Debdiff for proposed stable security update attached.

The first hunk of the patch has the actual fix.  I would prefer to use the new 
upstream release rather than just patch the one line because of the test 
improvements, the explanation of the issue in the upstream changelog, and 
because using the new upstream makes it clearer to external reviewers that we've done the 
fix.  There are no unrelated changes.

Scott K
diff -Nru python-bleach-3.1.0/bleach/html5lib_shim.py python-bleach-3.1.1/bleach/html5lib_shim.py
--- python-bleach-3.1.0/bleach/html5lib_shim.py	2019-01-09 10:09:26.000000000 -0500
+++ python-bleach-3.1.1/bleach/html5lib_shim.py	2020-02-19 12:34:12.000000000 -0500
@@ -376,7 +376,12 @@
         self.consume_entities = consume_entities
         super(BleachHTMLParser, self).__init__(**kwargs)
 
-    def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs):
+    def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs):
+        # set scripting=True to parse <noscript> as though JS is enabled to
+        # match the expected context in browsers
+        #
+        # https://html.spec.whatwg.org/multipage/scripting.html#the-noscript-element
+        #
         # Override HTMLParser so we can swap out the tokenizer for our own.
         self.innerHTMLMode = innerHTML
         self.container = container
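Review bot: The new default `scripting=True` on `_parse` is only effective for callers that do not pass `scripting` themselves; a caller that explicitly passes `scripting=False` would again parse `<noscript>` content as raw text, which is the condition the changelog describes. The added comment gives the browser-context rationale but not the consequence of overriding it, so I would extend it with `# do not pass scripting=False from callers: noscript would then be parsed as raw text (bug 1615315 / GHSA-q65m-pv3f-wr5r)`, reusing the references the new test already cites. Whether html5lib's own `parse`/`parseFragment` forward `scripting` explicitly or rely on this default is not visible in the hunk and is worth confirming. The body of `_parse` continues past the end of the hunk.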
diff -Nru python-bleach-3.1.0/bleach/__init__.py python-bleach-3.1.1/bleach/__init__.py
--- python-bleach-3.1.0/bleach/__init__.py	2019-01-09 10:09:26.000000000 -0500
+++ python-bleach-3.1.1/bleach/__init__.py	2020-02-19 12:34:12.000000000 -0500
@@ -18,9 +18,9 @@
 
 
 # yyyymmdd
-__releasedate__ = '20190109'
+__releasedate__ = '20200213'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.0'
+__version__ = '3.1.1'
 VERSION = parse_version(__version__)
 
 
diff -Nru python-bleach-3.1.0/CHANGES python-bleach-3.1.1/CHANGES
--- python-bleach-3.1.0/CHANGES	2019-01-09 10:09:26.000000000 -0500
+++ python-bleach-3.1.1/CHANGES	2020-02-19 12:34:12.000000000 -0500
@@ -1,6 +1,41 @@
 Bleach changes
 ==============
 
+Version 3.1.1 (February 13th, 2020)
+-----------------------------------
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
+  browser behavior.
+
+  Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
+  the raw text tags (``title``, ``textarea``, ``script``, ``style``,
+  ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
+  to a mutation XSS.
+
+  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
+  and v3.1.0. Earlier versions are probably affected too.
+
+  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
+
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
+
+**Backwards incompatible changes**
+
+None
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
+Bleach changes
+==============
+
 Version 3.1.0 (January 9th, 2019)
 ---------------------------------
 
@@ -76,7 +111,7 @@
 
 * Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398)
 * Fix ``abbr`` getting escaped in ``linkify``. (#400)
- 
+
 
 Version 3.0.0 (October 3rd, 2018)
 ---------------------------------
diff -Nru python-bleach-3.1.0/debian/changelog python-bleach-3.1.1/debian/changelog
--- python-bleach-3.1.0/debian/changelog	2019-01-15 00:46:11.000000000 -0500
+++ python-bleach-3.1.1/debian/changelog	2020-02-22 19:08:53.000000000 -0500
@@ -1,3 +1,9 @@
+python-bleach (3.1.1-0+deb10u1) buster-security; urgency=medium
+
+  * New upstream security release (Closes: #951907)
+
+ -- Scott Kitterman <sc...@kitterman.com>  Sat, 22 Feb 2020 19:08:53 -0500
+
 python-bleach (3.1.0-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru python-bleach-3.1.0/debian/gbp.conf python-bleach-3.1.1/debian/gbp.conf
--- python-bleach-3.1.0/debian/gbp.conf	2018-01-09 19:44:47.000000000 -0500
+++ python-bleach-3.1.1/debian/gbp.conf	2020-02-22 19:06:54.000000000 -0500
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch=debian/master
+debian-branch=debian/buster
diff -Nru python-bleach-3.1.0/tests/test_clean.py python-bleach-3.1.1/tests/test_clean.py
--- python-bleach-3.1.0/tests/test_clean.py	2019-01-09 10:09:26.000000000 -0500
+++ python-bleach-3.1.1/tests/test_clean.py	2020-02-19 12:34:12.000000000 -0500
@@ -769,6 +769,34 @@
     assert clean('<d {c}>') == '&lt;d {c}&gt;'
 
 
+# tags that get content passed through (i.e. parsed with parseRCDataRawtext)
+_raw_tags = [
+    "title",
+    "textarea",
+    "script",
+    "style",
+    "noembed",
+    "noframes",
+    "iframe",
+    "xmp",
+]
+
+@pytest.mark.parametrize(
+    "raw_tag, data, expected",
+    [
+        (
+            raw_tag,
+            "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
+            "<noscript><%s></noscript>&lt;img src=x onerror=alert(1) /&gt;" % raw_tag,
+        )
+        for raw_tag in _raw_tags
+    ],
+)
+def test_noscript_rawtag_(raw_tag, data, expected):
+    # refs: bug 1615315 / GHSA-q65m-pv3f-wr5r
+    assert clean(data, tags=["noscript", raw_tag]) == expected
+
+
 def get_ids_and_tests():
     """Retrieves regression tests from data/ directory
 
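Review bot: The new test function is named `test_noscript_rawtag_` with a stray trailing underscore; `def test_noscript_rawtag(raw_tag, data, expected):` reads as intended. The parametrize ids will be generated from the full markup strings, so a failure is hard to read; adding `ids=_raw_tags` to `pytest.mark.parametrize` labels each case by its raw-text tag instead. The comment on `_raw_tags` could also say why these tags matter here, e.g. `# raw-text tags: content is passed through unescaped, so a noscript wrapper must not change how they are tokenized`. `get_ids_and_tests` starts on the trailing context lines and continues outside the hunk.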
