Hello community, here is the log from the commit of package python3-mistune for openSUSE:Factory checked in at 2016-02-29 09:14:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-mistune (Old) and /work/SRC/openSUSE:Factory/.python3-mistune.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python3-mistune" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-mistune/python3-mistune.changes 2015-10-20 00:06:51.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3-mistune.new/python3-mistune.changes 2016-02-29 09:16:01.000000000 +0100 @@ -1,0 +2,12 @@ +Sat Feb 27 16:33:51 UTC 2016 - arun@gmx.de + +- specfile: + * update copyright year + +- update to version 0.7.2: + * Fix hard_wrap options on renderer. + * Fix emphasis regex pattern + * Fix base64 image link #80. + * Fix link security per #87. + +------------------------------------------------------------------- Old: ---- mistune-0.7.1.tar.gz New: ---- mistune-0.7.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-mistune.spec ++++++ --- /var/tmp/diff_new_pack.lXnUoR/_old 2016-02-29 09:16:03.000000000 +0100 +++ /var/tmp/diff_new_pack.lXnUoR/_new 2016-02-29 09:16:03.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package python3-mistune # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: python3-mistune -Version: 0.7.1 +Version: 0.7.2 Release: 0 Summary: The fastest markdown parser in pure Python License: BSD-3-Clause ++++++ mistune-0.7.1.tar.gz -> mistune-0.7.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/CHANGES.rst new/mistune-0.7.2/CHANGES.rst --- old/mistune-0.7.1/CHANGES.rst 2015-08-22 17:28:24.000000000 +0200 +++ new/mistune-0.7.2/CHANGES.rst 2016-02-26 02:41:10.000000000 +0100 @@ -3,6 +3,18 @@ Here is the full history of mistune. +Version 0.7.2 +~~~~~~~~~~~~~ + +* Fix `hard_wrap` options on renderer. +* Fix emphasis regex pattern +* Fix base64 image link `#80`_. +* Fix link security per `#87`_. + +.. _`#80`: https://github.com/lepture/mistune/issues/80 +.. _`#87`: https://github.com/lepture/mistune/issues/87 + + Version 0.7.1 ~~~~~~~~~~~~~ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/PKG-INFO new/mistune-0.7.2/PKG-INFO --- old/mistune-0.7.1/PKG-INFO 2015-08-22 17:44:33.000000000 +0200 +++ new/mistune-0.7.2/PKG-INFO 2016-02-26 02:43:24.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: mistune -Version: 0.7.1 +Version: 0.7.2 Summary: The fastest markdown parser in pure Python Home-page: https://github.com/lepture/mistune Author: Hsiaoming Yang @@ -119,7 +119,7 @@ import mistune from pygments import highlight from pygments.lexers import get_lexer_by_name - from pygments.formatters import HtmlFormatter + from pygments.formatters import html class HighlightRenderer(mistune.Renderer): def block_code(self, code, lang): @@ -127,7 +127,7 @@ return '\n<pre><code>%s</code></pre>\n' % \ mistune.escape(code) lexer = get_lexer_by_name(lang, stripall=True) - formatter = HtmlFormatter() + formatter = html.HtmlFormatter() return highlight(code, lexer, formatter) renderer = HighlightRenderer() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/README.rst new/mistune-0.7.2/README.rst --- old/mistune-0.7.1/README.rst 2015-08-11 09:55:52.000000000 +0200 +++ new/mistune-0.7.2/README.rst 2015-11-08 09:30:41.000000000 +0100 @@ -111,7 +111,7 @@ import mistune from pygments import highlight from pygments.lexers import get_lexer_by_name - from pygments.formatters import HtmlFormatter + from pygments.formatters import html class HighlightRenderer(mistune.Renderer): def block_code(self, code, lang): @@ -119,7 +119,7 @@ return '\n<pre><code>%s</code></pre>\n' % \ mistune.escape(code) lexer = get_lexer_by_name(lang, stripall=True) - formatter = HtmlFormatter() + formatter = html.HtmlFormatter() return highlight(code, lexer, formatter) renderer = HighlightRenderer() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/mistune.egg-info/PKG-INFO new/mistune-0.7.2/mistune.egg-info/PKG-INFO --- old/mistune-0.7.1/mistune.egg-info/PKG-INFO 2015-08-22 17:44:30.000000000 +0200 +++ new/mistune-0.7.2/mistune.egg-info/PKG-INFO 2016-02-26 02:43:22.