--- lxml-3.5.0.orig/debian/changelog +++ lxml-3.5.0/debian/changelog @@ -0,0 +1,444 @@ +lxml (3.5.0-1ubuntu0.4) xenial-security; urgency=medium + + * SECURITY UPDATE: incorrect formaction attribute input sanitization + - Add HTML-5 formaction attribute to defs.link_attrs in + src/lxml/html/defs.py, src/lxml/html/tests/test_clean.py. + - CVE-2021-28957 + + -- Marc Deslauriers Mon, 29 Mar 2021 12:05:53 -0400 + +lxml (3.5.0-1ubuntu0.3) xenial-security; urgency=medium + + * SECURITY UPDATE: XSS vulnerability + - This adds the missing part reported from upstream + Prevent combinations of

to sneak + JS through the HTML cleaner in src/lxml/html/clean.py, + src/lxml/html/tests/test_clean.py. + - CVE-2020-27783 + + -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Wed, 09 Dec 2020 22:01:26 -0300 + +lxml (3.5.0-1ubuntu0.2) xenial-security; urgency=medium + + * SECURITY UPDATE: XSS vulnerability + - Prevent combinations of <noscript> and <style> to sneak + JS through the HTML cleaner in src/lxml/html/clean.py, + src/lxml/html/tests/test_clean.py. + - CVE-2020-27783 + + -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Tue, 08 Dec 2020 13:51:53 -0300 + +lxml (3.5.0-1ubuntu0.1) xenial-security; urgency=medium + + * SECURITY UPDATE: XSS attacks + - Make the cleaner remove javascript URLs + that use espacing in in src/lxml/html/clean.py, + src/lxml/html/tests/test_clean.txt. + - CVE-2018-19787 + + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Fri, 07 Dec 2018 08:28:49 -0300 + +lxml (3.5.0-1build1) xenial; urgency=medium + + * No-change rebuild to drop python3.4 support. + + -- Matthias Klose <doko@ubuntu.com> Tue, 19 Jan 2016 11:45:55 +0000 + +lxml (3.5.0-1) unstable; urgency=medium + + * New upstream version 3.5.0. + + -- Matthias Klose <doko@debian.org> Fri, 04 Dec 2015 13:03:31 +0100 + +lxml (3.4.4-2) unstable; urgency=medium + + * Update watch file. + * Build using cython. Closes: #792295. + + -- Matthias Klose <doko@debian.org> Sun, 13 Sep 2015 14:21:16 +0200 + +lxml (3.4.4-1) unstable; urgency=medium + + * New upstream version 3.4.4. + + -- Matthias Klose <doko@debian.org> Mon, 03 Aug 2015 14:13:30 +0200 + +lxml (3.4.2-1) unstable; urgency=medium + + * New upstream version 3.4.2. + * python-lxml, python3-lxml: Suggest python-lxml-doc. Closes: #741214. + * Build-depend on python-bs4 python3-bs4 python-html5lib python3-html5lib. + * python-lxml: Recommend python-bs4, python-html5lib. + * python3-lxml: Recommend python3-bs4, python3-html5lib. + + -- Matthias Klose <doko@debian.org> Fri, 27 Feb 2015 05:11:23 +0100 + +lxml (3.4.0-1) unstable; urgency=medium + + * New upstream version 3.4.0. + + -- Matthias Klose <doko@debian.org> Thu, 11 Sep 2014 21:17:44 +0200 + +lxml (3.3.6-0ubuntu1) utopic; urgency=medium + + * New upstrea version 3.3.6. + + -- Matthias Klose <doko@ubuntu.com> Thu, 11 Sep 2014 21:02:59 +0200 + +lxml (3.3.5-1) unstable; urgency=medium + + * New upstrea version 3.3.5. + + -- Matthias Klose <doko@debian.org> Sun, 18 May 2014 20:03:12 +0200 + +lxml (3.3.2-1) unstable; urgency=medium + + * New upstrea version 3.3.2. + - Re-add lost properties of iterparse objects. Closes: #740226, + #740102. + + -- Matthias Klose <doko@ubuntu.com> Mon, 03 Mar 2014 23:22:35 +0100 + +lxml (3.3.1-1) unstable; urgency=medium + + * New upstream version 3.3.1. + + -- Matthias Klose <doko@debian.org> Mon, 17 Feb 2014 11:20:43 +0100 + +lxml (3.3.0~beta4-1) experimental; urgency=medium + + * New upstream version 3.3.0 beta4. + * Update homepage. Closes: #698851. + + -- Matthias Klose <doko@debian.org> Tue, 14 Jan 2014 09:27:36 +0100 + +lxml (3.3.0~beta2-1) experimental; urgency=low + + * New upstream version 3.3.0 beta2. + + -- Matthias Klose <doko@debian.org> Thu, 26 Dec 2013 00:37:23 +0100 + +lxml (3.2.0-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sat, 11 May 2013 16:53:02 +0200 + +lxml (3.1.0-1) experimental; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Tue, 19 Feb 2013 21:47:31 +0100 + +lxml (3.1~beta1-1) experimental; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sun, 27 Jan 2013 22:14:53 +0100 + +lxml (3.0.1-1) experimental; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sun, 21 Oct 2012 19:29:34 +0200 + +lxml (2.3.5-1) unstable; urgency=low + + * New upstream version. + - Features added: + * lxml.html.tostring() gained new serialisation options + ``with_tail`` and ``doctype``. + - Bugs fixed: + * Crash when merging text nodes in ``element.remove()``. + * Crash in sax/target parser when reporting empty doctype. + * Crash when building an nsmap (Element property) with empty + namespace URIs. + * Crash due to race condition when errors (or user messages) occur + during threaded XSLT processing. + * XSLT stylesheet compilation could ignore compilation errors. + * Fixed a crash when using ``iterparse()`` for HTML parsing and + requesting start events. + * Fixed parsing of more selectors in cssselect. Whitespace before + pseudo-elements and pseudo-classes is significant as it is a + descendant combinator. + * lxml.html.diff no longer raises an exception when hitting + 'img' tags without 'src' attribute. + + -- Matthias Klose <doko@debian.org> Mon, 17 Sep 2012 13:29:26 +0200 + +lxml (2.3.2-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Wed, 04 Jan 2012 13:29:53 +0100 + +lxml (2.3-0.1) unstable; urgency=low + + * Upload 2.3 final to unstable as NMU at maintainer request + + -- Scott Kitterman <scott@kitterman.com> Mon, 07 Mar 2011 13:17:25 -0500 + +lxml (2.3~beta1-1) experimental; urgency=low + + * lxml-2.3 beta1 release. + + -- Matthias Klose <doko@debian.org> Sun, 05 Dec 2010 13:07:46 +0100 + +lxml (2.3~alpha2-1) experimental; urgency=low + + * lxml-2.3 alpha2 release. + - Fix build failure with python3.2. + + -- Matthias Klose <doko@debian.org> Mon, 18 Oct 2010 18:05:26 +0200 + +lxml (2.2.8-2) unstable; urgency=low + + * Add copyright and license information for test.py. Closes: #597547. + * Build using distribute. + + -- Matthias Klose <doko@debian.org> Thu, 23 Sep 2010 19:42:55 +0200 + +lxml (2.2.8-1) experimental; urgency=low + + * New upstream version (bug fix release): + - Crash in newer libxml2 versions when moving elements between + documents that had attributes on replaced XInclude nodes. + + -- Matthias Klose <doko@debian.org> Sun, 12 Sep 2010 19:10:50 +0200 + +lxml (2.2.7-1) experimental; urgency=low + + * New upstream version (bug fix release): + - Crash in XSLT when generating text-only result documents with a + stylesheet created in a different thread. + * Build python3 packages. Closes: #589333. + * Update package description. Closes: #579246. + * Remove empty directory from package: Closes: #569687. + + -- Matthias Klose <doko@debian.org> Sun, 12 Sep 2010 19:07:32 +0200 + +lxml (2.2.6-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@ubuntu.com> Wed, 10 Mar 2010 11:32:29 +0100 + +lxml (2.2.4-1) unstable; urgency=low + + * New upstream version. + * Build a python-lxml-doc package. Closes: #488258. + * Tighten build dependency. Closes: #551698. + + -- Matthias Klose <doko@debian.org> Sun, 03 Jan 2010 14:14:10 +0100 + +lxml (2.2.2-2) unstable; urgency=low + + * Call setup.py install with --install-layout=deb. Closes: #547831. + + -- Matthias Klose <doko@debian.org> Fri, 09 Oct 2009 00:46:15 +0200 + +lxml (2.2.2-1) unstable; urgency=low + + * New upstream version. Closes: #525961. + - Includes html5parser. Closes: #521714. + + -- Matthias Klose <doko@debian.org> Thu, 27 Aug 2009 09:09:23 +0200 + +lxml (2.1.5-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Tue, 