Hello community, here is the log from the commit of package python-mistune for openSUSE:Factory checked in at 2017-11-11 14:17:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-mistune (Old) and /work/SRC/openSUSE:Factory/.python-mistune.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-mistune" Sat Nov 11 14:17:49 2017 rev:4 rq:539600 version:0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/python-mistune/python-mistune.changes 2017-04-12 18:20:05.345098552 +0200 +++ /work/SRC/openSUSE:Factory/.python-mistune.new/python-mistune.changes 2017-11-11 14:17:49.823104822 +0100 @@ -1,0 +2,8 @@ +Mon Nov 6 16:58:50 UTC 2017 - [email protected] + +- update to version 0.8.0: + * Remove non breaking spaces preprocessing + * Remove rev and rel attribute for footnotes + * Fix bypassing XSS vulnerability by junorouse + +------------------------------------------------------------------- Old: ---- mistune-0.7.4.tar.gz New: ---- mistune-0.8.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-mistune.spec ++++++ --- /var/tmp/diff_new_pack.86gnVf/_old 2017-11-11 14:17:50.387084152 +0100 +++ /var/tmp/diff_new_pack.86gnVf/_new 2017-11-11 14:17:50.391084005 +0100 
@@ -18,19 +18,19 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-mistune -Version: 0.7.4 +Version: 0.8 Release: 0 Summary: The fastest markdown parser in pure Python License: BSD-3-Clause Group: Development/Languages/Python Url: https://github.com/lepture/mistune Source0: https://files.pythonhosted.org/packages/source/m/mistune/mistune-%{version}.tar.gz -BuildRequires: fdupes -BuildRequires: python-rpm-macros BuildRequires: %{python_module Cython} BuildRequires: %{python_module devel} BuildRequires: %{python_module nose} BuildRequires: %{python_module setuptools} +BuildRequires: fdupes +BuildRequires: python-rpm-macros BuildRoot: %{_tmppath}/%{name}-%{version}-build %python_subpackages ++++++ mistune-0.7.4.tar.gz -> mistune-0.8.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/CHANGES.rst new/mistune-0.8/CHANGES.rst --- old/mistune-0.7.4/CHANGES.rst 2017-03-14 07:58:34.000000000 +0100 +++ new/mistune-0.8/CHANGES.rst 2017-10-26 19:02:20.000000000 +0200 @@ -3,6 +3,18 @@ Here is the full history of mistune. +Version 0.8 +~~~~~~~~~~~ + +Released on Oct. 26, 2017 + +* Remove non breaking spaces preprocessing +* Remove rev and rel attribute for footnotes +* Fix bypassing XSS vulnerability by junorouse + +This version is strongly recommended, since it fixed +a security issue. + Version 0.7.4 ~~~~~~~~~~~~~ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/PKG-INFO new/mistune-0.8/PKG-INFO --- old/mistune-0.7.4/PKG-INFO 2017-03-14 07:59:57.000000000 +0100 +++ new/mistune-0.8/PKG-INFO 2017-10-26 19:06:08.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: mistune -Version: 0.7.4 +Version: 0.8 Summary: The fastest markdown parser in pure Python Home-page: https://github.com/lepture/mistune Author: Hsiaoming Yang 
@@ -13,7 +13,7 @@ inspired by marked_. .. image:: https://img.shields.io/badge/donate-lepture-green.svg - :target: https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune + :target: https://typlog.com/donate?amount=10&reason=lepture%2Fmistune :alt: Donate lepture .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat :target: https://pypi.python.org/pypi/mistune/ @@ -202,7 +202,7 @@ .. code:: python - import copy + import copy,re from mistune import Renderer, InlineGrammar, InlineLexer class WikiLinkRenderer(Renderer): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/README.rst new/mistune-0.8/README.rst --- old/mistune-0.7.4/README.rst 2016-11-16 03:31:26.000000000 +0100 +++ new/mistune-0.8/README.rst 2017-09-14 08:31:47.000000000 +0200 @@ -5,7 +5,7 @@ inspired by marked_. .. image:: https://img.shields.io/badge/donate-lepture-green.svg - :target: https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune + :target: https://typlog.com/donate?amount=10&reason=lepture%2Fmistune :alt: Donate lepture .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat :target: https://pypi.python.org/pypi/mistune/ @@ -194,7 +194,7 @@ .. code:: python - import copy + import copy,re from mistune import Renderer, InlineGrammar, InlineLexer class WikiLinkRenderer(Renderer): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/mistune.egg-info/PKG-INFO new/mistune-0.8/mistune.egg-info/PKG-INFO --- old/mistune-0.7.4/mistune.egg-info/PKG-INFO 2017-03-14 07:59:57.000000000 +0100 +++ new/mistune-0.8/mistune.egg-info/PKG-INFO 2017-10-26 19:06:08.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: mistune -Version: 0.7.4 +Version: 0.8 Summary: The fastest markdown parser in pure Python Home-page: https://github.com/lepture/mistune Author: Hsiaoming Yang 
@@ -13,7 +13,7 @@ inspired by marked_. .. image:: https://img.shields.io/badge/donate-lepture-green.svg - :target: https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune + :target: https://typlog.com/donate?amount=10&reason=lepture%2Fmistune :alt: Donate lepture .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat :target: https://pypi.python.org/pypi/mistune/ @@ -202,7 +202,7 @@ .. code:: python - import copy + import copy,re from mistune import Renderer, InlineGrammar, InlineLexer class WikiLinkRenderer(Renderer): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/mistune.egg-info/SOURCES.txt new/mistune-0.8/mistune.egg-info/SOURCES.txt --- old/mistune-0.7.4/mistune.egg-info/SOURCES.txt 2017-03-14 07:59:57.000000000 +0100 +++ new/mistune-0.8/mistune.egg-info/SOURCES.txt 2017-10-26 19:06:08.000000000 +0200 @@ -11,6 +11,7 @@ mistune.egg-info/dependency_links.txt mistune.egg-info/not-zip-safe mistune.egg-info/top_level.txt +tests/__init__.py tests/bench.py tests/test_cases.py tests/test_extra.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/mistune.py new/mistune-0.8/mistune.py --- old/mistune-0.7.4/mistune.py 2017-03-14 07:58:34.000000000 +0100 +++ new/mistune-0.8/mistune.py 2017-10-26 19:02:20.000000000 +0200 @@ -11,7 +11,7 @@ import re import inspect -__version__ = '0.7.4' +__version__ = '0.8' __author__ = 'Hsiaoming Yang <[email protected]>' __all__ = [ 'BlockGrammar', 'BlockLexer', @@ -75,8 +75,9 @@ def escape_link(url): """Remove dangerous URL schemes like javascript: and escape afterwards.""" lower_url = url.lower().strip('\x00\x1a \n\r\t') + for scheme in _scheme_blacklist: - if lower_url.startswith(scheme): + if re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url).startswith(scheme): return '' return escape(url, quote=True, smart_amp=False) 
@@ -84,7 +85,6 @@ def preprocessing(text, tab=4): text = _newline_pattern.sub('\n', text) text = text.expandtabs(tab) - text = text.replace('\u00a0', ' ') text = text.replace('\u2424', '\n') pattern = re.compile(r'^ +$', re.M) return pattern.sub('', text) @@ -845,7 +845,7 @@ :param link: link content or email address. :param is_email: whether this is an email or not. """ - text = link = escape(link) + text = link = escape_link(link) if is_email: link = 'mailto:%s' % link return '<a href="%s">%s</a>' % (link, text) @@ -902,7 +902,7 @@ """ html = ( '<sup class="footnote-ref" id="fnref-%s">' - '<a href="#fn-%s" rel="footnote">%d</a></sup>' + '<a href="#fn-%s">%d</a></sup>' ) % (escape(key), escape(key), index) return html @@ -913,7 +913,7 @@ :param text: text content of the footnote. """ back = ( - '<a href="#fnref-%s" rev="footnote">↩</a>' + '<a href="#fnref-%s" class="footnote">↩</a>' ) % escape(key) text = text.rstrip() if text.endswith('</p>'): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/tests/bench.py new/mistune-0.8/tests/bench.py --- old/mistune-0.7.4/tests/bench.py 2016-11-16 03:31:26.000000000 +0100 +++ new/mistune-0.8/tests/bench.py 2017-09-14 08:31:47.000000000 +0200 @@ -50,7 +50,7 @@ m.EXT_TABLES | m.EXT_STRIKETHROUGH ) md = m.Markdown(m.HtmlRenderer(), extensions=extensions) - md.render(text) + md(text) @benchmark('markdown2') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/tests/fixtures/extra/footnotes.html new/mistune-0.8/tests/fixtures/extra/footnotes.html --- old/mistune-0.7.4/tests/fixtures/extra/footnotes.html 2016-11-16 03:31:26.000000000 +0100 +++ new/mistune-0.8/tests/fixtures/extra/footnotes.html 2017-09-14 08:31:47.000000000 +0200 
@@ -1,15 +1,15 @@ -<p>This is the first paragraph.<sup class="footnote-ref" id="fnref-first"><a href="#fn-first" rel="footnote">1</a></sup></p> +<p>This is the first paragraph.<sup class="footnote-ref" id="fnref-first"><a href="#fn-first">1</a></sup></p> <ul> -<li>List item one.<sup class="footnote-ref" id="fnref-second"><a href="#fn-second" rel="footnote">2</a></sup></li> -<li>List item two.<sup class="footnote-ref" id="fnref-third"><a href="#fn-third" rel="footnote">3</a></sup></li> +<li>List item one.<sup class="footnote-ref" id="fnref-second"><a href="#fn-second">2</a></sup></li> +<li>List item two.<sup class="footnote-ref" id="fnref-third"><a href="#fn-third">3</a></sup></li> </ul> -<h1>Header<sup class="footnote-ref" id="fnref-fourth"><a href="#fn-fourth" rel="footnote">4</a></sup></h1> +<h1>Header<sup class="footnote-ref" id="fnref-fourth"><a href="#fn-fourth">4</a></sup></h1> -<p>Some paragraph with a footnote<sup class="footnote-ref" id="fnref-1"><a href="#fn-1" rel="footnote">5</a></sup>, and another<sup class="footnote-ref" id="fnref-2"><a href="#fn-2" rel="footnote">6</a></sup>.</p> +<p>Some paragraph with a footnote<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">5</a></sup>, and another<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">6</a></sup>.</p> -<p>Another paragraph with a named footnote<sup class="footnote-ref" id="fnref-fn-name"><a href="#fn-fn-name" rel="footnote">7</a></sup>.</p> +<p>Another paragraph with a named footnote<sup class="footnote-ref" id="fnref-fn-name"><a href="#fn-fn-name">7</a></sup>.</p> <p>This paragraph should not have a footnote marker since the footnote is undefined.[^3]</p> 
@@ -18,43 +18,43 @@ the footnote has already been used before.[^1]</p> <p>This paragraph links to a footnote with plenty of -block-level content.<sup class="footnote-ref" id="fnref-block"><a href="#fn-block" rel="footnote">8</a></sup></p> +block-level content.<sup class="footnote-ref" id="fnref-block"><a href="#fn-block">8</a></sup></p> <p>This paragraph host the footnote reference within a -footnote test<sup class="footnote-ref" id="fnref-reference"><a href="#fn-reference" rel="footnote">9</a></sup>.</p> +footnote test<sup class="footnote-ref" id="fnref-reference"><a href="#fn-reference">9</a></sup>.</p> <div class="footnotes"> <hr> <ol> <li id="fn-first"> -<p>This is the first note.<a href="#fnref-first" rev="footnote">↩</a></p> +<p>This is the first note.<a href="#fnref-first" class="footnote">↩</a></p> </li> <li id="fn-second"> -<p>This is the second note.<a href="#fnref-second" rev="footnote">↩</a></p> +<p>This is the second note.<a href="#fnref-second" class="footnote">↩</a></p> </li> <li id="fn-third"> -<p>This is the third note, defined out of order.<a href="#fnref-third" rev="footnote">↩</a></p> +<p>This is the third note, defined out of order.<a href="#fnref-third" class="footnote">↩</a></p> </li> <li id="fn-fourth"> -<p>This is the fourth note.<a href="#fnref-fourth" rev="footnote">↩</a></p> +<p>This is the fourth note.<a href="#fnref-fourth" class="footnote">↩</a></p> </li> <li id="fn-1"> -<p>Content for fifth footnote.<a href="#fnref-1" rev="footnote">↩</a></p> +<p>Content for fifth footnote.<a href="#fnref-1" class="footnote">↩</a></p> </li> <li id="fn-2"> <p>Content for sixth footnote spaning on three lines, with some span-level markup like -<em>emphasis</em>, a <a href="http://www.michelf.com/">link</a>.<a href="#fnref-2" rev="footnote">↩</a></p> +<em>emphasis</em>, a <a href="http://www.michelf.com/">link</a>.<a href="#fnref-2" class="footnote">↩</a></p> </li> <li id="fn-fn-name"> -<p>Footnote beginning on the line next to the marker.<a 
href="#fnref-fn-name" rev="footnote">↩</a></p> +<p>Footnote beginning on the line next to the marker.<a href="#fnref-fn-name" class="footnote">↩</a></p> </li> <li id="fn-block"> @@ -71,12 +71,12 @@ <pre><code>Code block </code></pre> -<p><a href="#fnref-block" rev="footnote">↩</a></p> +<p><a href="#fnref-block" class="footnote">↩</a></p> </li> <li id="fn-reference"> <p>This footnote attemps to refer to another footnote. This -should be impossible.[^impossible]<a href="#fnref-reference" rev="footnote">↩</a></p> +should be impossible.[^impossible]<a href="#fnref-reference" class="footnote">↩</a></p> </li> </ol> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.4/tests/test_extra.py new/mistune-0.8/tests/test_extra.py --- old/mistune-0.7.4/tests/test_extra.py 2017-03-14 07:58:34.000000000 +0100 +++ new/mistune-0.8/tests/test_extra.py 2017-10-26 18:50:16.000000000 +0200 @@ -23,6 +23,8 @@ ('javascript:alert`1`', ''), # bypass attempt ('jAvAsCrIpT:alert`1`', ''), + # bypass with newline + ('javasc\nript:alert`1`', ''), # javascript pseudo protocol with entities ('javascript:alert`1`', 'javascript&colon;alert`1`'), # javascript pseudo protocol with prefix (dangerous in Chrome)
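Review bot: the new python-mistune.changes entry reads "update to version 0.8.0" while the spec hunk (Version: 0.8), the tarball name (mistune-0.8.tar.gz) and the mistune.py hunk (__version__ = '0.8') all use 0.8; use the same version string in the changelog, especially since Source0 is expanded from %{version}. The line "Fix bypassing XSS vulnerability by junorouse" also carries no bug or CVE reference; if a bsc# or CVE exists for this fix, add it to the entry so the security update can be tracked from the package history.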
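Review bot: in the README.rst hunk (and the two identical PKG-INFO copies generated from it) the changed line "import copy,re" lacks the space after the comma and puts two modules on one import line; PEP 8 asks for "import copy" and "import re" on separate lines, and since this is the documentation example readers copy into their own code it is worth keeping clean. Also confirm that the WikiLinkRenderer example which follows actually uses re, since only the import line is visible in the hunk.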
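Review bot: in the escape_link hunk of mistune.py the call re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url) is evaluated once per _scheme_blacklist entry although its result does not depend on scheme; compute the stripped value once before the loop and, for consistency with _newline_pattern in the same module, keep the pattern as a module-level compiled regex. Two things to verify: first, the stripping is applied only to the value compared against the blacklist, while escape(url, quote=True, smart_amp=False) still receives the original url, so callers must not assume the returned value has been normalized; second, the character class also drops "-", "." and "+", so any _scheme_blacklist entry containing one of those characters can no longer match (the list itself is outside this hunk, so check it). The docstring "Remove dangerous URL schemes like javascript: and escape afterwards." should say that scheme matching now ignores characters interleaved with the scheme letters.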
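Review bot: the preprocessing hunk removes text.replace('\u00a0', ' '), so non-breaking spaces now reach the lexer unchanged; in particular the re.compile(r'^ +$', re.M) pass two lines below no longer blanks lines consisting only of NBSP, and any grammar rule keyed on ASCII space treats such input differently than 0.7.4 did. The CHANGES.rst entry "Remove non breaking spaces preprocessing" states what changed but not why; one sentence on the motivation and the visible effect would help downstream users decide whether to normalize NBSP themselves before calling mistune.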
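Review bot: in the autolink hunk, text = link = escape_link(link) means that when escape_link rejects the scheme and returns '' the renderer emits <a href=""></a>, an empty anchor with no visible text, rather than dropping the link or falling back to plain text; consider handling the empty return explicitly (for example emitting escape(link) without an anchor) so content is not silently lost. The is_email branch prefixing 'mailto:%s' after the check is the right order. Neither behaviour is covered by the tests/test_extra.py hunk, which only extends the existing scheme table, so a test for autolink with a rejected scheme would lock both in.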
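Review bot: the mistune.py hunk that builds back replaces rev="footnote" with class="footnote" instead of removing it, whereas the hunk that builds the <sup class="footnote-ref"> reference drops rel="footnote" with no replacement; the CHANGES.rst line "Remove rev and rel attribute for footnotes" therefore does not describe the backlink change. Either update the changelog to say the backlink now carries class="footnote", or choose a name that pairs with the existing footnote-ref class on the reference (footnote-backref, for instance) so stylesheets can tell the two link kinds apart. Dropping rev itself is correct, as HTML5 does not define that attribute; the footnotes.html fixture hunks are updated consistently with the renderer change.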
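Review bot: the new tests/test_extra.py case ('javasc\nript:alert`1`', '') exercises only a newline, whereas the escape_link change strips every character outside [A-Za-z0-9/:]; add one case per class of separator the fix is meant to cover (a tab, or the NBSP that preprocessing no longer normalizes) so the table documents the intended scope of the fix and fails if the character class is narrowed later.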
