL! --> |
|
36 |
... <a href="javascript:evil_function()">a link</a> |
|
37 |
+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a> |
|
38 |
... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> |
|
39 |
... <a href="#" onclick="evil_function()">another link</a> |
|
40 |
... <p onclick="evil_function()">a paragraph</p> |
|
41 |
@@ -29,7 +31,7 @@ |
|
42 |
... </body> |
|
43 |
... </html>''' |
|
44 |
|
|
45 |
->>> print(doc) |
|
46 |
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc)) |
|
47 |
<html> |
|
48 |
<head> |
|
49 |
<script type="text/javascript" src="evil-site"></script> |
|
50 |
@@ -43,6 +45,7 @@ |
|
51 |
<body onload="evil_function()"> |
|
52 |
<!-- I am interpreted for EVIL! --> |
|
53 |
<a href="javascript:evil_function()">a link</a> |
|
54 |
+ <a href="javascrip t:evil_function()">a control char link</a> |
|
55 |
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> |
|
56 |
<a href="#" onclick="evil_function()">another link</a> |
|
57 |
<p onclick="evil_function()">a paragraph</p> |
|
58 |
@@ -71,6 +74,7 @@ |
|
59 |
<body onload="evil_function()"> |
|
60 |
<!-- I am interpreted for EVIL! --> |
|
61 |
<a href="javascript:evil_function()">a link</a> |
|
62 |
+ <a href="javascrip%20t:evil_function()">a control char link</a> |
|
63 |
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> |
|
64 |
<a href="#" onclick="evil_function()">another link</a> |
|
65 |
<p onclick="evil_function()">a paragraph</p> |
|
66 |
@@ -92,6 +96,7 @@ |
|
67 |
</head> |
|
68 |
<body> |
|
69 |
<a href="">a link</a> |
|
70 |
+ <a href="">a control char link</a> |
|
71 |
<a href="">data</a> |
|
72 |
<a href="#">another link</a> |
|
73 |
<p>a paragraph</p> |
|
74 |
@@ -110,6 +115,7 @@ |
|
75 |
</head> |
|
76 |
<body> |
|
77 |
<a href="">a link</a> |
|
78 |
+ <a href="">a control char link</a> |
|
79 |
<a href="">data</a> |
|
80 |
<a href="#">another link</a> |
|
81 |
<p>a paragraph</p> |
|
82 |
--- lxml-2.3.3/src/lxml.egg-info/PKG-INFO.~1~ 2012-01-04 21:53:53.000000000 +0400 |
|
83 |
+++ lxml-2.3.3/src/lxml.egg-info/PKG-INFO 2014-05-22 10:28:10.386213657 +0400 |
|
84 |
@@ -1,4 +1,4 @@ |
|
85 |
-Metadata-Version: 1.0 |
|
86 |
+Metadata-Version: 1.1 |
|
87 |
Name: lxml |
|
88 |
Version: 2.3.3 |
|
89 |
Summary: Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API. |
components/python/pylxml/pylxml-26.p5m | ||
---|---|---|
19 | 19 |
# CDDL HEADER END |
20 | 20 |
# |
21 | 21 |
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. |
22 |
# Copyright 2015, PALO Richard. |
|
22 | 23 |
# |
23 | 24 | |
24 | 25 |
set name=pkg.fmri \ |
... | ... | |
41 | 42 |
file \ |
42 | 43 |
path=usr/lib/python2.6/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.6.egg-info/not-zip-safe |
43 | 44 |
file \ |
45 |
path=usr/lib/python2.6/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.6.egg-info/requires.txt |
|
46 |
file \ |
|
44 | 47 |
path=usr/lib/python2.6/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.6.egg-info/top_level.txt |
45 | 48 |
file path=usr/lib/python2.6/vendor-packages/lxml/64/etree.so |
46 | 49 |
file path=usr/lib/python2.6/vendor-packages/lxml/64/objectify.so |
... | ... | |
51 | 54 |
file path=usr/lib/python2.6/vendor-packages/lxml/cssselect.py |
52 | 55 |
file path=usr/lib/python2.6/vendor-packages/lxml/doctestcompare.py |
53 | 56 |
file path=usr/lib/python2.6/vendor-packages/lxml/etree.so |
54 |
file path=usr/lib/python2.6/vendor-packages/lxml/etree_defs.h |
|
55 |
file path=usr/lib/python2.6/vendor-packages/lxml/etreepublic.pxd |
|
56 | 57 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/ElementSoup.py |
57 | 58 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/__init__.py |
58 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/_dictmixin.py |
|
59 | 59 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/_diffcommand.py |
60 | 60 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/_html5builder.py |
61 | 61 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/_setmixin.py |
... | ... | |
67 | 67 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/html5parser.py |
68 | 68 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/soupparser.py |
69 | 69 |
file path=usr/lib/python2.6/vendor-packages/lxml/html/usedoctest.py |
70 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/__init__.py |
|
71 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/c14n.pxd |
|
72 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/config.pxd |
|
73 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/dtdvalid.pxd |
|
74 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/etree_defs.h |
|
75 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/etreepublic.pxd |
|
76 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/htmlparser.pxd |
|
77 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/lxml-version.h |
|
78 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/relaxng.pxd |
|
79 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/schematron.pxd |
|
80 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/tree.pxd |
|
81 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/uri.pxd |
|
82 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xinclude.pxd |
|
83 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xmlerror.pxd |
|
84 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xmlparser.pxd |
|
85 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xmlschema.pxd |
|
86 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xpath.pxd |
|
87 |
file path=usr/lib/python2.6/vendor-packages/lxml/includes/xslt.pxd |
|
88 |
dir path=usr/lib/python2.6/vendor-packages/lxml/isoschematron |
|
70 | 89 |
file path=usr/lib/python2.6/vendor-packages/lxml/isoschematron/__init__.py |
71 | 90 |
file \ |
72 | 91 |
path=usr/lib/python2.6/vendor-packages/lxml/isoschematron/resources/rng/iso-schematron.rng |
... | ... | |
86 | 105 |
path=usr/lib/python2.6/vendor-packages/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/iso_svrl_for_xslt1.xsl |
87 | 106 |
file \ |
88 | 107 |
path=usr/lib/python2.6/vendor-packages/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt |
108 |
file path=usr/lib/python2.6/vendor-packages/lxml/lxml.etree.h |
|
109 |
file path=usr/lib/python2.6/vendor-packages/lxml/lxml.etree_api.h |
|
89 | 110 |
file path=usr/lib/python2.6/vendor-packages/lxml/objectify.so |
90 | 111 |
file path=usr/lib/python2.6/vendor-packages/lxml/pyclasslookup.py |
91 | 112 |
file path=usr/lib/python2.6/vendor-packages/lxml/sax.py |
92 |
file path=usr/lib/python2.6/vendor-packages/lxml/tree.pxd |
|
93 | 113 |
file path=usr/lib/python2.6/vendor-packages/lxml/usedoctest.py |
94 | 114 |
license pylxml.copyright license="BSD, PSF, GPL" |
95 | 115 |
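Review bot: The added `dir path=usr/lib/python2.6/vendor-packages/lxml/isoschematron` action has no counterpart in pylxml-27.p5m, where the new `includes/xslt.pxd` entry is followed directly by `isoschematron/__init__.py`. It also carries no `owner`, `group` or `mode` attributes. If directory actions are supplied by the publish transforms (not visible on this page), the line can be dropped; otherwise add the attributes and the matching 2.7 line so both manifests deliver the same tree with explicit permissions.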
components/python/pylxml/pylxml-27.p5m | ||
---|---|---|
19 | 19 |
# CDDL HEADER END |
20 | 20 |
# |
21 | 21 |
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. |
22 |
# Copyright 2015, PALO Richard. |
|
22 | 23 |
# |
23 | 24 | |
24 | 25 |
set name=pkg.fmri \ |
... | ... | |
39 | 40 |
file path=usr/lib/python2.7/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.7.egg-info/not-zip-safe |
40 | 41 |
file path=usr/lib/python2.7/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.7.egg-info/PKG-INFO |
41 | 42 |
file path=usr/lib/python2.7/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.7.egg-info/SOURCES.txt |
43 |
file path=usr/lib/python2.7/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.7.egg-info/requires.txt |
|
42 | 44 |
file path=usr/lib/python2.7/vendor-packages/lxml-$(COMPONENT_VERSION)-py2.7.egg-info/top_level.txt |
43 | 45 |
file path=usr/lib/python2.7/vendor-packages/lxml/__init__.py |
44 | 46 |
file path=usr/lib/python2.7/vendor-packages/lxml/_elementpath.py |
... | ... | |
49 | 51 |
file path=usr/lib/python2.7/vendor-packages/lxml/doctestcompare.py |
50 | 52 |
file path=usr/lib/python2.7/vendor-packages/lxml/ElementInclude.py |
51 | 53 |
file path=usr/lib/python2.7/vendor-packages/lxml/etree.so |
52 |
file path=usr/lib/python2.7/vendor-packages/lxml/etree_defs.h |
|
53 |
file path=usr/lib/python2.7/vendor-packages/lxml/etreepublic.pxd |
|
54 | 54 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/__init__.py |
55 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/_dictmixin.py |
|
56 | 55 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/_diffcommand.py |
57 | 56 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/_setmixin.py |
58 | 57 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/builder.py |
... | ... | |
64 | 63 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/html5parser.py |
65 | 64 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/soupparser.py |
66 | 65 |
file path=usr/lib/python2.7/vendor-packages/lxml/html/usedoctest.py |
66 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/__init__.py |
|
67 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/c14n.pxd |
|
68 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/config.pxd |
|
69 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/dtdvalid.pxd |
|
70 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/etree_defs.h |
|
71 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/etreepublic.pxd |
|
72 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/htmlparser.pxd |
|
73 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/lxml-version.h |
|
74 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/relaxng.pxd |
|
75 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/schematron.pxd |
|
76 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/tree.pxd |
|
77 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/uri.pxd |
|
78 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xinclude.pxd |
|
79 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xmlerror.pxd |
|
80 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xmlparser.pxd |
|
81 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xmlschema.pxd |
|
82 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xpath.pxd |
|
83 |
file path=usr/lib/python2.7/vendor-packages/lxml/includes/xslt.pxd |
|
67 | 84 |
file path=usr/lib/python2.7/vendor-packages/lxml/isoschematron/__init__.py |
68 | 85 |
file \ |
69 | 86 |
path=usr/lib/python2.7/vendor-packages/lxml/isoschematron/resources/rng/iso-schematron.rng |
... | ... | |
83 | 100 |
path=usr/lib/python2.7/vendor-packages/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/iso_svrl_for_xslt1.xsl |
84 | 101 |
file \ |
85 | 102 |
path=usr/lib/python2.7/vendor-packages/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt |
103 |
file path=usr/lib/python2.7/vendor-packages/lxml/lxml.etree.h |
|
104 |
file path=usr/lib/python2.7/vendor-packages/lxml/lxml.etree_api.h |
|
86 | 105 |
file path=usr/lib/python2.7/vendor-packages/lxml/objectify.so |
87 | 106 |
file path=usr/lib/python2.7/vendor-packages/lxml/pyclasslookup.py |
88 | 107 |
file path=usr/lib/python2.7/vendor-packages/lxml/sax.py |
89 |
file path=usr/lib/python2.7/vendor-packages/lxml/tree.pxd |
|
90 | 108 |
file path=usr/lib/python2.7/vendor-packages/lxml/usedoctest.py |
91 | 109 | |
92 | 110 |
# force a dependency on the lxml package |