Gilles Filippini pushed to branch master at Debian Java Maintainers / jython
Commits: eaf508ca by Gilles Filippini at 2022-12-29T12:20:14+01:00 CVE-2019-16935 - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2019-16935.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +jython (2.7.2+repack1-5) unstable; urgency=medium + + * CVE-2019-16935 (closes: #1027149) + + -- Gilles Filippini <[email protected]> Thu, 29 Dec 2022 12:00:40 +0100 + jython (2.7.2+repack1-4) unstable; urgency=medium * Build-Depends: antlr3 (instead of antlr3.2; Closes: #995188) ===================================== debian/patches/CVE-2019-16935.patch ===================================== 
@@ -0,0 +1,75 @@ +Description: fix CVE-2019-16935 + Escape the server title of DocXMLRPCServer when rendering the + document page as HTML. + . + Patch backported from cython commit 8eb6415 +Origin: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149 +Index: jython/lib-python/2.7/DocXMLRPCServer.py +=================================================================== +--- jython.orig/lib-python/2.7/DocXMLRPCServer.py ++++ jython/lib-python/2.7/DocXMLRPCServer.py +@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM + CGIXMLRPCRequestHandler, + resolve_dotted_attribute) + ++ ++def _html_escape_quote(s): ++ s = s.replace("&", "&") # Must be done first! ++ s = s.replace("<", "<") ++ s = s.replace(">", ">") ++ s = s.replace('"', """) ++ s = s.replace('\'', "'") ++ return s ++ ++ + class ServerHTMLDoc(pydoc.HTMLDoc): + """Class used to generate pydoc HTML document for a server""" + +@@ -210,7 +220,8 @@ class XMLRPCDocGenerator: + methods + ) + +- return documenter.page(self.server_title, documentation) ++ title = _html_escape_quote(self.server_title) ++ return documenter.page(title, documentation) + + class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): + """XML-RPC and documentation request handler class. 
+Index: jython/lib-python/2.7/test/test_docxmlrpc.py +=================================================================== +--- jython.orig/lib-python/2.7/test/test_docxmlrpc.py ++++ jython/lib-python/2.7/test/test_docxmlrpc.py +@@ -1,5 +1,6 @@ + from DocXMLRPCServer import DocXMLRPCServer + import httplib ++import re + import sys + from test import test_support + threading = test_support.import_module('threading') +@@ -194,6 +195,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te + self.assertIn("""Try self.<strong>add</strong>, too.""", + response.read()) + ++ def test_server_title_escape(self): ++ """Test that the server title and documentation ++ are escaped for HTML. ++ """ ++ self.serv.set_server_title('test_title<script>') ++ self.serv.set_server_documentation('test_documentation<script>') ++ self.assertEqual('test_title<script>', self.serv.server_title) ++ self.assertEqual('test_documentation<script>', ++ self.serv.server_documentation) ++ ++ generated = self.serv.generate_html_documentation() ++ title = re.search(r'<title>(.+?)</title>', generated).group() ++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() ++ self.assertEqual('<title>Python: test_title<script></title>', ++ title) ++ self.assertEqual('<p><tt>test_documentation<script></tt></p>', ++ documentation) ++ ++ + def test_main(): + test_support.run_unittest(DocXMLRPCHTTPGETServer) + ===================================== debian/patches/series ===================================== @@ -5,3 +5,4 @@ javadoc-classpath.patch reproducible-builds.patch 08-java-backward-compatibility.patch antlr-getEOFToken.patch +CVE-2019-16935.patch View it on GitLab: https://salsa.debian.org/java-team/jython/-/commit/eaf508cac9fc5fcea06316d35932d24ae15ab158 -- View it on GitLab: https://salsa.debian.org/java-team/jython/-/commit/eaf508cac9fc5fcea06316d35932d24ae15ab158 You're receiving this email because of your account on salsa.debian.org.
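Review bot: As rendered here, every replacement in `_html_escape_quote` maps a character to itself (`s = s.replace("&", "&")`, `s = s.replace("<", "<")`, and so on), which would make the helper a no-op and leave `<script>` in the title untouched; the test's expected strings (`'<title>Python: test_title<script></title>'`) show the same raw characters, so this looks like entity decoding in the mail rendering rather than the committed patch. Confirm that `debian/patches/CVE-2019-16935.patch` on disk contains the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#x27;`) on both the helper's replace lines and the test's expected strings, because otherwise the fix is ineffective and `test_server_title_escape` passes vacuously. Only `self.server_title` is routed through the helper in `generate_html_documentation` (whose body starts and ends outside the hunk), yet the test also asserts `server_documentation` is escaped, so that presumably relies on an existing escaping path in the documenter that the hunk does not show; a comment on the new line such as `# NOTE: server_title is not escaped by documenter.page; server_documentation is assumed to be escaped elsewhere — confirm` would record that dependency. The DEP-3 description says `Patch backported from cython commit 8eb6415` while the Origin line points at python/cpython, so `cython` should read `cpython`.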

