Upstream's 3.1.2 release had just the security fix in it. I propose updating
buster with it (I put 3.1.3 in unstable, but it had non-security fixes in it).
I'm not 100% sure whether we need to modify the import path for the new test,
since we don't use the vendored html5lib, but other than that (which I will
investigate), this should be good.
Scott K
diff -Nru python-bleach-3.1.1/bleach/html5lib_shim.py python-bleach-3.1.2/bleach/html5lib_shim.py
--- python-bleach-3.1.1/bleach/html5lib_shim.py 2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/bleach/html5lib_shim.py 2020-03-17 10:26:44.0 -0400
@@ -533,7 +533,18 @@
class BleachHTMLSerializer(HTMLSerializer):
-"""HTMLSerializer that undoes & -> in attributes"""
+"""HTMLSerializer that undoes & -> in attributes and sets
+escape_rcdata to True
+"""
+
+# per the HTMLSerializer.__init__ docstring:
+#
+# Whether to escape characters that need to be
+# escaped within normal elements within rcdata elements such as
+# style.
+#
+escape_rcdata = True
+
def escape_base_amp(self, stoken):
"""Escapes just bare & in HTML attribute values"""
# First, undo escaping of &. We need to do this because html5lib's
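Review bot: `escape_rcdata = True` is only a class-level default, and if HTMLSerializer.__init__ still takes each option from kwargs (html5lib does `setattr(self, attr, kwargs.get(attr, getattr(self, attr)))` for every entry in `options`, as far as I recall), a caller that constructs BleachHTMLSerializer with `escape_rcdata=False` silently gets the pre-fix serialization back. Consider pinning it in an `__init__` override that sets the attribute after calling `super().__init__`, or at least stating in the class docstring that this attribute must not be overridden. The comment above the attribute quotes what the option does but not why Bleach needs it; I would add `# Bleach relies on this so RCDATA content (e.g. style/script inside math or svg) is escaped rather than emitted raw — see the 3.1.2 security fix in CHANGES.` The class body continues past the end of the hunk.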
diff -Nru python-bleach-3.1.1/bleach/__init__.py python-bleach-3.1.2/bleach/__init__.py
--- python-bleach-3.1.1/bleach/__init__.py 2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/bleach/__init__.py 2020-03-17 10:26:44.0 -0400
@@ -18,9 +18,9 @@
# mmdd
-__releasedate__ = '20200213'
+__releasedate__ = '20200311'
# x.y.z or x.y.z.dev0 -- semver
-__version__ = '3.1.1'
+__version__ = '3.1.2'
VERSION = parse_version(__version__)
diff -Nru python-bleach-3.1.1/CHANGES python-bleach-3.1.2/CHANGES
--- python-bleach-3.1.1/CHANGES 2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/CHANGES 2020-03-17 10:26:44.0 -0400
@@ -1,6 +1,40 @@
Bleach changes
==
+Version 3.1.2 (March 11th, 2020)
+
+
+**Security fixes**
+
+* ``bleach.clean`` behavior parsing embedded MathML and SVG content
+ with RCDATA tags did not match browser behavior and could result in
+ a mutation XSS.
+
+ Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
+ ``svg`` tags and one or more of the RCDATA tags ``script``,
+ ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
+ ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
+ XSS.
+
+ This security issue was confirmed in Bleach version v3.1.1. Earlier
+ versions are likely affected too.
+
+ Anyone using Bleach <=v3.1.1 is encouraged to upgrade.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
+
+**Backwards incompatible changes**
+
+None
+
+**Features**
+
+None
+
+**Bug fixes**
+
+None
+
Version 3.1.1 (February 13th, 2020)
---
diff -Nru python-bleach-3.1.1/debian/changelog python-bleach-3.1.2/debian/changelog
--- python-bleach-3.1.1/debian/changelog 2020-02-27 05:53:52.0 -0500
+++ python-bleach-3.1.2/debian/changelog 2020-03-19 00:14:11.0 -0400
@@ -1,3 +1,9 @@
+python-bleach (3.1.2-0+deb10u1) buster; urgency=medium
+
+ * New upstream security release (Closes: #954236)
+
+ -- Scott Kitterman Thu, 19 Mar 2020 00:14:11 -0400
+
python-bleach (3.1.1-0+deb10u1) buster-security; urgency=high
* New upstream security release (Closes: #951907)
diff -Nru python-bleach-3.1.1/requirements-dev.txt python-bleach-3.1.2/requirements-dev.txt
--- python-bleach-3.1.1/requirements-dev.txt 2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/requirements-dev.txt 2020-03-17 10:26:44.0 -0400
@@ -11,3 +11,6 @@
# Requirements for updating package
twine
+
+# Requirements for running setup.py bdist_wheel
+wheel
diff -Nru python-bleach-3.1.1/tests/test_clean.py python-bleach-3.1.2/tests/test_clean.py
--- python-bleach-3.1.1/tests/test_clean.py 2020-02-19 12:34:12.0 -0500
+++ python-bleach-3.1.2/tests/test_clean.py 2020-03-17 10:26:44.0 -0400
@@ -5,7 +5,7 @@
from bleach import clean
from bleach.html5lib_shim import Filter
from bleach.sanitizer import Cleaner
-
+from bleach._vendor.html5lib.constants import rcdataElements
def test_clean_idempotent():
"""Make sure that applying the filter twice doesn't change anything."""
@@ -787,7 +787,7 @@
(
raw_tag,
"<%s>" % raw_tag,
-"<%s>img src=x onerror=alert(1) /" % raw_tag,
+"%simg src=x onerror=alert(1) /" % raw_tag,
)
for raw_tag in _raw_tags
],
@@ -797,6 +797,29 @@
assert clean(data, tags=["noscript", raw_tag]) == expected
+@pytest.mark.parametrize(
+"namespace_tag, rc_data_element_tag, data, expected",
+[
+(
+namespace_tag,
+rc_data_element_tag,
+"<%s><%s>" % (namespace_tag, rc_data_element_tag),
+"<%s><%s>img src=x onerror=alert(1)" %