Upstream's 3.1.2 release had just the security fix in it.  I propose updating
buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it).

I'm not 100% sure whether we need to modify the import path for the new test,
since we don't use the vendored html5lib; I will investigate that, but otherwise
this should be good.

Scott K
diff -Nru python-bleach-3.1.1/bleach/html5lib_shim.py python-bleach-3.1.2/bleach/html5lib_shim.py
--- python-bleach-3.1.1/bleach/html5lib_shim.py	2020-02-19 12:34:12.000000000 -0500
+++ python-bleach-3.1.2/bleach/html5lib_shim.py	2020-03-17 10:26:44.000000000 -0400
@@ -533,7 +533,18 @@
 
 
 class BleachHTMLSerializer(HTMLSerializer):
-    """HTMLSerializer that undoes & -> & in attributes"""
+    """HTMLSerializer that undoes & -> & in attributes and sets
+    escape_rcdata to True
+    """
+
+    # per the HTMLSerializer.__init__ docstring:
+    #
+    # Whether to escape characters that need to be
+    # escaped within normal elements within rcdata elements such as
+    # style.
+    #
+    escape_rcdata = True
+
     def escape_base_amp(self, stoken):
         """Escapes just bare & in HTML attribute values"""
         # First, undo escaping of &. We need to do this because html5lib's
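Review bot: The new comment above `escape_rcdata = True` repeats what the html5lib option does but not why Bleach now forces it, so a later cleanup could drop the attribute without realising it is the fix for the RCDATA mutation XSS described in the CHANGES entry of this same patch. I would add the rationale next to the quoted docstring, e.g. `# Security: text inside allowed RCDATA elements (style, script, noscript, ...) is entity-escaped on output` and `# so the browser cannot re-parse it as markup; see CHANGES 3.1.2 / bug 1621692.` Because `HTMLSerializer.__init__` is not in this hunk, it is not visible here whether a caller-supplied `escape_rcdata=False` keyword would override this class attribute; that is worth confirming and, if so, documenting. The body of `BleachHTMLSerializer` continues past the end of the hunk.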
diff -Nru python-bleach-3.1.1/bleach/__init__.py python-bleach-3.1.2/bleach/__init__.py
--- python-bleach-3.1.1/bleach/__init__.py	2020-02-19 12:34:12.000000000 -0500
+++ python-bleach-3.1.2/bleach/__init__.py	2020-03-17 10:26:44.000000000 -0400
@@ -18,9 +18,9 @@
 
 
 # yyyymmdd
-__releasedate__ = '20200213'
+__releasedate__ = '20200311'
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.1'
+__version__ = '3.1.2'
 VERSION = parse_version(__version__)
 
 
diff -Nru python-bleach-3.1.1/CHANGES python-bleach-3.1.2/CHANGES
--- python-bleach-3.1.1/CHANGES	2020-02-19 12:34:12.000000000 -0500
+++ python-bleach-3.1.2/CHANGES	2020-03-17 10:26:44.000000000 -0400
@@ -1,6 +1,40 @@
 Bleach changes
 ==============
 
+Version 3.1.2 (March 11th, 2020)
+--------------------------------
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing embedded MathML and SVG content
+  with RCDATA tags did not match browser behavior and could result in
+  a mutation XSS.
+
+  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
+  ``svg`` tags and one or more of the RCDATA tags ``script``,
+  ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
+  ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
+  XSS.
+
+  This security issue was confirmed in Bleach version v3.1.1. Earlier
+  versions are likely affected too.
+
+  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.
+
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
+
+**Backwards incompatible changes**
+
+None
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
 Version 3.1.1 (February 13th, 2020)
 -----------------------------------
 
diff -Nru python-bleach-3.1.1/debian/changelog python-bleach-3.1.2/debian/changelog
--- python-bleach-3.1.1/debian/changelog	2020-02-27 05:53:52.000000000 -0500
+++ python-bleach-3.1.2/debian/changelog	2020-03-19 00:14:11.000000000 -0400
@@ -1,3 +1,9 @@
+python-bleach (3.1.2-0+deb10u1) buster; urgency=medium
+
+  * New upstream security release (Closes: #954236)
+
+ -- Scott Kitterman <sc...@kitterman.com>  Thu, 19 Mar 2020 00:14:11 -0400
+
 python-bleach (3.1.1-0+deb10u1) buster-security; urgency=high
 
   * New upstream security release (Closes: #951907)
diff -Nru python-bleach-3.1.1/requirements-dev.txt python-bleach-3.1.2/requirements-dev.txt
--- python-bleach-3.1.1/requirements-dev.txt	2020-02-19 12:34:12.000000000 -0500
+++ python-bleach-3.1.2/requirements-dev.txt	2020-03-17 10:26:44.000000000 -0400
@@ -11,3 +11,6 @@
 
 # Requirements for updating package
 twine
+
+# Requirements for running setup.py bdist_wheel
+wheel
diff -Nru python-bleach-3.1.1/tests/test_clean.py python-bleach-3.1.2/tests/test_clean.py
--- python-bleach-3.1.1/tests/test_clean.py	2020-02-19 12:34:12.000000000 -0500
+++ python-bleach-3.1.2/tests/test_clean.py	2020-03-17 10:26:44.000000000 -0400
@@ -5,7 +5,7 @@
 from bleach import clean
 from bleach.html5lib_shim import Filter
 from bleach.sanitizer import Cleaner
-
+from bleach._vendor.html5lib.constants import rcdataElements
 
 def test_clean_idempotent():
     """Make sure that applying the filter twice doesn't change anything."""
@@ -787,7 +787,7 @@
         (
             raw_tag,
             "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
-            "<noscript><%s></noscript>&lt;img src=x onerror=alert(1) /&gt;" % raw_tag,
+            "<noscript>&lt;%s&gt;</noscript>&lt;img src=x onerror=alert(1) /&gt;" % raw_tag,
         )
         for raw_tag in _raw_tags
     ],
@@ -797,6 +797,29 @@
     assert clean(data, tags=["noscript", raw_tag]) == expected
 
 
+@pytest.mark.parametrize(
+    "namespace_tag, rc_data_element_tag, data, expected",
+    [
+        (
+            namespace_tag,
+            rc_data_element_tag,
+            "<%s><%s><img src=x onerror=alert(1)>" % (namespace_tag, rc_data_element_tag),
+            "<%s><%s>&lt;img src=x onerror=alert(1)&gt;</%s></%s>" % (namespace_tag, rc_data_element_tag, rc_data_element_tag, namespace_tag),
+        )
+        for namespace_tag in ["math", "svg"]
+        # https://dev.w3.org/html5/html-author/#rcdata-elements
+        # https://html.spec.whatwg.org/index.html#parsing-html-fragments
+        # in html5lib: 'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', and 'noscript'
+        for rc_data_element_tag in rcdataElements
+    ],
+)
+def test_namespace_rc_data_element_strip_false(namespace_tag, rc_data_element_tag, data, expected):
+    # refs: bug 1621692 / GHSA-m6xf-fq7q-8743
+    #
+    # browsers will pull the img out of the namespace and rc data tag resulting in XSS
+    assert clean(data, tags=[namespace_tag, rc_data_element_tag], strip=False) == expected
+
+
 def get_ids_and_tests():
     """Retrieves regression tests from data/ directory
 
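Review bot: `test_namespace_rc_data_element_strip_false` pins only `strip=False`, the configuration the CHANGES entry names as vulnerable; adding a `strip` dimension to the parametrize list so the `strip=True` path is exercised with the same `math`/`svg` + RCDATA inputs would guard that path against regression at little cost (its expected output would need to be derived from the current behaviour rather than assumed). The three-line `#` comment at the top of the function is the test's rationale and would read better as a docstring, matching `test_clean_idempotent` in this file: `"""Regression test for bug 1621692 / GHSA-m6xf-fq7q-8743: browsers pull the img out of the namespace and RCDATA tag, resulting in XSS."""`. The `%` formatting of `expected` repeats `rc_data_element_tag` and `namespace_tag` positionally; an f-string or `.format` with named fields would make the closing-tag order harder to get wrong. `get_ids_and_tests` at the end of the hunk continues outside it.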