06 Jan 2009 21:57:07 +0100 + +lxml (2.1.4-1) unstable; urgency=low + + * New upstream version. + * Remove the build dependency on cython, because cython doesn't have + support for python debug builds. + + -- Matthias Klose <doko@debian.org> Sun, 04 Jan 2009 15:01:17 +0000 + +lxml (2.1.3-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sun, 30 Nov 2008 14:36:53 +0000 + +lxml (2.1.2-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sun, 28 Sep 2008 23:33:48 +0200 + +lxml (2.1.1-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Generate src/lxml/lxml.*.[ch] from the .pyx files. + Closes: #497324. + + -- Thomas Viehmann <tv@beamnet.de> Wed, 10 Sep 2008 20:55:19 +0200 + +lxml (2.1.1-2) unstable; urgency=low + + * Fix import, when python-stats is installed (Andrew Deason). + Closes: #497324. + + -- Matthias Klose <doko@debian.org> Sat, 06 Sep 2008 12:34:24 +0000 + +lxml (2.1.1-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sun, 27 Jul 2008 00:22:27 +0200 + +lxml (2.1-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Fri, 18 Jul 2008 16:04:45 +0000 + +lxml (2.0.7-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Mon, 30 Jun 2008 23:41:38 +0200 + +lxml (2.0.6-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@ubuntu.com> Fri, 06 Jun 2008 01:46:44 +0200 + +lxml (2.0.5-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sat, 10 May 2008 11:31:36 +0200 + +lxml (2.0.4-1) unstable; urgency=low + + * New upstream version. + - Fixes crash with iterparse + root substitution. Closes: #473977. + + -- Matthias Klose <doko@debian.org> Sat, 19 Apr 2008 00:59:06 +0200 + +lxml (2.0.3-1) unstable; urgency=low + + * New upstream version. + * src/lxml/lxml.etree.{c,h}: Regenerated. + + -- Matthias Klose <doko@debian.org> Sun, 30 Mar 2008 15:12:58 +0200 + +lxml (2.0.2-2) unstable; urgency=low + + * Fix crash when using XML schema in iterparse (free-while-still-in-use bug). + Closes: #471840. + + -- Matthias Klose <doko@debian.org> Mon, 24 Mar 2008 19:00:36 +0100 + +lxml (2.0.2-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Wed, 12 Mar 2008 19:05:46 +0100 + +lxml (1.3.6-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sat, 26 Jan 2008 22:33:10 +0100 + +lxml (1.3.4-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sat, 20 Oct 2007 14:22:05 +0200 + +lxml (1.3.3-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Wed, 01 Aug 2007 20:41:48 +0200 + +lxml (1.3.2-2) unstable; urgency=low + + * Build-depend on zlib1g-dev. Closes: #434591. + + -- Matthias Klose <doko@debian.org> Wed, 25 Jul 2007 09:26:09 +0200 + +lxml (1.3.2-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Wed, 25 Jul 2007 02:02:51 +0200 + +lxml (1.2.1-1) unstable; urgency=low + + * New upstream version. + * Merge changes from Ubuntu: + - Build a python-lxml-dbg package. + + -- Matthias Klose <doko@debian.org> Sat, 02 Jun 2007 09:05:43 +0200 + +lxml (1.1.2-1) unstable; urgency=medium + + * New upstream version. + - fix import of lxml.objectify. Closes: #401644. + + -- Matthias Klose <doko@debian.org> Thu, 7 Dec 2006 19:24:53 +0100 + +lxml (1.1.1-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Tue, 24 Oct 2006 00:39:24 +0200 + +lxml (1.0.3-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Sat, 19 Aug 2006 22:37:14 +0200 + +lxml (1.0.2-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Fri, 7 Jul 2006 22:19:48 +0000 + +lxml (1.0.1-2) unstable; urgency=low + + * Add python-setuptools as a build dependency. + + -- Matthias Klose <doko@debian.org> Sat, 17 Jun 2006 11:41:10 +0000 + +lxml (1.0.1-1) unstable; urgency=low + + * New upstream version. + * Convert to new Python policy. Closes: #373460. + + -- Matthias Klose <doko@debian.org> Fri, 16 Jun 2006 22:04:16 +0200 + +lxml (0.9.1-1) unstable; urgency=low + + * New upstream version (closes: #362415). + + -- Matthias Klose <doko@debian.org> Fri, 14 Apr 2006 22:10:18 +0000 + +lxml (0.8-1) unstable; urgency=low + + * New upstream version. + + -- Matthias Klose <doko@debian.org> Thu, 15 Dec 2005 22:36:10 +0100 + +lxml (0.7-1) unstable; urgency=low + + * Upload to unstable. + + -- Matthias Klose <doko@debian.org> Sat, 8 Oct 2005 14:13:41 +0000 + +lxml (0.7-0ubuntu1) breezy; urgency=low + + * Initial release. + + -- Matthias Klose <doko@ubuntu.com> Thu, 6 Oct 2005 20:09:26 +0200 + --- lxml-3.5.0.orig/debian/compat +++ lxml-3.5.0/debian/compat @@ -0,0 +1 @@ +5 --- lxml-3.5.0.orig/debian/control +++ lxml-3.5.0/debian/control @@ -0,0 +1,92 @@ +Source: lxml +Section: python +Priority: optional +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Matthias Klose <doko@debian.org> +Build-Depends: debhelper (>= 5.0.37.1), + python-all-dev (>= 2.6.6-1~), python-all-dbg, + python3-all-dev (>= 3.3.3), python3-all-dbg, + python-pyrex (>= 0.9.4.1), + libxml2-dev, libxslt1-dev, zlib1g-dev, + python-setuptools, python3-setuptools (>= 0.6.29), + python-bs4, python3-bs4, + python-html5lib, python3-html5lib, + cython, cython-dbg, cython3, cython3-dbg +X-Python-Version: all +Standards-Version: 3.9.6 +Homepage: http://lxml.de/ + +Package: python-lxml +Architecture: any +Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends} +Provides: ${python:Provides} +Recommends: python-bs4, python-html5lib +Suggests: python-lxml-dbg, python-lxml-doc +Description: pythonic binding for the libxml2 and libxslt libraries + lxml is a new Python binding for libxml2 and libxslt, completely + independent from existing Python bindings. Its aim: + . + * Pythonic API. + * Documented. + * Use Python unicode strings in API. + * Safe (no segfaults). + * No manual memory management! + . + lxml aims to provide a Pythonic API by following as much as possible + the ElementTree API, trying to avoid inventing too many new APIs, + or the user's having to learn new things -- XML is complicated enough. + +Package: python-lxml-dbg +Priority: extra +Section: debug +Architecture: any +Depends: python-lxml (= ${binary:Version}), python-dbg, ${shlibs:Depends}, ${misc:Depends} +Description: pythonic binding for the libxml2 and libxslt libraries (debug extension) + lxml is a new Python binding for libxml2 and libxslt, completely + independent from existing Python bindings. + . + This package contains the extension built for the Python debug interpreter. + +Package: python3-lxml +Architecture: any +Depends: ${python3:Depends}, ${shlibs:Depends}, ${misc:Depends} +Recommends: python3-bs4, python3-html5lib +Suggests: python3-lxml-dbg, python-lxml-doc +Provides: ${python3:Provides} +Description: pythonic binding for the libxml2 and libxslt libraries + lxml is a new Python binding for libxml2 and libxslt, completely + independent from existing Python bindings. Its aim: + . + * Pythonic API. + * Documented. + * Use Python unicode strings in API. + * Safe (no segfaults). + * No manual memory management! + . + lxml aims to provide a Pythonic API by following as much as possible + the ElementTree API, trying to avoid inventing too many new APIs, + or the user's having to learn new things -- XML is complicated enough. + +Package: python3-lxml-dbg +Priority: extra +Section: debug +Architecture: any +Depends: python3-lxml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends} +Provides: ${python3:Provides} +Description: pythonic binding for the libxml2 and libxslt libraries (debug extension) + lxml is a new Python binding for libxml2 and libxslt, completely + independent from existing Python bindings. + . + This package contains the extension built for the Python3 debug interpreter. + +Package: python-lxml-doc +Priority: extra +Section: doc +Architecture: all +Depends: ${misc:Depends} +Recommends: python-lxml +Description: pythonic binding for the libxml2 and libxslt libraries (documentation) + lxml is a new Python binding for libxml2 and libxslt, completely + independent from these existing Python bindings. + . + This package contains the html documentation. --- lxml-3.5.0.orig/debian/copyright +++ lxml-3.5.0/debian/copyright @@ -0,0 +1,110 @@ +This package was debianized by Matthias Klose <doko@ubuntu.com> +on Thu, 6 Oct 2005 20:09:26 +0200. + +It was downloaded from http://codespeak.net/lxml/ + +Copyright Holder: Martijn Faassen and others. + +License: + +Copyright (c) 2004 Infrae. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + 3. Neither the name of Infrae nor the names of its contributors may + be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INFRAE OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Some code, such a selftest.py, selftest2.py and +src/lxml/_elementpath.py are derived from ElementTree and +cElementTree. See doc/licenses/elementtree.txt for the license text. + +test.py, the test-runner script, is GPL and copyright Shuttleworth +Foundation. See doc/licenses/GPL.txt. It is believed the unchanged +inclusion of test.py to run the unit test suite falls under the +"aggregation" clause of the GPL and thus does not affect the license +of the rest of the package. + +the doctest.py module is taken from the Python library and falls under +the PSF Python License. + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL'. + +PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 +-------------------------------------------- + +1. This LICENSE AGREEMENT is between the Python Software Foundation +("PSF"), and the Individual or Organization ("Licensee") accessing and +otherwise using this software ("Python") in source or binary form and +its associated documentation. + +2. Subject to the terms and conditions of this License Agreement, PSF +hereby grants Licensee a nonexclusive, royalty-free, world-wide +license to reproduce, analyze, test, perform and/or display publicly, +prepare derivative works, distribute, and otherwise use Python +alone or in any derivative version, provided, however, that PSF's +License Agreement and PSF's notice of copyright, i.e., "Copyright (c) +2001, 2002, 2003, 2004 Python Software Foundation; All Rights Reserved" +are retained in Python alone or in any derivative version prepared +by Licensee. + +3. In the event Licensee prepares a derivative work that is based on +or incorporates Python or any part thereof, and wants to make +the derivative work available to others as provided herein, then +Licensee hereby agrees to include in any such work a brief summary of +the changes made to Python. + +4. PSF is making Python available to Licensee on an "AS IS" +basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR +IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND +DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS +FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT +INFRINGE ANY THIRD PARTY RIGHTS. + +5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON +FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS +A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, +OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material +breach of its terms and conditions. + +7. Nothing in this License Agreement shall be deemed to create any +relationship of agency, partnership, or joint venture between PSF and +Licensee. This License Agreement does not grant permission to use PSF +trademarks or trade name in a trademark sense to endorse or promote +products or services of Licensee, or any third party. + +8. By copying, installing