godotengine/buildroot
1
0
Fork 0
mirror of https://github.com/godotengine/buildroot.git synced 2026-01-02 21:48:20 +03:00
Code Issues Packages Projects Releases Wiki Activity

package/python-markdown2: drop patches

Browse Source 
On master, commit 544007dcc4 itroduced patches to fix CVE-2020-11888.
On next, commit 604fe08806 itroduced the exact same patches for the
exact same reason.

But on next, commit 81b3fd8654 bumped the version and dropped the
patches.

When next was merged into master in commit a6569f2b3d, the patches
introduced by 544007dcc4 (on master) were retained.

Fixes:
 - http://autobuild.buildroot.org/results/bf305c78dddd035b97e88943a1d19a8ceb6b41f7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: rewrite commit log with detailed explanations]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine
2020-06-05 23:03:51 +02:00
committed by Yann E. MORIN
parent 7592cc4ad2
commit cae6c8b57f
3 changed files with 0 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
View File

@@ -1,53 +0,0 @@
From 9144d0fc5d5249cc4d81287ee79091806e6dde52 Mon Sep 17 00:00:00 2001
From: Gareth Simpson <gareth.simpson@zoodigital.com>
Date: Fri, 1 May 2020 19:31:21 +0100
Subject: [PATCH] Fix for issue 348 - incomplete tags with punctuation after as
part of the tag name are a source of XSS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/trentm/python-markdown2/commit/9144d0fc5d5249cc4d81287ee79091806e6dde52]
---
lib/markdown2.py | 2 +-
test/tm-cases/issue348_incomplete_tag.html | 1 +
test/tm-cases/issue348_incomplete_tag.opts | 1 +
test/tm-cases/issue348_incomplete_tag.text | 1 +
4 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 test/tm-cases/issue348_incomplete_tag.html
create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
create mode 100644 test/tm-cases/issue348_incomplete_tag.text
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 3a5d5d9..636bf07 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,7 +2164,7 @@ def _encode_amps_and_angles(self, text):
text = self._naked_gt_re.sub('&gt;', text)
return text
- _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
+ _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
def _encode_incomplete_tags(self, text):
if self.safe_mode not in ("replace", "escape"):
diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
new file mode 100644
index 0000000..46059cc
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.html
@@ -0,0 +1 @@
+<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
new file mode 100644
index 0000000..ad487c0
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.opts
@@ -0,0 +1 @@
+{"safe_mode": "escape"}
diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
new file mode 100644
index 0000000..bb4a0de
--- /dev/null
+++ b/test/tm-cases/issue348_incomplete_tag.text
@@ -0,0 +1 @@
+<lol@/ //id="pwn"//onclick="alert(1)"//**abc**

32
package/python-markdown2/0002-Better-fix-for-issue-348.patch
View File

@@ -1,32 +0,0 @@
From 0c0543846fa54281e2269b0bff841a0b9ffe23fe Mon Sep 17 00:00:00 2001
From: Gareth Simpson <gareth.simpson@zoodigital.com>
Date: Sat, 2 May 2020 21:22:36 +0100
Subject: [PATCH] Better fix for issue 348
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/trentm/python-markdown2/commit/0c0543846fa54281e2269b0bff841a0b9ffe23fe]
---
lib/markdown2.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 636bf07..be86502 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,11 +2164,14 @@ def _encode_amps_and_angles(self, text):
text = self._naked_gt_re.sub('&gt;', text)
return text
- _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
+ _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
def _encode_incomplete_tags(self, text):
if self.safe_mode not in ("replace", "escape"):
return text
+
+ if text.endswith(">"):
+ return text # this is not an incomplete tag, this is a link in the form <http://x.y.z>
return self._incomplete_tags_re.sub("&lt;\\1", text)

4
package/python-markdown2/python-markdown2.mk
View File

@@ -11,8 +11,4 @@ PYTHON_MARKDOWN2_SETUP_TYPE = setuptools
PYTHON_MARKDOWN2_LICENSE = MIT
PYTHON_MARKDOWN2_LICENSE_FILES = LICENSE.txt
# 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
# 0002-Better-fix-for-issue-348.patch
PYTHON_MARKDOWN2_IGNORE_CVES += CVE-2020-11888
$(eval $(python-package))