Hello community,

here is the log from the commit of package python-markdown2 for openSUSE:Factory checked in at 2020-05-08 23:07:02

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-markdown2 (Old)
 and      /work/SRC/openSUSE:Factory/.python-markdown2.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-markdown2" Fri May 8 23:07:02 2020 rev:5 rq:801323 version:2.3.8 Changes: -------- --- /work/SRC/openSUSE:Factory/python-markdown2/python-markdown2.changes 2019-07-24 20:35:45.438572624 +0200 +++ /work/SRC/openSUSE:Factory/.python-markdown2.new.2738/python-markdown2.changes 2020-05-08 23:07:08.422081484 +0200 @@ -1,0 +2,8 @@ +Thu May 7 14:35:38 UTC 2020 - Petr Cervinka <p...@cervinka.net> + +- Add patch to fix unsanitized input for cross-site scripting (boo#1171379) + 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch +- Add patch to fix faling unit test + 0002-Fixed-code-highlighting-unit-tests.patch + +------------------------------------------------------------------- New: ---- 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch 0002-Fixed-code-highlighting-unit-tests.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-markdown2.spec ++++++ --- /var/tmp/diff_new_pack.XSaJnC/_old 2020-05-08 23:07:09.610083911 +0200 +++ /var/tmp/diff_new_pack.XSaJnC/_new 2020-05-08 23:07:09.610083911 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-markdown2 # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,8 @@ Group: Development/Languages/Python URL: https://github.com/trentm/python-markdown2 Source: https://files.pythonhosted.org/packages/source/m/markdown2/markdown2-%{version}.tar.gz +Patch0: 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch +Patch1: 0002-Fixed-code-highlighting-unit-tests.patch BuildRequires: %{python_module pygments} BuildRequires: %{python_module setuptools} BuildRequires: fdupes 
@@ -44,6 +46,8 @@ %prep %setup -q -n markdown2-%{version} +%patch0 -p1 +%patch1 -p1 %build %python_build ++++++ 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch ++++++ >From 9144d0fc5d5249cc4d81287ee79091806e6dde52 Mon Sep 17 00:00:00 2001 From: Gareth Simpson <gareth.simp...@zoodigital.com> Date: Fri, 1 May 2020 19:31:21 +0100 Subject: [PATCH] Fix for issue 348 - incomplete tags with punctuation after as part of the tag name are a source of XSS --- lib/markdown2.py | 2 +- test/tm-cases/issue348_incomplete_tag.html | 1 + test/tm-cases/issue348_incomplete_tag.opts | 1 + test/tm-cases/issue348_incomplete_tag.text | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 test/tm-cases/issue348_incomplete_tag.html create mode 100644 test/tm-cases/issue348_incomplete_tag.opts create mode 100644 test/tm-cases/issue348_incomplete_tag.text diff --git a/lib/markdown2.py b/lib/markdown2.py index 3a5d5d9..636bf07 100755 --- a/lib/markdown2.py +++ b/lib/markdown2.py @@ -2164,7 +2164,7 @@ class Markdown(object): text = self._naked_gt_re.sub('>', text) return text - _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)") + _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)") def _encode_incomplete_tags(self, text): if self.safe_mode not in ("replace", "escape"): diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html new file mode 100644 index 0000000..46059cc --- /dev/null +++ b/test/tm-cases/issue348_incomplete_tag.html @@ -0,0 +1 @@ +<p><lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p> diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts new file mode 100644 index 0000000..ad487c0 --- /dev/null +++ b/test/tm-cases/issue348_incomplete_tag.opts @@ -0,0 +1 @@ +{"safe_mode": "escape"} diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text new file mode 100644 index 0000000..bb4a0de --- /dev/null 
+++ b/test/tm-cases/issue348_incomplete_tag.text @@ -0,0 +1 @@ +<lol@/ //id="pwn"//onclick="alert(1)"//**abc** -- 2.26.2 ++++++ 0002-Fixed-code-highlighting-unit-tests.patch ++++++ >From 55ba78e29ac983978806970ce4b81718fe68275b Mon Sep 17 00:00:00 2001 From: ryanvilbrandt <ryan.vilbra...@gmail.com> Date: Tue, 26 Nov 2019 13:54:27 -0800 Subject: [PATCH 2/2] Fixed code highlighting unit tests Which broke for some reason?? --- test/tm-cases/fenced_code_blocks_leading_lang_space.html | 4 ++-- test/tm-cases/fenced_code_blocks_safe_highlight.html | 4 ++-- test/tm-cases/fenced_code_blocks_syntax_highlighting.html | 4 ++-- test/tm-cases/fenced_code_blocks_syntax_indentation.html | 4 ++-- test/tm-cases/issue3_bad_code_color_hack.html | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/test/tm-cases/fenced_code_blocks_leading_lang_space.html b/test/tm-cases/fenced_code_blocks_leading_lang_space.html index 8f7a090..a61524b 100644 --- a/test/tm-cases/fenced_code_blocks_leading_lang_space.html +++ b/test/tm-cases/fenced_code_blocks_leading_lang_space.html @@ -1,3 +1,3 @@ -<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="bp">True</span><span class="p">:</span> - <span class="k">print</span> <span class="s2">"hi"</span> +<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="kc">True</span><span class="p">:</span> + <span class="nb">print</span> <span class="s2">"hi"</span> </code></pre></div> diff --git a/test/tm-cases/fenced_code_blocks_safe_highlight.html b/test/tm-cases/fenced_code_blocks_safe_highlight.html index df5bbec..a08985a 100644 --- a/test/tm-cases/fenced_code_blocks_safe_highlight.html +++ b/test/tm-cases/fenced_code_blocks_safe_highlight.html 
@@ -1,5 +1,5 @@ -<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="bp">True</span><span class="p">:</span> - <span class="k">print</span> <span class="s2">"hi"</span> +<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="kc">True</span><span class="p">:</span> + <span class="nb">print</span> <span class="s2">"hi"</span> </code></pre></div> <p>That's using the <em>fenced-code-blocks</em> extra with Python diff --git a/test/tm-cases/fenced_code_blocks_syntax_highlighting.html b/test/tm-cases/fenced_code_blocks_syntax_highlighting.html index df5bbec..a08985a 100644 --- a/test/tm-cases/fenced_code_blocks_syntax_highlighting.html +++ b/test/tm-cases/fenced_code_blocks_syntax_highlighting.html @@ -1,5 +1,5 @@ -<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="bp">True</span><span class="p">:</span> - <span class="k">print</span> <span class="s2">"hi"</span> +<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="kc">True</span><span class="p">:</span> + <span class="nb">print</span> <span class="s2">"hi"</span> </code></pre></div> <p>That's using the <em>fenced-code-blocks</em> extra with Python diff --git a/test/tm-cases/fenced_code_blocks_syntax_indentation.html b/test/tm-cases/fenced_code_blocks_syntax_indentation.html index 11a7c24..37b5723 100644 --- a/test/tm-cases/fenced_code_blocks_syntax_indentation.html +++ b/test/tm-cases/fenced_code_blocks_syntax_indentation.html @@ -1,5 +1,5 @@ <div class="codehilite"><pre><span></span><code><span class="k">def</span> <span class="nf">foo</span><span class="p">():</span> - <span class="k">print</span> <span class="s2">"foo"</span> + <span class="nb">print</span> <span class="s2">"foo"</span> - <span class="k">print</span> <span class="s2">"bar"</span> + <span class="nb">print</span> <span class="s2">"bar"</span> </code></pre></div> 
diff --git a/test/tm-cases/issue3_bad_code_color_hack.html b/test/tm-cases/issue3_bad_code_color_hack.html index 46f329a..8aedb76 100644 --- a/test/tm-cases/issue3_bad_code_color_hack.html +++ b/test/tm-cases/issue3_bad_code_color_hack.html @@ -7,6 +7,6 @@ <p>Some python code:</p> <div class="codehilite"><pre><span></span><code><span class="c1"># комментарий</span> -<span class="k">if</span> <span class="bp">True</span><span class="p">:</span> - <span class="k">print</span> <span class="s2">"hi"</span> +<span class="k">if</span> <span class="kc">True</span><span class="p">:</span> + <span class="nb">print</span> <span class="s2">"hi"</span> </code></pre></div> -- 2.26.2
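Review bot: "faling" in the new python-markdown2.changes entry should read "failing" ("Add patch to fix failing unit test"); the entry is what ends up in the package changelog, so the typo is worth fixing before submission.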
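Review bot: `BuildRequires: %{python_module pygments}` in the spec hunk carries no version constraint, yet patch 0002 rewrites the expected highlighter output (`class="bp"` to `class="kc"` for `True`, `class="k"` to `class="nb"` for `print`) to match what a newer Pygments emits; add a minimum Pygments version alongside the new `Patch0`/`Patch1` lines so the test fixtures and the build dependency agree instead of passing only on whichever Pygments the repo happens to carry.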
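Review bot: the new `_incomplete_tags_re` in lib/markdown2.py tolerates exactly one arbitrary character (`.?`) between the tag name and the whitespace-or-slash separator, so it matches the shape of the new fixture (`<lol@/`) but not a name followed by two or more non-word characters, which an HTML tokenizer would still consume as part of the tag name; consider a character class that excludes whitespace, `/` and `>` in that position (keeping the `(?!://)` lookahead, which presumably exists so autolinks like `<http://...>` are left alone) and a second fixture for that shape. Also, both the old and new patterns are ordinary strings containing `\w` and `\s`, which Python 3.6+ reports as invalid escape sequences; `re.compile(r"<(/?\w+?(?!://).?[\s/]+?)")` is the idiomatic form.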
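Review bot: test/tm-cases/issue348_incomplete_tag.opts exercises only `{"safe_mode": "escape"}`, but `_encode_incomplete_tags` returns early only when `self.safe_mode not in ("replace", "escape")`, so the "replace" path runs the same regex and has no fixture; a second .opts/.html pair for "replace" would cover both modes the fix is meant to protect.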
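Review bot: the commit message of 0002 ("Which broke for some reason??") leaves the cause undocumented; the visible edits across the five fixture files swap `class="bp"` for `class="kc"` on `True` and `class="k"` for `class="nb"` on `print`, which are Pygments' Keyword.Constant and Name.Builtin token classes as emitted by its Python 3 lexer (made the default `python` lexer in Pygments 2.5, released days before this commit). State that in the message, or in the .changes entry that carries the patch, so the next person updating these fixtures knows they track the installed Pygments version rather than a markdown2 behaviour change.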