Hello community,
here is the log from the commit of package python3-mistune for openSUSE:Factory checked in at 2016-02-29 09:14:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python3-mistune (Old)
and /work/SRC/openSUSE:Factory/.python3-mistune.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3-mistune"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python3-mistune/python3-mistune.changes 2015-10-20 00:06:51.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python3-mistune.new/python3-mistune.changes 2016-02-29 09:16:01.000000000 +0100
@@ -1,0 +2,12 @@
+Sat Feb 27 16:33:51 UTC 2016 - arun@gmx.de
+
+- specfile:
+ * update copyright year
+
+- update to version 0.7.2:
+ * Fix hard_wrap options on renderer.
+ * Fix emphasis regex pattern
+ * Fix base64 image link #80.
+ * Fix link security per #87.
+
+-------------------------------------------------------------------
Old:
----
mistune-0.7.1.tar.gz
New:
----
mistune-0.7.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python3-mistune.spec ++++++
--- /var/tmp/diff_new_pack.lXnUoR/_old 2016-02-29 09:16:03.000000000 +0100
+++ /var/tmp/diff_new_pack.lXnUoR/_new 2016-02-29 09:16:03.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python3-mistune
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: python3-mistune
-Version: 0.7.1
+Version: 0.7.2
Release: 0
Summary: The fastest markdown parser in pure Python
License: BSD-3-Clause
++++++ mistune-0.7.1.tar.gz -> mistune-0.7.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/CHANGES.rst new/mistune-0.7.2/CHANGES.rst
--- old/mistune-0.7.1/CHANGES.rst 2015-08-22 17:28:24.000000000 +0200
+++ new/mistune-0.7.2/CHANGES.rst 2016-02-26 02:41:10.000000000 +0100
@@ -3,6 +3,18 @@
Here is the full history of mistune.
+Version 0.7.2
+~~~~~~~~~~~~~
+
+* Fix `hard_wrap` options on renderer.
+* Fix emphasis regex pattern
+* Fix base64 image link `#80`_.
+* Fix link security per `#87`_.
+
+.. _`#80`: https://github.com/lepture/mistune/issues/80
+.. _`#87`: https://github.com/lepture/mistune/issues/87
+
+
Version 0.7.1
~~~~~~~~~~~~~
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/PKG-INFO new/mistune-0.7.2/PKG-INFO
--- old/mistune-0.7.1/PKG-INFO 2015-08-22 17:44:33.000000000 +0200
+++ new/mistune-0.7.2/PKG-INFO 2016-02-26 02:43:24.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: mistune
-Version: 0.7.1
+Version: 0.7.2
Summary: The fastest markdown parser in pure Python
Home-page: https://github.com/lepture/mistune
Author: Hsiaoming Yang
@@ -119,7 +119,7 @@
import mistune
from pygments import highlight
from pygments.lexers import get_lexer_by_name
- from pygments.formatters import HtmlFormatter
+ from pygments.formatters import html
class HighlightRenderer(mistune.Renderer):
def block_code(self, code, lang):
@@ -127,7 +127,7 @@
return '\n<pre><code>%s</code></pre>\n' % \
mistune.escape(code)
lexer = get_lexer_by_name(lang, stripall=True)
- formatter = HtmlFormatter()
+ formatter = html.HtmlFormatter()
return highlight(code, lexer, formatter)
renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/README.rst new/mistune-0.7.2/README.rst
--- old/mistune-0.7.1/README.rst 2015-08-11 09:55:52.000000000 +0200
+++ new/mistune-0.7.2/README.rst 2015-11-08 09:30:41.000000000 +0100
@@ -111,7 +111,7 @@
import mistune
from pygments import highlight
from pygments.lexers import get_lexer_by_name
- from pygments.formatters import HtmlFormatter
+ from pygments.formatters import html
class HighlightRenderer(mistune.Renderer):
def block_code(self, code, lang):
@@ -119,7 +119,7 @@
return '\n<pre><code>%s</code></pre>\n' % \
mistune.escape(code)
lexer = get_lexer_by_name(lang, stripall=True)
- formatter = HtmlFormatter()
+ formatter = html.HtmlFormatter()
return highlight(code, lexer, formatter)
renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/mistune.egg-info/PKG-INFO new/mistune-0.7.2/mistune.egg-info/PKG-INFO
--- old/mistune-0.7.1/mistune.egg-info/PKG-INFO 2015-08-22 17:44:30.000000000 +0200
+++ new/mistune-0.7.2/mistune.egg-info/PKG-INFO 2016-02-26 02:43:22.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: mistune
