Hello community,

here is the log from the commit of package python-markdown2 for 
openSUSE:Factory checked in at 2020-05-08 23:07:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-markdown2 (Old)
 and      /work/SRC/openSUSE:Factory/.python-markdown2.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-markdown2"

Fri May  8 23:07:02 2020 rev:5 rq:801323 version:2.3.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-markdown2/python-markdown2.changes        
2019-07-24 20:35:45.438572624 +0200
+++ 
/work/SRC/openSUSE:Factory/.python-markdown2.new.2738/python-markdown2.changes  
    2020-05-08 23:07:08.422081484 +0200
@@ -1,0 +2,8 @@
+Thu May  7 14:35:38 UTC 2020 - Petr Cervinka <p...@cervinka.net>
+
+- Add patch to fix unsanitized input for cross-site scripting (boo#1171379)
+  0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch
+- Add patch to fix faling unit test
+  0002-Fixed-code-highlighting-unit-tests.patch
+   
+-------------------------------------------------------------------
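Review bot: typo in the second entry, "faling" should read "failing" (the entry for 0002-Fixed-code-highlighting-unit-tests.patch). It would also help the next maintainer to record in the entry where each patch comes from (upstream commits 9144d0f and 55ba78e according to the patch headers below), since that is what decides whether the patches can be dropped on the next version update.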

New:
----
  0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch
  0002-Fixed-code-highlighting-unit-tests.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-markdown2.spec ++++++
--- /var/tmp/diff_new_pack.XSaJnC/_old  2020-05-08 23:07:09.610083911 +0200
+++ /var/tmp/diff_new_pack.XSaJnC/_new  2020-05-08 23:07:09.610083911 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-markdown2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,8 @@
 Group:          Development/Languages/Python
 URL:            https://github.com/trentm/python-markdown2
 Source:         
https://files.pythonhosted.org/packages/source/m/markdown2/markdown2-%{version}.tar.gz
+Patch0:         0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch
+Patch1:         0002-Fixed-code-highlighting-unit-tests.patch
 BuildRequires:  %{python_module pygments}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
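Review bot: the two new Patch lines carry no origin comment; openSUSE spec convention is a `# PATCH-FIX-UPSTREAM` line before each, naming the source and bug, e.g. `# PATCH-FIX-UPSTREAM 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch boo#1171379 -- upstream 9144d0f`. Separately, Patch1 rewrites the expected Pygments token classes in the tests (`bp` to `kc`, `k` to `nb`), which ties the test suite to whichever Pygments release is in the build environment; a lower bound on `BuildRequires: %{python_module pygments}` matching the release whose output the tests now expect would make that dependency explicit instead of implicit.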
@@ -44,6 +46,8 @@
 
 %prep
 %setup -q -n markdown2-%{version}
+%patch0 -p1
+%patch1 -p1
 
 %build
 %python_build

++++++ 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-a.patch ++++++
From 9144d0fc5d5249cc4d81287ee79091806e6dde52 Mon Sep 17 00:00:00 2001
From: Gareth Simpson <gareth.simp...@zoodigital.com>
Date: Fri, 1 May 2020 19:31:21 +0100
Subject: [PATCH] Fix for issue 348 - incomplete tags with punctuation after as
 part of the tag name are a source of XSS

---
 lib/markdown2.py                           | 2 +-
 test/tm-cases/issue348_incomplete_tag.html | 1 +
 test/tm-cases/issue348_incomplete_tag.opts | 1 +
 test/tm-cases/issue348_incomplete_tag.text | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 test/tm-cases/issue348_incomplete_tag.html
 create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
 create mode 100644 test/tm-cases/issue348_incomplete_tag.text

diff --git a/lib/markdown2.py b/lib/markdown2.py
index 3a5d5d9..636bf07 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,7 +2164,7 @@ class Markdown(object):
         text = self._naked_gt_re.sub('&gt;', text)
         return text
 
-    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
+    _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
 
     def _encode_incomplete_tags(self, text):
         if self.safe_mode not in ("replace", "escape"):
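Review bot: the `.?` added to `_incomplete_tags_re` tolerates exactly one non-word character between the tag name and the following whitespace or `/`, so the fix covers only the single-punctuation shape of the test case: `<lol@@/ ...` or `<lol@x@/ ...` still fail to match, and an HTML tokenizer treats every character other than whitespace, `/` and `>` as part of the tag name, so if nothing later in the safe-mode path escapes it, that variant reaches the browser as a start tag with `id` and `onclick` attributes. Consider accepting a run of non-delimiter characters while keeping the autolink exclusion before each one, along the lines of `<(/?\w(?:(?!://)[^\s/>])*[\s/]+?)`, and add a test for the two-character case. Two smaller points: the pattern is still a non-raw string, so `\w` and `\s` produce invalid-escape warnings on recent Python (`re.compile(r"...")` avoids that), and the purpose of the `(?!://)` lookahead (not escaping `<http://` autolinks) deserves a comment, since nothing in the hunk explains it.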
diff --git a/test/tm-cases/issue348_incomplete_tag.html 
b/test/tm-cases/issue348_incomplete_tag.html
new file mode 100644
index 0000000..46059cc
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.html
@@ -0,0 +1 @@
+<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
diff --git a/test/tm-cases/issue348_incomplete_tag.opts 
b/test/tm-cases/issue348_incomplete_tag.opts
new file mode 100644
index 0000000..ad487c0
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue348_incomplete_tag.text 
b/test/tm-cases/issue348_incomplete_tag.text
new file mode 100644
index 0000000..bb4a0de
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.text
@@ -0,0 +1 @@
+<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
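Review bot: the new case pins only the single-punctuation shape the fix was written for; add a variant with two consecutive non-word characters after the name (e.g. `<lol@@/ //id="pwn"//onclick="alert(1)"//`) and a safe_mode "escape" case containing an autolink such as `<http://example.com>`, so that the `(?!://)` lookahead in the new regex is covered by a test rather than only by inspection.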
-- 
2.26.2
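As an added example, not part of the patch or of markdown2's own code, the Python below applies the pre-fix and fixed `_incomplete_tags_re` patterns quoted in the hunk above to the patch's own test input and to two constructed inputs: a two-punctuation variant and a pair of autolinks. It also defines two constructed patterns that are not in the patch: NAIVE_RE, which drops the `(?!://)` lookahead to show why it is there, and STRICT_RE, a candidate hardening that accepts any run of non-delimiter characters in the tag name. `escape_incomplete_tags` is a simplified stand-in for markdown2's `_encode_incomplete_tags`, not the library's method.

```python
import re

# Patterns copied from the hunk in lib/markdown2.py (written as raw strings):
# the pre-fix pattern and the fixed pattern.
OLD_RE = re.compile(r"<(/?\w+[\s/]+?)")
FIXED_RE = re.compile(r"<(/?\w+?(?!://).?[\s/]+?)")

# Constructed variants (not in the patch), used only to explain the fix:
#  - NAIVE_RE drops the (?!://) lookahead, to show what it protects
#  - STRICT_RE accepts a run of non-delimiter characters in the tag name
#    instead of the single `.?`, which is how an HTML tokenizer reads names
NAIVE_RE = re.compile(r"<(/?\w+?.?[\s/]+?)")
STRICT_RE = re.compile(r"<(/?\w(?:(?!://)[^\s/>])*[\s/]+?)")


def escape_incomplete_tags(text, pattern=FIXED_RE):
    """Escape the '<' of every match, as markdown2's safe-mode
    _encode_incomplete_tags step does. Simplified stand-in for that
    method (the real one also skips text that ends in '>')."""
    return pattern.sub(r"&lt;\1", text)


# Inputs: the first is the patch's own test case, the other two are constructed.
XSS_INPUT = '<lol@/ //id="pwn"//onclick="alert(1)"//**abc**'
DOUBLE_PUNCT = '<lol@@/ //id="pwn"//onclick="alert(1)"//**abc**'
AUTOLINKS = '<http://example.com/a> and <https://example.org/>'


def is_neutralised(text, pattern):
    """True if the pattern escapes the leading '<' of the text."""
    return escape_incomplete_tags(text, pattern).startswith("&lt;")


def matrix():
    """Which pattern neutralises which input. The XSS rows should be True,
    the autolink row must stay False (an escaped autolink is a regression)."""
    patterns = {"old": OLD_RE, "fixed": FIXED_RE, "naive": NAIVE_RE, "strict": STRICT_RE}
    inputs = {"xss": XSS_INPUT, "double_punct": DOUBLE_PUNCT, "autolinks": AUTOLINKS}
    return {
        name: {iname: is_neutralised(itext, pat) for iname, itext in inputs.items()}
        for name, pat in patterns.items()
    }


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:7s}", row)
```

The matrix shows the shape of the fix: the old pattern escapes nothing, the fixed pattern escapes the test input but not the two-punctuation variant, the naive pattern would escape the autolinks (which is why the lookahead is there), and the strict pattern escapes both XSS inputs while leaving the autolinks alone.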

++++++ 0002-Fixed-code-highlighting-unit-tests.patch ++++++
From 55ba78e29ac983978806970ce4b81718fe68275b Mon Sep 17 00:00:00 2001
From: ryanvilbrandt <ryan.vilbra...@gmail.com>
Date: Tue, 26 Nov 2019 13:54:27 -0800
Subject: [PATCH 2/2] Fixed code highlighting unit tests

Which broke for some reason??
---
 test/tm-cases/fenced_code_blocks_leading_lang_space.html  | 4 ++--
 test/tm-cases/fenced_code_blocks_safe_highlight.html      | 4 ++--
 test/tm-cases/fenced_code_blocks_syntax_highlighting.html | 4 ++--
 test/tm-cases/fenced_code_blocks_syntax_indentation.html  | 4 ++--
 test/tm-cases/issue3_bad_code_color_hack.html             | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/test/tm-cases/fenced_code_blocks_leading_lang_space.html 
b/test/tm-cases/fenced_code_blocks_leading_lang_space.html
index 8f7a090..a61524b 100644
--- a/test/tm-cases/fenced_code_blocks_leading_lang_space.html
+++ b/test/tm-cases/fenced_code_blocks_leading_lang_space.html
@@ -1,3 +1,3 @@
-<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="bp">True</span><span class="p">:</span>
-    <span class="k">print</span> <span class="s2">&quot;hi&quot;</span>
+<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="kc">True</span><span class="p">:</span>
+    <span class="nb">print</span> <span class="s2">&quot;hi&quot;</span>
 </code></pre></div>
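Review bot: the commit message leaves the cause as "broke for some reason"; the class changes in this and the following hunks (`bp` to `kc` for `True`, `k` to `nb` for `print`) are what Pygments' Python 3 lexer emits, and the Pygments 2.5 release made the `python` lexer target Python 3, which matches the November 2019 date of the commit. Stating that in the message, and pinning the Pygments version the expectations now target, would stop the suite from breaking again in the other direction on a build host with an older Pygments.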
diff --git a/test/tm-cases/fenced_code_blocks_safe_highlight.html 
b/test/tm-cases/fenced_code_blocks_safe_highlight.html
index df5bbec..a08985a 100644
--- a/test/tm-cases/fenced_code_blocks_safe_highlight.html
+++ b/test/tm-cases/fenced_code_blocks_safe_highlight.html
@@ -1,5 +1,5 @@
-<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="bp">True</span><span class="p">:</span>
-    <span class="k">print</span> <span class="s2">&quot;hi&quot;</span>
+<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="kc">True</span><span class="p">:</span>
+    <span class="nb">print</span> <span class="s2">&quot;hi&quot;</span>
 </code></pre></div>
 
 <p>That's using the <em>fenced-code-blocks</em> extra with Python
diff --git a/test/tm-cases/fenced_code_blocks_syntax_highlighting.html 
b/test/tm-cases/fenced_code_blocks_syntax_highlighting.html
index df5bbec..a08985a 100644
--- a/test/tm-cases/fenced_code_blocks_syntax_highlighting.html
+++ b/test/tm-cases/fenced_code_blocks_syntax_highlighting.html
@@ -1,5 +1,5 @@
-<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="bp">True</span><span class="p">:</span>
-    <span class="k">print</span> <span class="s2">&quot;hi&quot;</span>
+<div class="codehilite"><pre><span></span><code><span class="k">if</span> 
<span class="kc">True</span><span class="p">:</span>
+    <span class="nb">print</span> <span class="s2">&quot;hi&quot;</span>
 </code></pre></div>
 
 <p>That's using the <em>fenced-code-blocks</em> extra with Python
diff --git a/test/tm-cases/fenced_code_blocks_syntax_indentation.html 
b/test/tm-cases/fenced_code_blocks_syntax_indentation.html
index 11a7c24..37b5723 100644
--- a/test/tm-cases/fenced_code_blocks_syntax_indentation.html
+++ b/test/tm-cases/fenced_code_blocks_syntax_indentation.html
@@ -1,5 +1,5 @@
 <div class="codehilite"><pre><span></span><code><span class="k">def</span> 
<span class="nf">foo</span><span class="p">():</span>
-    <span class="k">print</span> <span class="s2">&quot;foo&quot;</span>
+    <span class="nb">print</span> <span class="s2">&quot;foo&quot;</span>
 
-    <span class="k">print</span> <span class="s2">&quot;bar&quot;</span>
+    <span class="nb">print</span> <span class="s2">&quot;bar&quot;</span>
 </code></pre></div>
diff --git a/test/tm-cases/issue3_bad_code_color_hack.html 
b/test/tm-cases/issue3_bad_code_color_hack.html
index 46f329a..8aedb76 100644
--- a/test/tm-cases/issue3_bad_code_color_hack.html
+++ b/test/tm-cases/issue3_bad_code_color_hack.html
@@ -7,6 +7,6 @@
 <p>Some python code:</p>
 
 <div class="codehilite"><pre><span></span><code><span class="c1"># 
комментарий</span>
-<span class="k">if</span> <span class="bp">True</span><span class="p">:</span>
-    <span class="k">print</span> <span class="s2">&quot;hi&quot;</span>
+<span class="k">if</span> <span class="kc">True</span><span class="p">:</span>
+    <span class="nb">print</span> <span class="s2">&quot;hi&quot;</span>
 </code></pre></div>
-- 
2.26.2

