meta-openembedded/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch

Upstream-status:Backport

--- a/src/lxml/html/clean.py
+++ b/src/lxml/html/clean.py
@@ -70,9 +70,10 @@ _css_import_re = re.compile(
 
 # All kinds of schemes besides just javascript: that can cause
 # execution:
-_javascript_scheme_re = re.compile(
-    r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I)
-_substitute_whitespace = re.compile(r'\s+').sub
+_is_javascript_scheme = re.compile(
+    r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
+    re.I).search
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
 # FIXME: should data: be blocked?
 
 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
@@ -467,7 +468,7 @@ class Cleaner(object):
     def _remove_javascript_link(self, link):
         # links like "j a v a s c r i p t:" might be interpreted in IE
         new = _substitute_whitespace('', link)
-        if _javascript_scheme_re.search(new):
+        if _is_javascript_scheme(new):
             # FIXME: should this be None to delete?
             return ''
         return link
--- a/src/lxml/html/tests/test_clean.txt
+++ b/src/lxml/html/tests/test_clean.txt
@@ -1,3 +1,4 @@
+>>> import re
 >>> from lxml.html import fromstring, tostring
 >>> from lxml.html.clean import clean, clean_html, Cleaner
 >>> from lxml.html import usedoctest
@@ -17,6 +18,7 @@
 ...   <body onload="evil_function()">
 ...     <!-- I am interpreted for EVIL! -->
 ...     <a href="javascript:evil_function()">a link</a>
+...     <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
 ...     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
 ...     <a href="#" onclick="evil_function()">another link</a>
 ...     <p onclick="evil_function()">a paragraph</p>
@@ -33,7 +35,7 @@
 ...   </body>
 ... </html>'''
 
->>> print(doc)
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
 <html>
   <head>
     <script type="text/javascript" src="evil-site"></script>
@@ -49,6 +51,7 @@
   <body onload="evil_function()">
     <!-- I am interpreted for EVIL! -->
     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip t:evil_function()">a control char link</a>
     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
     <a href="#" onclick="evil_function()">another link</a>
     <p onclick="evil_function()">a paragraph</p>
@@ -81,6 +84,7 @@
   <body onload="evil_function()">
     <!-- I am interpreted for EVIL! -->
     <a href="javascript:evil_function()">a link</a>
+    <a href="javascrip%20t:evil_function()">a control char link</a>
     <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a>
     <a href="#" onclick="evil_function()">another link</a>
     <p onclick="evil_function()">a paragraph</p>
@@ -104,6 +108,7 @@
   </head>
   <body>
     <a href="">a link</a>
+    <a href="">a control char link</a>
     <a href="">data</a>
     <a href="#">another link</a>
     <p>a paragraph</p>
@@ -123,6 +128,7 @@
   </head>
   <body>
     <a href="">a link</a>
+    <a href="">a control char link</a>
     <a href="">data</a>
     <a href="#">another link</a>
     <p>a paragraph</p>
@@ -146,6 +152,7 @@
   </head>
   <body>
     <a href="">a link</a>
+    <a href="">a control char link</a> 
     <a href="">data</a>
     <a href="#">another link</a>
     <p>a paragraph</p>