-
-
Notifications
You must be signed in to change notification settings - Fork 567
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prevent combinations of <math/svg> and <style> to sneak JavaScript th…
…rough the HTML cleaner.
- Loading branch information
Showing
4 changed files
with
50 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a105ab8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doing a backporting of this patch and would like some advice, if possible. For versions running with Python2, is removing the re.ASCII part in line 72 ok? Since python2 versions hasn't that flag.
thanks!
a105ab8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Never mind, sounds py2 is default re.ASCII , and that flag is only required in py3.
a105ab8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See 4cb5736
a105ab8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @scoder, was this part of the fix of CVE-2020-27783 or is this a new separate issue?
Asking this because CVE-2020-27783 was assigned to the issue fixed in 89e7aad which are the noscript and style vectors and this commit added math/svg as well.
Also, looks like the CVE-2020-27783 was fixed in 4.6.1 version and it is on 4.6.2 ChangeLog as well.
Could you please clarify? Thank you.
a105ab8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I consider both issues part of the same (kind of) vulnerability, and they were discovered together.
Thus, use 4.6.2.