Hi, this is my debdiff for CVE-2014-3146 in lxml.
I used the patch for wheezy as a template. I am sure there are scripts or descriptions of some kind on how to test this. Are those available somewhere?
Thorsten
diff -u lxml-2.2.8/debian/changelog lxml-2.2.8/debian/changelog
--- lxml-2.2.8/debian/changelog
+++ lxml-2.2.8/debian/changelog
@@ -1,3 +1,11 @@
+lxml (2.2.8-2+deb6u1) squeeze-lts; urgency=medium
+
+ * CVE-2014-3146
+ DSA-2941-1
+ clean_html input sanitization flaw (#746812)
+
+ -- Thorsten Alteholz <[email protected]> Sun, 22 Jun 2014 17:00:00 +0200
+
 lxml (2.2.8-2) unstable; urgency=low
 * Add copyright and license information for test.py. Closes: #597547.
only in patch2:
unchanged:
--- lxml-2.2.8.orig/src/lxml/html/clean.py
+++ lxml-2.2.8/src/lxml/html/clean.py
@@ -79,9 +79,10 @@
 # All kinds of schemes besides just javascript: that can cause
 # execution:
-_javascript_scheme_re = re.compile(
- r'\s*(?:javascript|jscript|livescript|vbscript|about|mocha):', re.I)
-_substitute_whitespace = re.compile(r'\s+').sub
+_is_javascript_scheme = re.compile(
+ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):',
+ re.I).search
+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
 # FIXME: should data: be blocked?
 # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx
@@ -451,7 +452,7 @@
 def _remove_javascript_link(self, link):
 # links like "j a v a s c r i p t:" might be interpreted in IE
 new = _substitute_whitespace('', link)
- if _javascript_scheme_re.search(new):
+ if _is_javascript_scheme(new):
 # FIXME: should this be None to delete?
 return ''
 return link
only in patch2:
unchanged:
--- lxml-2.2.8.orig/src/lxml/html/tests/test_clean.txt
+++ lxml-2.2.8/src/lxml/html/tests/test_clean.txt
@@ -1,3 +1,4 @@
+>>> import re
 >>> from lxml.html import fromstring, tostring
 >>> from lxml.html.clean import clean, clean_html, Cleaner
 >>> from lxml.html import usedoctest
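Review bot: The context line `# FIXME: should data: be blocked?` directly below the new `_is_javascript_scheme` regex is now stale, because the new alternation adds `data` and so already blocks `data:` links; replace it with `# data: is blocked as well (CVE-2014-3146), see _remove_javascript_link` or drop it. The new pattern also drops the old leading `\s*`, which is only safe because `_remove_javascript_link` in the second clean.py hunk runs `_substitute_whitespace('', link)` before calling it, so a one-line comment on `_is_javascript_scheme` such as `# callers must pass the whitespace/control-char-stripped string` would make that contract explicit. Note that the strip class `[\s\x00-\x08\x0B\x0C\x0E-\x19]+` ends at `\x19`, so `\x1A`-`\x1F` and `\x7F` are left untouched; if that mirrors the upstream lxml fix this is fine, but it is worth confirming the range against upstream before uploading. The `@@ -79,9` hunk header counts suggest blank context lines that were lost when the mail was flattened, and the `_remove_javascript_link` hunk appears to hold the whole method, though its end is not certain from here.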
@@ -14,6 +15,7 @@
 ... <body onload="evil_function()">
 ... <!-- I am interpreted for EVIL! -->
 ... <a href="javascript:evil_function()">a link</a>
+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a>
 ... <a href="#" onclick="evil_function()">another link</a>
 ... <p onclick="evil_function()">a paragraph</p>
 ... <div style="display: none">secret EVIL!</div>
@@ -27,7 +29,7 @@
 ... </body>
 ... </html>'''
->>> print(doc)
+>>> print(re.sub('[\x00-\x07\x0E]', '', doc))
 <html>
 <head>
 <script type="text/javascript" src="evil-site"></script>
@@ -40,6 +42,7 @@
 <body onload="evil_function()">
 <!-- I am interpreted for EVIL! -->
 <a href="javascript:evil_function()">a link</a>
+ <a href="javascrip t:evil_function()">a control char link</a>
 <a href="#" onclick="evil_function()">another link</a>
 <p onclick="evil_function()">a paragraph</p>
 <div style="display: none">secret EVIL!</div>
@@ -66,6 +69,7 @@
 <body onload="evil_function()">
 <!-- I am interpreted for EVIL! -->
 <a href="javascript:evil_function()">a link</a>
+ <a href="javascrip%20t:evil_function()">a control char link</a>
 <a href="#" onclick="evil_function()">another link</a>
 <p onclick="evil_function()">a paragraph</p>
 <div style="display: none">secret EVIL!</div>
@@ -86,6 +90,7 @@
 </head>
 <body>
 <a href="">a link</a>
+ <a href="">a control char link</a>
 <a href="#">another link</a>
 <p>a paragraph</p>
 <div style="display: none">secret EVIL!</div>
@@ -103,6 +108,8 @@
 </head>
 <body>
 <a href="">a link</a>
+ <a href="">a control char link</a>
+ <a href="">a control char link</a>
 <a href="#">another link</a>
 <p>a paragraph</p>
 <div>secret EVIL!</div>
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
