commit 039e98b00ec0707675e3b5b7422f06249e3d83b2
Author: Arkadiusz MiĆkiewicz <[email protected]>
Date: Mon Sep 14 19:50:07 2015 +0200
- rel 5; FC fixes
python-defusedxml-entity_loop.patch | 52 ++++++++++++++++++++++++++++
python-defusedxml-format_strings.patch | 63 ++++++++++++++++++++++++++++++++++
python-defusedxml.spec | 6 +++-
3 files changed, 120 insertions(+), 1 deletion(-)
---
diff --git a/python-defusedxml.spec b/python-defusedxml.spec
index c7df7c2..ec96dac 100644
--- a/python-defusedxml.spec
+++ b/python-defusedxml.spec
@@ -8,11 +8,13 @@
Summary: XML bomb protection for Python stdlib modules
Name: python-%{module}
Version: 0.4.1
-Release: 4
+Release: 5
License: PSF
Group: Libraries/Python
Source0:
https://pypi.python.org/packages/source/d/defusedxml/defusedxml-%{version}.tar.gz
# Source0-md5: 230a5eff64f878b392478e30376d673a
+Patch0: python-defusedxml-entity_loop.patch
+Patch1: python-defusedxml-format_strings.patch
URL: https://pypi.python.org/pypi/defusedxml
%if %{with python2}
BuildRequires: python-distribute
@@ -37,6 +39,8 @@ XML bomb protection for Python stdlib modules.
%prep
%setup -q -n %{module}-%{version}
+%patch0 -p1
+%patch1 -p1
%build
%if %{with python2}
diff --git a/python-defusedxml-entity_loop.patch
b/python-defusedxml-entity_loop.patch
new file mode 100644
index 0000000..9db8c55
--- /dev/null
+++ b/python-defusedxml-entity_loop.patch
@@ -0,0 +1,52 @@
+diff -ru defusedxml-0.4.1-orig/tests.py defusedxml-0.4.1/tests.py
+--- defusedxml-0.4.1-orig/tests.py 2015-07-17 05:28:36.501213026 +0000
++++ defusedxml-0.4.1/tests.py 2015-07-17 05:21:51.633843568 +0000
+@@ -133,11 +133,12 @@
+ self.iterparse(self.xml_simple_ns)
+
+ def test_entities_forbidden(self):
+- self.assertRaises(EntitiesForbidden, self.parse, self.xml_bomb)
++ self.assertRaises((EntitiesForbidden, XMLSyntaxError),
++ self.parse, self.xml_bomb)
+ self.assertRaises(EntitiesForbidden, self.parse, self.xml_quadratic)
+ self.assertRaises(EntitiesForbidden, self.parse, self.xml_external)
+
+- self.assertRaises(EntitiesForbidden, self.parseString,
++ self.assertRaises((EntitiesForbidden, XMLSyntaxError),
self.parseString,
+ self.get_content(self.xml_bomb))
+ self.assertRaises(EntitiesForbidden, self.parseString,
+ self.get_content(self.xml_quadratic))
+@@ -157,8 +158,8 @@
+ forbid_entities=False)
+
+ def test_dtd_forbidden(self):
+- self.assertRaises(DTDForbidden, self.parse, self.xml_bomb,
+- forbid_dtd=True)
++ self.assertRaises((DTDForbidden, XMLSyntaxError), self.parse,
++ self.xml_bomb, forbid_dtd=True)
+ self.assertRaises(DTDForbidden, self.parse, self.xml_quadratic,
+ forbid_dtd=True)
+ self.assertRaises(DTDForbidden, self.parse, self.xml_external,
+@@ -166,7 +167,7 @@
+ self.assertRaises(DTDForbidden, self.parse, self.xml_dtd,
+ forbid_dtd=True)
+
+- self.assertRaises(DTDForbidden, self.parseString,
++ self.assertRaises((DTDForbidden, XMLSyntaxError), self.parseString,
+ self.get_content(self.xml_bomb),
+ forbid_dtd=True)
+ self.assertRaises(DTDForbidden, self.parseString,
+@@ -355,8 +356,11 @@
+ pass
+
+ def test_restricted_element1(self):
+- tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
+- forbid_entities=False)
++ try:
++ tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
++ forbid_entities=False)
++ except XMLSyntaxError:
++ return
+ root = tree.getroot()
+ self.assertEqual(root.text, None)
+
diff --git a/python-defusedxml-format_strings.patch
b/python-defusedxml-format_strings.patch
new file mode 100644
index 0000000..67a6f71
--- /dev/null
+++ b/python-defusedxml-format_strings.patch
@@ -0,0 +1,63 @@
+diff -ru defusedxml-0.4.1-orig/defusedxml/common.py
defusedxml-0.4.1/defusedxml/common.py
+--- defusedxml-0.4.1-orig/defusedxml/common.py 2015-07-17 05:28:36.502213030
+0000
++++ defusedxml-0.4.1/defusedxml/common.py 2015-07-22 11:22:24.203648541
+0000
+@@ -30,7 +30,7 @@
+ self.pubid = pubid
+
+ def __str__(self):
+- tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
++ tpl = "DTDForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
+ return tpl.format(self.name, self.sysid, self.pubid)
+
+
+@@ -47,7 +47,7 @@
+ self.notation_name = notation_name
+
+ def __str__(self):
+- tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
++ tpl = "EntitiesForbidden(name='{0}', system_id={1!r},
public_id={2!r})"
+ return tpl.format(self.name, self.sysid, self.pubid)
+
+
+@@ -62,7 +62,7 @@
+ self.pubid = pubid
+
+ def __str__(self):
+- tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
++ tpl = "ExternalReferenceForbidden(system_id='{0}', public_id={1})"
+ return tpl.format(self.sysid, self.pubid)
+
+
+diff -ru defusedxml-0.4.1-orig/other/exploit_webdav.py
defusedxml-0.4.1/other/exploit_webdav.py
+--- defusedxml-0.4.1-orig/other/exploit_webdav.py 2015-07-17
05:28:36.503213033 +0000
++++ defusedxml-0.4.1/other/exploit_webdav.py 2015-07-22 11:23:15.893964297
+0000
+@@ -9,7 +9,7 @@
+ import httplib
+
+ if len(sys.argv) != 2:
+- sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
++ sys.exit("{0} http://user:password@host:port/".format(sys.argv[0]))
+
+ url = urlparse.urlparse(sys.argv[1])
+
+diff -ru defusedxml-0.4.1-orig/other/exploit_xmlrpc.py
defusedxml-0.4.1/other/exploit_xmlrpc.py
+--- defusedxml-0.4.1-orig/other/exploit_xmlrpc.py 2015-07-17
05:28:36.502213030 +0000
++++ defusedxml-0.4.1/other/exploit_xmlrpc.py 2015-07-22 11:23:59.536230889
+0000
+@@ -7,7 +7,7 @@
+ import urllib2
+
+ if len(sys.argv) != 2:
+- sys.exit("{} url".format(sys.argv[0]))
++ sys.exit("{0} url".format(sys.argv[0]))
+
+ url = sys.argv[1]
+
+@@ -32,7 +32,7 @@
+
+ req = urllib2.Request(url, data=xml, headers=headers)
+
+-print("Sending request to {}".format(url))
++print("Sending request to {0}".format(url))
+
+ resp = urllib2.urlopen(req)
+
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/python-defusedxml.git/commitdiff/039e98b00ec0707675e3b5b7422f06249e3d83b2
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