or otherwise using Python, Licensee +agrees to be bound by the terms and conditions of this License +Agreement. + + +Files: test.py +Copyright: Copyright (c) 2003 Shuttleworth Foundation +License: GPL2 or later + On Debian GNU/Linux systems, the complete text of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL2' --- lxml-3.5.0.orig/debian/python-lxml-doc.doc-base +++ lxml-3.5.0/debian/python-lxml-doc.doc-base @@ -0,0 +1,12 @@ +Document: lxml +Title: Pythonic binding for the libxml2 and libxslt libraries +Author: Martijn Faassen and others +Abstract: lxml is a Pythonic binding for the libxml2 and libxslt libraries. + It is unique in that it combines the speed and feature completeness of + these libraries with the simplicity of a native Python API, mostly + compatible but superior to the well-known ElementTree API. +Section: Programming/Python + +Format: html +Index: /usr/share/doc/python-lxml/html/index.html +Files: /usr/share/doc/python-lxml/html/*.html --- lxml-3.5.0.orig/debian/rules +++ lxml-3.5.0/debian/rules @@ -0,0 +1,138 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +PYVERS := $(shell pyversions -vs) +PYVER := $(shell pyversions -vd) + +PY3VERS := $(shell py3versions -vs) +PY3VER := $(shell py3versions -vd) + +UPSTREAMVER := $(subst lxml-,,$(notdir $(CURDIR))) + +include /usr/share/python3/python.mk + +prebuild: prebuild-stamp +prebuild-stamp: src/lxml/lxml.etree.pyx src/lxml/lxml.objectify.pyx +# cython src/lxml/lxml.etree.pyx src/lxml/lxml.objectify.pyx + touch $@ + +build-arch: build +build-indep: build +build: build-stamp build3-stamp +build-stamp: $(PYVERS:%=build-python%) $(PYVERS:%=dbg-build-python%) + touch $@ +build-python%: prebuild + python$* setup.py build + touch $@ +dbg-build-python%: prebuild + python$*-dbg setup.py build + touch $@ + +build3-stamp: $(PY3VERS:%=build3-python%) $(PY3VERS:%=dbg-build3-python%) + touch $@ +build3-python%: prebuild + python$* setup.py build + touch $@ +dbg-build3-python%: prebuild + python$*-dbg setup.py build + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build*-stamp build*-python* dbg-build*-python* prebuild-stamp + rm -rf build dist __pycache__ +# rm -f src/lxml/lxml.etree_api.h src/lxml/lxml.etree.c \ +# src/lxml/lxml.etree.h src/lxml/lxml.objectify.c + + -find -name '*.py[co]' | xargs rm -f + rm -rf [23].[0-9] + rm -f src/lxml/lxml-version.h + dh_clean + +install: build install-prereq $(PYVERS:%=install-python%) $(PYVERS:%=dbg-install-python%) $(PY3VERS:%=install3-python%) $(PY3VERS:%=dbg-install3-python%) + -find debian -name '*.py[co]' | xargs rm -f + -find debian -name __pycache__ | xargs rm -rf + rm -rf debian/python*-lxml/usr/lib/python + +install-prereq: + dh_testdir + dh_testroot + dh_clean -k + +install-python%: + mkdir -p debian/python-lxml/usr/bin + mkdir -p debian/python-lxml/$(call py_libdir, $*) + python$* setup.py install \ + --root=$(CURDIR)/debian/python-lxml --install-layout=deb + +dbg-install-python%: + mkdir -p debian/python-lxml/usr/bin + mkdir -p debian/python-lxml-dbg/$(call py_libdir, $*) + python$*-dbg setup.py install \ + --root=$(CURDIR)/debian/python-lxml-dbg --install-layout=deb + find debian/python-*-dbg ! -type d ! -name '*.so' | xargs rm -f + find debian/python-*-dbg -depth -empty -exec rmdir {} \; + +install3-python%: + mkdir -p debian/python3-lxml/usr/bin + mkdir -p debian/python3-lxml/$(call py_libdir, $*) + python$* setup.py install \ + --root=$(CURDIR)/debian/python3-lxml --install-layout=deb + +dbg-install3-python%: + mkdir -p debian/python3-lxml/usr/bin + mkdir -p debian/python3-lxml-dbg/$(call py_libdir, $*) + python$*-dbg setup.py install \ + --root=$(CURDIR)/debian/python3-lxml-dbg --install-layout=deb + find debian/python3-*-dbg ! -type d ! -name '*.so' | xargs rm -f + find