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: mistune -Version: 0.7.1 +Version: 0.7.2 Summary: The fastest markdown parser in pure Python Home-page: https://github.com/lepture/mistune Author: Hsiaoming Yang @@ -119,7 +119,7 @@ import mistune from pygments import highlight from pygments.lexers import get_lexer_by_name - from pygments.formatters import HtmlFormatter + from pygments.formatters import html class HighlightRenderer(mistune.Renderer): def block_code(self, code, lang): @@ -127,7 +127,7 @@ return '\n<pre><code>%s</code></pre>\n' % \ mistune.escape(code) lexer = get_lexer_by_name(lang, stripall=True) - formatter = HtmlFormatter() + formatter = html.HtmlFormatter() return highlight(code, lexer, formatter) renderer = HighlightRenderer() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/mistune.py new/mistune-0.7.2/mistune.py --- old/mistune-0.7.1/mistune.py 2015-08-22 17:28:46.000000000 +0200 +++ new/mistune-0.7.2/mistune.py 2016-02-26 02:41:36.000000000 +0100 @@ -11,7 +11,7 @@ import re import inspect -__version__ = '0.7.1' +__version__ = '0.7.2' __author__ = 'Hsiaoming Yang <me@lepture.com>' __all__ = [ 'BlockGrammar', 'BlockLexer', @@ -22,10 +22,11 @@ _key_pattern = re.compile(r'\s+') +_nonalpha_pattern = re.compile(r'\W') _escape_pattern = re.compile(r'&(?!#?\w+;)') _newline_pattern = re.compile(r'\r\n|\r') _block_quote_leading_pattern = re.compile(r'^ *> ?', flags=re.M) -_block_code_leadning_pattern = re.compile(r'^ {4}', re.M) +_block_code_leading_pattern = re.compile(r'^ {4}', re.M) _inline_tags = [ 'a', 'em', 'strong', 'small', 's', 'cite', 'q', 'dfn', 'abbr', 'data', 'time', 'code', 'var', 'samp', 'kbd', 'sub', 'sup', 'i', 'b', 'u', 'mark', @@ -36,6 +37,7 @@ _valid_end = r'(?!:/|[^\w\s@]*@)\b' _valid_attr = r'''"[^"]*"|'[^']*'|[^'">]''' _block_tag = r'(?!(?:%s)\b)\w+%s' % ('|'.join(_inline_tags), _valid_end) +_scheme_blacklist = ('javascript', 'data', 'vbscript') def _pure_pattern(regex): @@ -70,6 +72,19 @@ return text +def escape_link(url, **kwargs): + """Remove dangerous URL schemes like javascript: and escape afterwards.""" + if ':' in url: + scheme, _ = url.split(':', 1) + scheme = _nonalpha_pattern.sub('', scheme) + # whitelist would be better but mistune's use case is too general + if scheme.lower() in _scheme_blacklist: + return '' + # escape &entities; to &entities; + kwargs['smart_amp'] = False + return escape(url, **kwargs) + + def preprocessing(text, tab=4): text = _newline_pattern.sub('\n', text) text = text.replace('\t', ' ' * tab) @@ -224,7 +239,7 @@ def parse_block_code(self, m): # clean leading whitespace - code = _block_code_leadning_pattern.sub('', m.group(0)) + code = _block_code_leading_pattern.sub('', m.group(0)) self.tokens.append({ 'type': 'code', 'lang': None, @@ -285,7 +300,7 @@ pattern = re.compile(r'^ {1,%d}' % space, flags=re.M) item = pattern.sub('', item) - # determin whether item is loose or not + # determine whether item is loose or not loose = _next if not loose and re.search(r'\n\n(?!\s*$)', item): loose = True @@ -459,9 +474,9 @@ r'^\*{2}([\s\S]+?)\*{2}(?!\*)' # **word** ) emphasis = re.compile( - r'^\b_((?:__|[\s\S])+?)_\b' # _word_ + r'^\b_((?:__|[^_])+?)_\b' # _word_ r'|' - r'^\*((?:\*\*|[\s\S])+?)\*(?!\*)' # *word* + r'^\*((?:\*\*|[^\*])+?)\*(?!\*)' # *word* ) code = re.compile(r'^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)') # `code` linebreak = re.compile(r'^ {2,}\n(?!\s*$)') @@ -504,12 +519,14 @@ if not rules: rules = self.grammar_class() + kwargs.update(self.renderer.options) + if kwargs.get('hard_wrap'): + rules.hard_wrap() + self.rules = rules self._in_link = False self._in_footnote = False - - kwargs.update(self.renderer.options) self._parse_inline_html = kwargs.get('parse_inline_html') def __call__(self, text, rules=None): @@ -836,8 +853,7 @@ :param title: title content for `title` attribute. :param text: text content for description. """ - if link.startswith('javascript:'): - link = '' + link = escape_link(link, quote=True) if not title: return '<a href="%s">%s</a>' % (link, text) title = escape(title, quote=True) @@ -850,8 +866,7 @@ :param title: title text of the image. :param text: alt text of the image. """ - if src.startswith('javascript:'): - src = '' + src = escape_link(src, quote=True) text = escape(text, quote=True) if title: title = escape(title, quote=True) @@ -923,6 +938,8 @@ def __init__(self, renderer=None, inline=None, block=None, **kwargs): if not renderer: renderer = Renderer(**kwargs) + else: + kwargs.update(renderer.options) self.renderer = renderer @@ -934,13 +951,9 @@ if inline: self.inline = inline else: - rules = InlineGrammar() - if kwargs.get('hard_wrap'): - rules.hard_wrap() - self.inline = InlineLexer(renderer, rules=rules) + self.inline = InlineLexer(renderer, **kwargs) self.block = block or BlockLexer(BlockGrammar()) - self.options = kwargs self.footnotes = [] self.tokens = [] @@ -1134,7 +1147,7 @@ :param text: markdown formatted text content. :param escape: if set to False, all html tags will not be escaped. :param use_xhtml: output with xhtml tags. - :param hard_wrap: if set to True, it will has GFM line breaks feature. + :param hard_wrap: if set to True, it will use the GFM line breaks feature. :param parse_block_html: parse text only in block level html. :param parse_inline_html: parse text only in inline level html. """ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/fixtures/normal/amps_and_angles_encoding.html new/mistune-0.7.2/tests/fixtures/normal/amps_and_angles_encoding.html --- old/mistune-0.7.1/tests/fixtures/normal/amps_and_angles_encoding.html 2014-10-11 04:12:04.000000000 +0200 +++ new/mistune-0.7.2/tests/fixtures/normal/amps_and_angles_encoding.html 2016-02-26 02:37:28.000000000 +0100 @@ -8,10 +8,10 @@ <p>6 > 5.</p> -<p>Here's a <a href="http://example.com/?foo=1&bar=2">link</a> with an ampersand in the URL.</p> +<p>Here's a <a href="http://example.com/?foo=1&bar=2">link</a> with an ampersand in the URL.</p> <p>Here's a link with an amersand in the link text: <a href="http://att.com/" title="AT&T">AT&T</a>.</p> -<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p> +<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p> -<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p> +<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/test_cases.py new/mistune-0.7.2/tests/test_cases.py --- old/mistune-0.7.1/tests/test_cases.py 2015-07-12 05:48:00.000000000 +0200 +++ new/mistune-0.7.2/tests/test_cases.py 2015-11-02 15:56:50.000000000 +0100 @@ -5,12 +5,7 @@ root = os.path.dirname(__file__) known = [] - -rules = [ - 'table', 'fenced_code', 'footnotes', - 'autolink', 'strikethrough', -] -m = mistune.Markdown(rules=rules) +m = mistune.Markdown() def render(folder, name): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/test_extra.py new/mistune-0.7.2/tests/test_extra.py --- old/mistune-0.7.1/tests/test_extra.py 2015-08-12 16:37:37.000000000 +0200 +++ new/mistune-0.7.2/tests/test_extra.py 2016-02-26 02:37:28.000000000 +0100 @@ -18,10 +18,27 @@ def test_safe_links(): - ret = mistune.markdown('javascript ![foo](<javascript:alert>) alert') - assert 'src=""' in ret - ret = mistune.markdown('javascript [foo](<javascript:alert>) alert') - assert 'href=""' in ret + attack_vectors = ( + # "standard" javascript pseudo protocol + ('javascript:alert`1`', ''), + # bypass attempt + ('jAvAsCrIpT:alert`1`', ''), + # javascript pseudo protocol with entities + ('javascript:alert`1`', 'javascript:alert`1`'), + # javascript pseudo protocol with prefix (dangerous in Chrome) + ('\x1Ajavascript:alert`1`', ''), + # data-URI (dangerous in Firefox) + ('data:text/html,<script>alert`1`</script>', ''), + # vbscript-URI (dangerous in Internet Explorer) + ('vbscript:msgbox', ''), + # breaking out of the attribute + ('"<>', '"<>'), + ) + for vector, expected in attack_vectors: + # image + assert 'src="%s"' % expected in mistune.markdown('![atk](%s)' % vector) + # link + assert 'href="%s"' % expected in mistune.markdown('[atk](%s)' % vector) def test_skip_style(): @@ -89,3 +106,10 @@ def test_not_escape_inline_tags(): text = '<a name="top"></a>' assert text in mistune.markdown(text, escape=False) + + +def test_hard_wrap_renderer(): + text = 'foo\nnewline' + renderer = mistune.Renderer(hard_wrap=True) + func = mistune.Markdown(renderer=renderer) + assert '<br>' in func(text)