kumquat-buildroot/package/python-markdown2/0002-Better-fix-for-issue-348.patch
Fabrice Fontaine 544007dcc4 package/python-markdown2: fix CVE-2020-11888
python-markdown2 through 2.3.8 allows XSS because element names are
mishandled unless a \w+ match succeeds. For example, an attack might use
elementname@ or elementname- with an onclick attribute.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-12 10:00:34 +02:00


From 0c0543846fa54281e2269b0bff841a0b9ffe23fe Mon Sep 17 00:00:00 2001
From: Gareth Simpson <gareth.simpson@zoodigital.com>
Date: Sat, 2 May 2020 21:22:36 +0100
Subject: [PATCH] Better fix for issue 348
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/trentm/python-markdown2/commit/0c0543846fa54281e2269b0bff841a0b9ffe23fe]
---
lib/markdown2.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/markdown2.py b/lib/markdown2.py
index 636bf07..be86502 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -2164,11 +2164,14 @@ def _encode_amps_and_angles(self, text):
text = self._naked_gt_re.sub('&gt;', text)
return text
- _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
+ _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
def _encode_incomplete_tags(self, text):
if self.safe_mode not in ("replace", "escape"):
return text
+
+ if text.endswith(">"):
+ return text # this is not an incomplete tag, this is a link in the form <http://x.y.z>
return self._incomplete_tags_re.sub("&lt;\\1", text)
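Review bot: The new `text.endswith(">")` early return is a whole-chunk check, not a per-tag one, so a chunk that contains an incomplete tag earlier but happens to end with `>` (a later complete tag or a trailing `<http://x.y.z>` autolink) skips `_incomplete_tags_re.sub` for everything in it; consider excluding the autolink form inside the regex (or checking the matched span) instead of bailing out on the last character of the text. Also, replacing `.?` with `.+?` in `"<(/?\w+?(?!\w).+?[\s/]+?)"` now requires at least one character between the element name and the following whitespace or slash, so `<div class` with a single space no longer matches unless another space or `/` follows; `.*?` keeps the tightened name boundary from `(?!\w)` without that regression. Finally, the pattern is a plain string containing `\w` and `\s`; use a raw string (`r"<(/?\w+?(?!\w).*?[\s/]+?)"`) to avoid Python's invalid-escape-sequence warnings.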