debian/python3-*-dbg -depth -empty -exec rmdir {} \; + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs -i + dh_installdocs -i + mkdir -p debian/python-lxml-doc/usr/share/doc/python-lxml + cp -r doc/html debian/python-lxml-doc/usr/share/doc/python-lxml/ + ln -sf ../python-lxml/html debian/python-lxml-doc/usr/share/doc/python-lxml-doc/html + dh_installexamples -i samples/* + dh_compress -i -X.xml -X.py \ + -X.html -X.css -X.asc -X.png -Xapi-objects.txt + dh_fixperms -i + dh_installdeb -i + dh_shlibdeps -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs -a CHANGES.txt + dh_installdocs -a CREDITS.txt README.rst TODO.txt + dh_installexamples -a samples/* + dh_python2 -a + dh_python3 -a + dh_strip -ppython-lxml --dbg-package=python-lxml-dbg + rm -rf debian/python-lxml-dbg/usr/share/doc/python-lxml-dbg + ln -s python-lxml debian/python-lxml-dbg/usr/share/doc/python-lxml-dbg + dh_strip -ppython3-lxml --dbg-package=python3-lxml-dbg + rm -rf debian/python3-lxml-dbg/usr/share/doc/python3-lxml-dbg + ln -s python3-lxml debian/python3-lxml-dbg/usr/share/doc/python3-lxml-dbg + dh_compress -a -X.xml -X.py \ + -X.html -X.css -X.asc -X.png -Xapi-objects.txt + dh_fixperms -a + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- lxml-3.5.0.orig/debian/watch +++ lxml-3.5.0/debian/watch @@ -0,0 +1,3 @@ +version=3 +opts=uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|b|a)[\-\.]?\d*)$/$1~$2/ \ +http://pypi.debian.net/lxml/lxml-(.*).tar.gz --- lxml-3.5.0.orig/src/lxml/html/clean.py +++ lxml-3.5.0/src/lxml/html/clean.py @@ -8,9 +8,11 @@ import copy try: from urlparse import urlsplit + from urllib import unquote_plus except ImportError: # Python 3 from urllib.parse import urlsplit + from urllib.parse import urlsplit, unquote_plus from lxml import etree from lxml.html import defs from lxml.html import fromstring, tostring, XHTML_NAMESPACE @@ -61,12 +63,19 @@ # This is an IE-specific construct you can have in a stylesheet to # run some Javascript: -_css_javascript_re = re.compile( - r'expression\s*$.*?$', re.S|re.I) +_replace_css_javascript = re.compile( + r'expression\s*$.*?$', re.S|re.I).sub # Do I have to worry about @\nimport? -_css_import_re = re.compile( - r'@\s*import', re.I) +_replace_css_import = re.compile( + r'@\s*import', re.I).sub + +try: + _looks_like_tag_content = re.compile( + r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search +except AttributeError: + _looks_like_tag_content = re.compile( + r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=').search # All kinds of schemes besides just javascript: that can cause # execution: @@ -285,8 +294,8 @@ # from styles, otherwise... for el in _find_styled_elements(doc): old = el.get('style') - new = _css_javascript_re.sub('', old) - new = _css_import_re.sub('', new) + new = _replace_css_javascript('', old) + new = _replace_css_import('', new) if self._has_sneaky_javascript(new): # Something tricky is going on... del el.attrib['style'] @@ -297,9 +306,9 @@ el.drop_tree() continue old = el.text or '' - new = _css_javascript_re.sub('', old) + new = _replace_css_javascript('', old) # The imported CSS can do anything; we just can't allow: - new = _css_import_re.sub('', old) + new = _replace_css_import('', new) if self._has_sneaky_javascript(new): # Something tricky is going on... el.text = '/* deleted */' @@ -473,7 +482,7 @@ def _remove_javascript_link(self, link): # links like "j a v a s c r i p t:" might be interpreted in IE - new = _substitute_whitespace('', link) + new = _substitute_whitespace('', unquote_plus(link)) if _is_javascript_scheme(new): # FIXME: should this be None to delete? return '' @@ -500,6 +509,12 @@ return True if 'expression(' in style: return True + if '</noscript' in style: + # e.g. '<noscript><style><a title="

