commit python-lxml.2838 for openSUSE:13.1:Update
Hello community,

here is the log from the commit of package python-lxml.2838 for openSUSE:13.1:Update checked in at 2014-05-30 16:50:55

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/python-lxml.2838 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.python-lxml.2838.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-lxml.2838"

Changes:
--------
New Changes file:

--- /dev/null 2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:13.1:Update/.python-lxml.2838.new/python-lxml.changes 2014-05-30 16:50:56.000000000 +0200
@@ -0,0 +1,767 @@ +------------------------------------------------------------------- +Thu May 22 13:53:20 UTC 2014 - toms@opensuse.org + +- Fixed bnc#877258: + CVE-2014-3146: python-lxml: clean_html input sanitization flaw + (patch file python-lxml-html.clean.diff) + +------------------------------------------------------------------- +Wed Oct 23 08:54:33 UTC 2013 - toddrme2178@gmail.com + +- Remove old source file + +------------------------------------------------------------------- +Tue Aug 13 09:58:19 UTC 2013 - dmueller@suse.com + +- update to 3.2.3: +* LP#1185701: spurious XMLSyntaxError after finishing iterparse(). +* Crash in lxml.objectify during xsi annotation. + +------------------------------------------------------------------- +Mon May 13 08:34:19 UTC 2013 - dmueller@suse.com + +- update to 3.2.1: +* The methods ``apply_templates()`` and ``process_children()`` of XSLT + extension elements have gained two new boolean options ``elements_only`` + and ``remove_blank_text`` that discard either all strings or whitespace-only + strings from the result list. +* When moving Elements to another tree, the namespace cleanup mechanism + no longer drops namespace prefixes from attributes for which it finds + a default namespace declaration, to prevent them from appearing as + unnamespaced attributes after serialisation. +* Returning non-type objects from a custom class lookup method could lead + to a crash. +* Instantiating and using subtypes of Comments and ProcessingInstructions + crashed. + +------------------------------------------------------------------- +Mon Apr 29 12:25:39 UTC 2013 - dmueller@suse.com + +- update to 3.2.0: + * Leading whitespace could change the behaviour of the string + parsing functions in ``lxml.html``. + * LP#599318: The string parsing functions in ``lxml.html`` are more robust + in the face of uncommon HTML content like framesets or missing body tags. + Patch by Stefan Seelmann. 
+ * LP#712941: I/O errors while trying to access files with paths that contain + non-ASCII characters could raise ``UnicodeDecodeError`` instead of properly + reporting the ``IOError``. + * LP#673205: Parsing from in-memory strings disabled network access in the + default parser and made subsequent attempts to parse from a URL fail. + * LP#971754: lxml.html.clean appends 'nofollow' to 'rel' attributes instead + of overwriting the current value. + * LP#715687: lxml.html.clean no longer discards scripts that are explicitly + allowed by the user provided whitelist. Patch by Christine Koppelt. + +------------------------------------------------------------------- +Sat Mar 30 17:29:03 UTC 2013 - arun@gmx.de + +- update to 3.1.1: + (changes taken from http://lxml.de/3.1/changes-3.1.1.html) + + * 3.1.1 (2013-03-29) + ** Bugs fixed + - LP#1160386: Write access to lxml.html.FormElement.fields raised an AttributeError in Py3. + - Illegal memory access during cleanup in incremental xmlfile writer. + ** Other changes + - The externally useless class lxml.etree._BaseParser was removed from the module dict. + + * 3.1.0 (2013-02-10) + ** Features added + - GH#89: lxml.html.clean allows overriding the set of attributes that it considers 'safe'. + Patch by Francis Devereux. + ** Bugs fixed + - LP#1104370: copy.copy(el.attrib) raised an exception. It now returns a copy of the + attributes as a plain Python dict. + - GH#95: When used with namespace prefixes, the el.find*() methods always used the first + namespace mapping that was provided for each path expression instead of using the one that + was actually passed in for the current run. + - LP#1092521, GH#91: Fix undefined C symbol in Python runtimes compiled without threading + support. Patch by Ulrich Seidl. 
+ + * 3.1beta1 (2012-12-21) + ** Features added + - New build-time option --with-unicode-strings for Python 2 that makes the API always + return Unicode strings for names and text instead of byte strings for plain ASCII content. + - New incremental XML file writing API etree.xmlfile(). + - E factory in lxml.objectify is callable to simplify the creation of tags with + non-identifier names without having to resort to getattr(). + ** Bugs fixed + - When starting from a non-namespaced element in lxml.objectify, searching for a + child without explicitly specifying a namespace incorrectly found namespaced + elements with the requested local name, instead of restricting the search to + non-namespaced children. + - GH#85: Deprecation warnings were fixed for Python 3.x. + - GH#33: lxml.html.fromstring() failed to accept bytes input in Py3. + - LP#1080792: Static build of libxml2 2.9.0 failed due to missing file. + ** Other changes + - The externally useless class _ObjectifyElementMakerCaller was removed from the + module API of lxml.objectify. + - LP#1075622: lxml.builder is faster for adding text to elements with many children. + Patch by Anders Hammarquist. + + * 3.0.2 (2012-12-14) + ** Bugs fixed + - Fix crash during interpreter shutdown by switching to Cython 0.17.3 for building. + + * 3.0.1 (2012-10-14) + ** Bugs fixed + - LP#1065924: Element proxies could disappear during garbage collection in PyPy + without proper cleanup. + - GH#71: Failure to work with libxml2 2.6.x. + - LP#1065139: static MacOS-X build failed in Py3. + + * 3.0 (2012-10-08) + ** Bugs fixed + - End-of-file handling was incorrect in iterparse() when reading from a low-level + C file stream and failed in libxml2 2.9.0 due to its improved consistency checks. + ** Other changes + - The build no longer uses Cython by default unless the generated C files are + missing. To use Cython, pass the option "--with-cython". To ignore the fatal build + error when Cython is required but not available (e.g. 
to run special setup.py + commands that do not actually run a build), pass "--without-cython". + + * 3.0beta1 (2012-09-26) + ** Features added + - Python level access to (optional) libxml2 memory debugging features to simplify + debugging of memory leaks etc. + ** Bugs fixed + - Fix a memory leak in XPath by switching to Cython 0.17.1. + - Some tests were adapted to work with PyPy. + ** Other changes + - The code was adapted to work with the upcoming libxml2 2.9.0 release. + + * 3.0alpha2 (2012-08-23) + ** Features added + - The .iter() method of elements now accepts tag arguments like "{*}name" to search + for elements with a given local name in any namespace. With this addition, all + combinations of wildcards now work as expected: "{ns}name", "{}name", "{*}name", + "{ns}*", "{}*" and "{*}*". Note that "name" is equivalent to "{}name", but "*" is + "{*}*". The same change applies to the .getiterator(), .itersiblings(), .iterancestors(), + .iterdescendants(), .iterchildren() and .itertext() methods;the strip_attributes(), + strip_elements() and strip_tags() functions as well as the iterparse() class. + Patch by Simon Sapin. + - C14N allows specifying the inclusive prefixes to be promoted to top-level during + exclusive serialisation. + ** Bugs fixed + - Passing long Unicode strings into the feed() parser interface failed to read the entire string. + + * 3.0alpha1 (2012-07-31) + ** Features added + - Initial support for building in PyPy (through cpyext). + - DTD objects gained an API that allows read access to their declarations. + - xpathgrep.py gained support for parsing line-by-line (e.g. from grep output) and + for surrounding the output with a new root tag. + - E-factory in lxml.builder accepts subtypes of known data types (such as string + subtypes) when building elements around them. + - Tree iteration and iterparse() with a selective tag argument supports passing a + set of tags. Tree nodes will be returned by the iterators if they match any of the tags. 
+ ** Bugs fixed + - The .find*() methods in lxml.objectify no longer use XPath internally, which makes + them faster in many cases (especially when short circuiting after a single or + couple of elements) and fixes some behavioural differences compared to lxml.etree. + Note that this means that they no longer support arbitrary XPath expressions but + only the subset that the ElementPath language supports. The previous implementation + was also redundant with the normal XPath support, which can be used as a replacement. + - el.find('*') could accidentally return a comment or processing instruction that + happened to be in the wrong spot. (Same for the other .find*() methods.) + - The error logging is less intrusive and avoids a global setup where possible. + - Fixed undefined names in html5lib parser. + - xpathgrep.py did not work in Python 3. + - Element.attrib.update() did not accept an attrib of another Element as parameter. + - For subtypes of ElementBase that make the .text or .tail properties immutable (as in + objectify, for example), inserting text when creating Elements through the E-Factory + feature of the class constructor would fail with an exception, stating that the text + cannot be modified. + ** Other changes + - The code base was overhauled to properly use 'const' where the API of libxml2 anders + libxslt requests it. This also has an impact on the public C-API of lxml itself, as + defined in etreepublic.pxd, as well as the provided declarations in the lxml/includes/ + directory. Code that uses these declarations may have to be adapted. On the plus side, + this fixes several C compiler warnings, also for user code, thus making it easier to + spot real problems again. + - The functionality of "lxml.cssselect" was moved into a separate PyPI package called + "cssselect". To continue using it, you must install that package separately. 
The + "lxml.cssselect" module is still available and provides the same interface, provided + the "cssselect" package can be imported at runtime. + - Element attributes passed in as an attrib dict or as keyword arguments are now sorted + by (namespaced) name before being created to make their order predictable for + serialisation and iteration. Note that adding or deleting attributes afterwards does + not take that order into account, i.e. setting a new attribute appends it after the + existing ones. + - Several classes that are for internal use only were removed from the lxml.etree module + dict: _InputDocument, _ResolverRegistry, _ResolverContext, _BaseContext, _ExsltRegExp, + _IterparseContext, _TempStore, _ExceptionContext, __ContentOnlyElement, _AttribIterator, + _NamespaceRegistry, _ClassNamespaceRegistry, _FunctionNamespaceRegistry, + _XPathFunctionNamespaceRegistry, _ParserDictionaryContext, _FileReaderContext, + _ParserContext, _PythonSaxParserTarget, _TargetParserContext, _ReadOnlyProxy,
++++ 570 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.python-lxml.2838.new/python-lxml.changes

New:
----
  lxml-3.2.3.tar.gz
  lxmldoc-3.2.3.pdf
  python-lxml-html.clean.diff
  python-lxml.changes
  python-lxml.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-lxml.spec ++++++
#
# spec file for package python-lxml
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           python-lxml
Version:        3.2.3
Release:        0
Summary:        Powerful and Pythonic XML processing library
License:        BSD-3-Clause and GPL-2.0+
Group:          Development/Languages/Python
Url:            http://lxml.de/
Source:         http://pypi.python.org/packages/source/l/lxml/lxml-%{version}.tar.gz
Source1:        http://lxml.de/lxmldoc-%{version}.pdf
# PATCH-FIX-UPSTREAM python-lxml-html.clean.diff bnc#877258 Fixed CVE-2014-3146
Patch0:         %{name}-html.clean.diff
BuildRequires:  libxml2-devel
BuildRequires:  libxslt-devel
BuildRequires:  python-Cython
BuildRequires:  python-devel
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} && 0%{?suse_version} <= 1110
%{!?python_sitearch: %global python_sitearch %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%endif

%description
lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries.
It provides safe and convenient access to these libraries using the
ElementTree API. It extends the ElementTree API significantly to offer
support for XPath, RelaxNG, XML Schema, XSLT, C14N and much more.

%package doc
Summary:        Powerful and Pythonic XML processing library - Documentation
Group:          Development/Libraries/Python
%if 0%{?suse_version} && 0%{?suse_version} > 1110
BuildArch:      noarch
%endif

%description doc
lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries.
It provides safe and convenient access to these libraries using the
ElementTree API. It extends the ElementTree API significantly to offer
support for XPath, RelaxNG, XML Schema, XSLT, C14N and much more.

This package contains documentation for lxml (HTML and PDF).

%prep
%setup -q -n lxml-%{version}
cp %{SOURCE1} .
%patch0

%build
CFLAGS="%{optflags}" python setup.py build

%install
python setup.py install --prefix=%{_prefix} --root=%{buildroot}

%files
%defattr(-,root,root)
%doc CHANGES.txt CREDITS.txt LICENSES.txt README.rst
%{python_sitearch}/lxml/
%{python_sitearch}/lxml-%{version}-py%{py_ver}.egg-info
%exclude %{python_sitearch}/lxml/*.h
%exclude %{python_sitearch}/lxml/includes/*.h

%files doc
%defattr(-,root,root)
%doc doc/html lxmldoc-%{version}.pdf

%changelog
++++++ python-lxml-html.clean.diff ++++++
--- src/lxml/html/clean.py.orig 2014-05-22 09:08:35.227652504 +0200 +++ src/lxml/html/clean.py 2014-05-22 09:11:36.334317035 +0200 @@ -70,9 +70,10 @@ # All kinds of schemes besides just javascript: that can cause # execution: -_javascript_scheme_re = re.compile( - r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I) -_substitute_whitespace = re.compile(r'\s+').sub +_is_javascript_scheme = re.compile( + r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', + re.I).search +_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub # FIXME: should data: be blocked? # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx @@ -467,7 +468,7 @@ def _remove_javascript_link(self, link): # links like "j a v a s c r i p t:" might be interpreted in IE new = _substitute_whitespace('', link) - if _javascript_scheme_re.search(new): + if _is_javascript_scheme(new): # FIXME: should this be None to delete? return '' return link
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
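Review bot: two typos in the new python-lxml.changes hunk are worth fixing since this file is the package changelog: in the 3.0alpha1 "Other changes" entry, "libxml2 anders libxslt" should read "libxml2 and libxslt", and in the 3.0alpha2 "Features added" entry, "methods;the strip_attributes()" is missing a space after the semicolon.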
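Review bot: in the first hunk of python-lxml-html.clean.diff, the new `_substitute_whitespace` class `[\s\x00-\x08\x0B\x0C\x0E-\x19]` ends at \x19, so the C0 controls \x1A-\x1F are left in the string before the scheme check, while \x0B and \x0C are listed redundantly because `\s` already matches them. Whether those remaining bytes matter is not established by the patch, so either extend the class to \x1F or add a comment stating why the range stops at \x19. Dropping the leading `\s*` from the scheme pattern is fine because whitespace is already removed by `_substitute_whitespace` before `.search` runs, but the retained `# FIXME: should data: be blocked?` comment is stale, since `data` is in the alternation.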
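Review bot: the second hunk updates the one visible call site of the renamed `_javascript_scheme_re`; since the first hunk removes that name, please confirm no other reference to `_javascript_scheme_re` remains in clean.py or in code importing it, otherwise the rename surfaces as a NameError at runtime. The comment `# links like "j a v a s c r i p t:" might be interpreted in IE` should also say that control characters are now stripped along with whitespace, since that is the substance of this fix.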