diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch new file mode 100644 index 000000000..0a8e211bd --- /dev/null +++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch @@ -0,0 +1,91 @@ +Upstream-status:Backport + +--- a/src/lxml/html/clean.py ++++ b/src/lxml/html/clean.py +@@ -70,9 +70,10 @@ _css_import_re = re.compile( + + # All kinds of schemes besides just javascript: that can cause + # execution: +-_javascript_scheme_re = re.compile( +- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I) +-_substitute_whitespace = re.compile(r'\s+').sub ++_is_javascript_scheme = re.compile( ++ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', ++ re.I).search ++_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub + # FIXME: should data: be blocked? + + # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx +@@ -467,7 +468,7 @@ class Cleaner(object): + def _remove_javascript_link(self, link): + # links like "j a v a s c r i p t:" might be interpreted in IE + new = _substitute_whitespace('', link) +- if _javascript_scheme_re.search(new): ++ if _is_javascript_scheme(new): + # FIXME: should this be None to delete? + return '' + return link +--- a/src/lxml/html/tests/test_clean.txt ++++ b/src/lxml/html/tests/test_clean.txt +@@ -1,3 +1,4 @@ ++>>> import re + >>> from lxml.html import fromstring, tostring + >>> from lxml.html.clean import clean, clean_html, Cleaner + >>> from lxml.html import usedoctest +@@ -17,6 +18,7 @@ + ...
+ ... + ... a link ++... a control char link + ... data + ... another link + ...a paragraph
+@@ -33,7 +35,7 @@ + ... + ...