">' + return True + if _looks_like_tag_content(style): + # e.g. '

' + return True return False def clean_html(self, html): --- lxml-3.5.0.orig/src/lxml/html/defs.py +++ lxml-3.5.0/src/lxml/html/defs.py @@ -27,6 +27,8 @@ 'usemap', # Not standard: 'dynsrc', 'lowsrc', + # HTML5 formaction + 'formaction' ]) # Not in the HTML 4 spec: --- lxml-3.5.0.orig/src/lxml/html/tests/test_clean.py +++ lxml-3.5.0/src/lxml/html/tests/test_clean.py @@ -69,6 +69,41 @@ s = lxml.html.fromstring('child') self.assertEqual('child', clean_html(s).text_content()) + def test_sneaky_noscript_in_style(self): + # This gets parsed as ..." + # thus passing the through into the output. + html = '

">' + s = lxml.html.fragment_fromstring(html) + + self.assertEqual( + b'', + lxml.html.tostring(clean_html(s))) + + def test_sneaky_js_in_math_style(self): + # This gets parsed as

-> "..." +        # thus passing any tag/script/whatever content through into the output.
+        html = '

' + s = lxml.html.fragment_fromstring(html) + + self.assertEqual( + b'

/* deleted */

', + lxml.html.tostring(clean_html(s))) + + def test_formaction_attribute_in_button_input(self): + # The formaction attribute overrides the form's action and should be + # treated as a malicious link attribute + html = ('' + '') + expected = ('

' + '

') + cleaner = Cleaner( + forms=False, + safe_attrs_only=False, + ) + self.assertEqual( + expected, + cleaner.clean_html(html)) + def test_suite(): suite = unittest.TestSuite() --- lxml-3.5.0.orig/src/lxml/html/tests/test_clean.txt +++ lxml-3.5.0/src/lxml/html/tests/test_clean.txt @@ -18,7 +18,7 @@ ... ... ... a link -... a control char link +... a control char link ... data ... another link ...

a paragraph

@@ -51,7 +51,7 @@ a link - a control char link + a control char link data another link

a paragraph

@@ -84,7 +84,7 @@ a link - a control char link + a control char link data another link

a paragraph

@@ -104,7 +104,11 @@ >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc)) - + a link @@ -148,7 +152,11 @@ - + a link