-Version: 0.7.1
+Version: 0.7.2
Summary: The fastest markdown parser in pure Python
Home-page: https://github.com/lepture/mistune
Author: Hsiaoming Yang
@@ -119,7 +119,7 @@
import mistune
from pygments import highlight
from pygments.lexers import get_lexer_by_name
- from pygments.formatters import HtmlFormatter
+ from pygments.formatters import html
class HighlightRenderer(mistune.Renderer):
def block_code(self, code, lang):
@@ -127,7 +127,7 @@
return '\n<pre><code>%s</code></pre>\n' % \
mistune.escape(code)
lexer = get_lexer_by_name(lang, stripall=True)
- formatter = HtmlFormatter()
+ formatter = html.HtmlFormatter()
return highlight(code, lexer, formatter)
renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/mistune.py new/mistune-0.7.2/mistune.py
--- old/mistune-0.7.1/mistune.py 2015-08-22 17:28:46.000000000 +0200
+++ new/mistune-0.7.2/mistune.py 2016-02-26 02:41:36.000000000 +0100
@@ -11,7 +11,7 @@
import re
import inspect
-__version__ = '0.7.1'
+__version__ = '0.7.2'
__author__ = 'Hsiaoming Yang '
__all__ = [
'BlockGrammar', 'BlockLexer',
@@ -22,10 +22,11 @@
_key_pattern = re.compile(r'\s+')
+_nonalpha_pattern = re.compile(r'\W')
_escape_pattern = re.compile(r'&(?!#?\w+;)')
_newline_pattern = re.compile(r'\r\n|\r')
_block_quote_leading_pattern = re.compile(r'^ *> ?', flags=re.M)
-_block_code_leadning_pattern = re.compile(r'^ {4}', re.M)
+_block_code_leading_pattern = re.compile(r'^ {4}', re.M)
_inline_tags = [
'a', 'em', 'strong', 'small', 's', 'cite', 'q', 'dfn', 'abbr', 'data',
'time', 'code', 'var', 'samp', 'kbd', 'sub', 'sup', 'i', 'b', 'u', 'mark',
@@ -36,6 +37,7 @@
_valid_end = r'(?!:/|[^\w\s@]*@)\b'
_valid_attr = r'''"[^"]*"|'[^']*'|[^'">]'''
_block_tag = r'(?!(?:%s)\b)\w+%s' % ('|'.join(_inline_tags), _valid_end)
+_scheme_blacklist = ('javascript', 'data', 'vbscript')
def _pure_pattern(regex):
@@ -70,6 +72,19 @@
return text
+def escape_link(url, **kwargs):
+ """Remove dangerous URL schemes like javascript: and escape afterwards."""
+ if ':' in url:
+ scheme, _ = url.split(':', 1)
+ scheme = _nonalpha_pattern.sub('', scheme)
+ # whitelist would be better but mistune's use case is too general
+ if scheme.lower() in _scheme_blacklist:
+ return ''
+ # escape &entities; to &entities;
+ kwargs['smart_amp'] = False
+ return escape(url, **kwargs)
+
+
def preprocessing(text, tab=4):
text = _newline_pattern.sub('\n', text)
text = text.replace('\t', ' ' * tab)
@@ -224,7 +239,7 @@
def parse_block_code(self, m):
# clean leading whitespace
- code = _block_code_leadning_pattern.sub('', m.group(0))
+ code = _block_code_leading_pattern.sub('', m.group(0))
self.tokens.append({
'type': 'code',
'lang': None,
@@ -285,7 +300,7 @@
pattern = re.compile(r'^ {1,%d}' % space, flags=re.M)
item = pattern.sub('', item)
- # determin whether item is loose or not
+ # determine whether item is loose or not
loose = _next
if not loose and re.search(r'\n\n(?!\s*$)', item):
loose = True
@@ -459,9 +474,9 @@
r'^\*{2}([\s\S]+?)\*{2}(?!\*)' # **word**
)
emphasis = re.compile(
- r'^\b_((?:__|[\s\S])+?)_\b' # _word_
+ r'^\b_((?:__|[^_])+?)_\b' # _word_
r'|'
- r'^\*((?:\*\*|[\s\S])+?)\*(?!\*)' # *word*
+ r'^\*((?:\*\*|[^\*])+?)\*(?!\*)' # *word*
)
code = re.compile(r'^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)') # `code`
linebreak = re.compile(r'^ {2,}\n(?!\s*$)')
@@ -504,12 +519,14 @@
if not rules:
rules = self.grammar_class()
+ kwargs.update(self.renderer.options)
+ if kwargs.get('hard_wrap'):
+ rules.hard_wrap()
+
self.rules = rules
self._in_link = False
self._in_footnote = False
-
- kwargs.update(self.renderer.options)
self._parse_inline_html = kwargs.get('parse_inline_html')
def __call__(self, text, rules=None):
@@ -836,8 +853,7 @@
:param title: title content for `title` attribute.
:param text: text content for description.
"""
- if link.startswith('javascript:'):
- link = ''
+ link = escape_link(link, quote=True)
if not title:
return '<a href="%s">%s</a>' % (link, text)
title = escape(title, quote=True)
@@ -850,8 +866,7 @@
:param title: title text of the image.
