
Commit 79b7a3c

Merge pull request from GHSA-vv2x-vrpj-qqpq
Fix ghsa vv2x vrpj qqpq
2 parents c045a8b + 842fcb4, commit 79b7a3c


7 files changed (+77, -6 lines)


CHANGES

Lines changed: 19 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,25 @@
11
Bleach changes
22
==============
33

4+
Version 3.3.0 (February 1st, 2021)
5+
----------------------------------
6+
7+
**Backwards incompatible changes**
8+
9+
* clean escapes HTML comments even when strip_comments=False
10+
11+
**Security fixes**
12+
13+
* Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.
14+
15+
**Features**
16+
17+
None
18+
19+
**Bug fixes**
20+
21+
None
22+
423
Version 3.2.3 (January 26th, 2021)
524
----------------------------------
625
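Review bot: the "Security fixes" entry in this hunk cites bug 1621692 / GHSA-m6xf-fq7q-8743, but the pull request title and the new test in tests/test_clean.py reference bug 1689399 / GHSA-vv2x-vrpj-qqpq; please confirm which advisory this release entry is meant to point at (or list both if 3.3.0 closes both), since users reading CHANGES will follow that identifier to the advisory. The "Backwards incompatible changes" bullet is the right place to flag the comment escaping, but it would help to say what changes for callers: the text inside a preserved comment now comes out with &, <, > (and the quote characters) escaped, so anything that round-trips comment contents will see different output.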

SECURITY.md

Lines changed: 2 additions & 2 deletions
@@ -7,8 +7,8 @@ currently being supported with security updates.
77

88
| Version| Supported|
99
| -------| ------------------|
10-
| 3.2.x|:white_check_mark:|
11-
| < 3.1|:x:|
10+
| 3.3.x|:white_check_mark:|
11+
| < 3.2|:x:|
1212

1313
##Reporting a Vulnerability
1414

bleach/__init__.py

Lines changed: 2 additions & 2 deletions
@@ -18,9 +18,9 @@
1818

1919

2020
# yyyymmdd
21-
__releasedate__="20210126"
21+
__releasedate__="20210201"
2222
# x.y.z or x.y.z.dev0 -- semver
23-
__version__="3.2.3"
23+
__version__="3.3.0"
2424
VERSION=packaging.version.Version(__version__)
2525

2626

bleach/html5lib_shim.py

Lines changed: 1 addition & 0 deletions
@@ -48,6 +48,7 @@
4848
HTMLInputStream,
4949
)# noqa: E402 module level import not at top of file
5050
frombleach._vendor.html5lib.serializerimport (
51+
escape,
5152
HTMLSerializer,
5253
)# noqa: E402 module level import not at top of file
5354
frombleach._vendor.html5lib._tokenizerimport (
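Review bot: `escape` is added to the import list from `bleach._vendor.html5lib.serializer` with no note on why the shim now re-exports it; since the shim is the layer that isolates the rest of bleach from the vendored html5lib, a one-line comment saying it is exposed for comment-text escaping in sanitizer.py (its only caller in this change) would make the dependency visible to the next person touching the vendored copy.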

bleach/sanitizer.py

Lines changed: 4 additions & 0 deletions
@@ -371,6 +371,10 @@ def sanitize_token(self, token):
371371

372372
eliftoken_type=="Comment":
373373
ifnotself.strip_html_comments:
374+
# call lxml.sax.saxutils to escape &, <, and > in addition to " and '
375+
token["data"]=html5lib_shim.escape(
376+
token["data"],entities={'"':"&quot;","'":"&#x27;"}
377+
)
374378
returntoken
375379
else:
376380
returnNone
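Review bot: the new comment in this hunk says "call lxml.sax.saxutils", but the call is `html5lib_shim.escape(...)`, which this same change imports from `bleach._vendor.html5lib.serializer`; the comment should name the function actually used so nobody goes looking for an lxml dependency. The logic itself reads correctly: the escaping runs only on the `not self.strip_html_comments` branch, where the comment token is returned and serialized, while the `else` branch still drops the token entirely, and the `entities` argument extends the default escaping of &, <, > to `"` and `'`, which is what turns a `</style>` inside a comment into the inert `&lt;/style&gt;` seen in the expected output of the new tests.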

tests/test_clean.py

Lines changed: 47 additions & 0 deletions
@@ -739,6 +739,53 @@ def test_namespace_rc_data_element_strip_false(
739739
)
740740

741741

742+
@pytest.mark.parametrize(
743+
"namespace_tag, end_tag, data, expected",
744+
[
745+
(
746+
"math",
747+
"p",
748+
"<math></p><style><!--</style><img src/onerror=alert(1)>",
749+
"<math><p></p><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></math>",
750+
),
751+
(
752+
"math",
753+
"br",
754+
"<math></br><style><!--</style><img src/onerror=alert(1)>",
755+
"<math><br><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></math>",
756+
),
757+
(
758+
"svg",
759+
"p",
760+
"<svg></p><style><!--</style><img src/onerror=alert(1)>",
761+
"<svg><p></p><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></svg>",
762+
),
763+
(
764+
"svg",
765+
"br",
766+
"<svg></br><style><!--</style><img src/onerror=alert(1)>",
767+
"<svg><br><style><!--&lt;/style&gt;&lt;img src/onerror=alert(1)&gt;--></style></svg>",
768+
),
769+
],
770+
)
771+
deftest_html_comments_escaped(namespace_tag,end_tag,data,expected):
772+
# refs: bug 1689399 / GHSA-vv2x-vrpj-qqpq
773+
#
774+
# p and br can be just an end tag (e.g. </p> == <p></p>)
775+
#
776+
# In browsers:
777+
#
778+
# * img and other tags break out of the svg or math namespace (e.g. <svg><img></svg> == <svg><img></svg>)
779+
# * style does not (e.g. <svg><style></svg> == <svg><style></style></svg>)
780+
# * the breaking tag ejects trailing elements (e.g. <svg><img><style></style></svg> == <svg></svg><img><style></style>)
781+
#
782+
# the ejected elements can trigger XSS
783+
assert (
784+
clean(data,tags=[namespace_tag,end_tag,"style"],strip_comments=False)
785+
==expected
786+
)
787+
788+
742789
defget_ids_and_tests():
743790
"""Retrieves regression tests from data/ directory
744791
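Review bot: the first "In browsers" bullet in the new test's comment gives an example whose two sides are identical (`<svg><img></svg> == <svg><img></svg>`), so it does not illustrate the break-out it describes; by analogy with the third bullet the intended right-hand side is presumably `<svg></svg><img>`. The four parametrized cases only cover a comment that sits inside a `style` element under `math` or `svg` with `strip_comments=False`; since the CHANGES entry declares that `clean` now escapes every preserved comment, adding one case with a comment outside any namespace element (for example a comment containing `</style>` or `<img ...>` at the top level) would pin down that wider behaviour as well, and a case with the default `strip_comments=True` would confirm the token is still dropped on that path.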

tests_website/index.html

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
<html>
33
<head>
44
<metacharset="UTF-8">
5-
<title>Python Bleach 3.2.3</title>
5+
<title>Python Bleach 3.3.0</title>
66
<style>
77
textarea,iframe {
88
width:95%;
@@ -20,7 +20,7 @@
2020
</style>
2121
</head>
2222
<body>
23-
<h2>Python Bleach 3.2.3</h2>
23+
<h2>Python Bleach 3.3.0</h2>
2424
<p>
2525
<ahref="http://badge.fury.io/py/bleach"><imgstyle="max-width:100%;"alt="pypi version"src="https://badge.fury.io/py/bleach.svg"></a>
2626
<ahref="https://github.com/mozilla/bleach/actions?query=workflow%3ATest"><imgstyle="max-width:100%;"alt="Build Status"src="https://github.com/mozilla/bleach/workflows/Test/badge.svg"></a>