:param text: alt text of the image.
"""
- if src.startswith('javascript:'):
- src = ''
+ src = escape_link(src, quote=True)
text = escape(text, quote=True)
if title:
title = escape(title, quote=True)
@@ -923,6 +938,8 @@
def __init__(self, renderer=None, inline=None, block=None, **kwargs):
if not renderer:
renderer = Renderer(**kwargs)
+ else:
+ kwargs.update(renderer.options)
self.renderer = renderer
@@ -934,13 +951,9 @@
if inline:
self.inline = inline
else:
- rules = InlineGrammar()
- if kwargs.get('hard_wrap'):
- rules.hard_wrap()
- self.inline = InlineLexer(renderer, rules=rules)
+ self.inline = InlineLexer(renderer, **kwargs)
self.block = block or BlockLexer(BlockGrammar())
- self.options = kwargs
self.footnotes = []
self.tokens = []
@@ -1134,7 +1147,7 @@
:param text: markdown formatted text content.
:param escape: if set to False, all html tags will not be escaped.
:param use_xhtml: output with xhtml tags.
- :param hard_wrap: if set to True, it will has GFM line breaks feature.
+ :param hard_wrap: if set to True, it will use the GFM line breaks feature.
:param parse_block_html: parse text only in block level html.
:param parse_inline_html: parse text only in inline level html.
"""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/fixtures/normal/amps_and_angles_encoding.html new/mistune-0.7.2/tests/fixtures/normal/amps_and_angles_encoding.html
--- old/mistune-0.7.1/tests/fixtures/normal/amps_and_angles_encoding.html 2014-10-11 04:12:04.000000000 +0200
+++ new/mistune-0.7.2/tests/fixtures/normal/amps_and_angles_encoding.html 2016-02-26 02:37:28.000000000 +0100
@@ -8,10 +8,10 @@
<p>6 > 5.</p>
-<p>Here's a <a href="http://example.com/?foo=1&bar=2">link</a> with an ampersand in the URL.</p>
+<p>Here's a <a href="http://example.com/?foo=1&bar=2">link</a> with an ampersand in the URL.</p>
<p>Here's a link with an amersand in the link text: <a href="http://att.com/" title="AT&T">AT&T</a>.</p>
-<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
+<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
-<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
+<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/test_cases.py new/mistune-0.7.2/tests/test_cases.py
--- old/mistune-0.7.1/tests/test_cases.py 2015-07-12 05:48:00.000000000 +0200
+++ new/mistune-0.7.2/tests/test_cases.py 2015-11-02 15:56:50.000000000 +0100
@@ -5,12 +5,7 @@
root = os.path.dirname(__file__)
known = []
-
-rules = [
- 'table', 'fenced_code', 'footnotes',
- 'autolink', 'strikethrough',
-]
-m = mistune.Markdown(rules=rules)
+m = mistune.Markdown()
def render(folder, name):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mistune-0.7.1/tests/test_extra.py new/mistune-0.7.2/tests/test_extra.py
--- old/mistune-0.7.1/tests/test_extra.py 2015-08-12 16:37:37.000000000 +0200
+++ new/mistune-0.7.2/tests/test_extra.py 2016-02-26 02:37:28.000000000 +0100
@@ -18,10 +18,27 @@
def test_safe_links():
- ret = mistune.markdown('javascript ![foo](javascript:alert) alert')
- assert 'src=""' in ret
- ret = mistune.markdown('javascript [foo](javascript:alert) alert')
- assert 'href=""' in ret
+ attack_vectors = (
+ # "standard" javascript pseudo protocol
+ ('javascript:alert`1`', ''),
+ # bypass attempt
+ ('jAvAsCrIpT:alert`1`', ''),
+ # javascript pseudo protocol with entities
+ ('javascript:alert`1`', 'javascript:alert`1`'),
+ # javascript pseudo protocol with prefix (dangerous in Chrome)
+ ('\x1Ajavascript:alert`1`', ''),
+ # data-URI (dangerous in Firefox)
+ ('data:text/html,<script>alert`1`</script>', ''),
+ # vbscript-URI (dangerous in Internet Explorer)
+ ('vbscript:msgbox', ''),
+ # breaking out of the attribute
+ ('"<>', '"<>'),
+ )
+ for vector, expected in attack_vectors:
+ # image
+ assert 'src="%s"' % expected in mistune.markdown('![atk](%s)' % vector)
+ # link
+ assert 'href="%s"' % expected in mistune.markdown('[atk](%s)' % vector)
def test_skip_style():
@@ -89,3 +106,10 @@
def test_not_escape_inline_tags():
text = '<a name="top"></a>'
assert text in mistune.markdown(text, escape=False)
+
+
+def test_hard_wrap_renderer():
+ text = 'foo\nnewline'
+ renderer = mistune.Renderer(hard_wrap=True)
+ func = mistune.Markdown(renderer=renderer)
+ assert '<br>' in func(text)