5 년 전 · 604fe08806
--- a/package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
+++ b/package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
@@ -0,0 +1,53 @@
 
				+From 9144d0fc5d5249cc4d81287ee79091806e6dde52 Mon Sep 17 00:00:00 2001
			
 
				+From: Gareth Simpson <gareth.simpson@zoodigital.com>
			
 
				+Date: Fri, 1 May 2020 19:31:21 +0100
			
 
				+Subject: [PATCH] Fix for issue 348 - incomplete tags with punctuation after as
			
 
				+ part of the tag name are a source of XSS
			
 
				+
			
 
				+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
			
 
				+[Retrieved from:
			
 
				+https://github.com/trentm/python-markdown2/commit/9144d0fc5d5249cc4d81287ee79091806e6dde52]
			
 
				+---
			
 
				+ lib/markdown2.py                           | 2 +-
			
 
				+ test/tm-cases/issue348_incomplete_tag.html | 1 +
			
 
				+ test/tm-cases/issue348_incomplete_tag.opts | 1 +
			
 
				+ test/tm-cases/issue348_incomplete_tag.text | 1 +
			
 
				+ 4 files changed, 4 insertions(+), 1 deletion(-)
			
 
				+ create mode 100644 test/tm-cases/issue348_incomplete_tag.html
			
 
				+ create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
			
 
				+ create mode 100644 test/tm-cases/issue348_incomplete_tag.text
			
 
				+
			
 
				+diff --git a/lib/markdown2.py b/lib/markdown2.py
			
 
				+index 3a5d5d9..636bf07 100755
			
 
				+--- a/lib/markdown2.py
			
 
				++++ b/lib/markdown2.py
			
 
				+@@ -2164,7 +2164,7 @@ def _encode_amps_and_angles(self, text):
			
 
				+         text = self._naked_gt_re.sub('&gt;', text)
			
 
				+         return text
			
 
				+ 
			
 
				+-    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
			
 
				++    _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
			
 
				+ 
			
 
				+     def _encode_incomplete_tags(self, text):
			
 
				+         if self.safe_mode not in ("replace", "escape"):
			
 
				+diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
			
 
				+new file mode 100644
			
 
				+index 0000000..46059cc
			
 
				+--- /dev/null
			
 
				++++ b/test/tm-cases/issue348_incomplete_tag.html
			
 
				+@@ -0,0 +1 @@
			
 
				++<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
			
 
				+diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
			
 
				+new file mode 100644
			
 
				+index 0000000..ad487c0
			
 
				+--- /dev/null
			
 
				++++ b/test/tm-cases/issue348_incomplete_tag.opts
			
 
				+@@ -0,0 +1 @@
			
 
				++{"safe_mode": "escape"}
			
 
				+diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
			
 
				+new file mode 100644
			
 
				+index 0000000..bb4a0de
			
 
				+--- /dev/null
			
 
				++++ b/test/tm-cases/issue348_incomplete_tag.text
			
 
				+@@ -0,0 +1 @@
			
 
				++<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
			
--- a/package/python-markdown2/0002-Better-fix-for-issue-348.patch
+++ b/package/python-markdown2/0002-Better-fix-for-issue-348.patch
@@ -0,0 +1,32 @@
 
				+From 0c0543846fa54281e2269b0bff841a0b9ffe23fe Mon Sep 17 00:00:00 2001
			
 
				+From: Gareth Simpson <gareth.simpson@zoodigital.com>
			
 
				+Date: Sat, 2 May 2020 21:22:36 +0100
			
 
				+Subject: [PATCH] Better fix for issue 348
			
 
				+
			
 
				+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
			
 
				+[Retrieved from:
			
 
				+https://github.com/trentm/python-markdown2/commit/0c0543846fa54281e2269b0bff841a0b9ffe23fe]
			
 
				+---
			
 
				+ lib/markdown2.py | 5 ++++-
			
 
				+ 1 file changed, 4 insertions(+), 1 deletion(-)
			
 
				+
			
 
				+diff --git a/lib/markdown2.py b/lib/markdown2.py
			
 
				+index 636bf07..be86502 100755
			
 
				+--- a/lib/markdown2.py
			
 
				++++ b/lib/markdown2.py
			
 
				+@@ -2164,11 +2164,14 @@ def _encode_amps_and_angles(self, text):
			
 
				+         text = self._naked_gt_re.sub('&gt;', text)
			
 
				+         return text
			
 
				+ 
			
 
				+-    _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
			
 
				++    _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
			
 
				+ 
			
 
				+     def _encode_incomplete_tags(self, text):
			
 
				+         if self.safe_mode not in ("replace", "escape"):
			
 
				+             return text
			
 
				++            
			
 
				++        if text.endswith(">"):
			
 
				++            return text  # this is not an incomplete tag, this is a link in the form <http://x.y.z>
			
 
				+ 
			
 
				+         return self._incomplete_tags_re.sub("&lt;\\1", text)
			
 
				+ 
			
--- a/package/python-markdown2/python-markdown2.mk
+++ b/package/python-markdown2/python-markdown2.mk
@@ -11,4 +11,8 @@ PYTHON_MARKDOWN2_SETUP_TYPE = setuptools
 
				 PYTHON_MARKDOWN2_LICENSE = MIT
			
 
				 PYTHON_MARKDOWN2_LICENSE_FILES = LICENSE.txt
			
 
				 
			
 
				+# 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
			
 
				+# 0002-Better-fix-for-issue-348.patch
			
 
				+PYTHON_MARKDOWN2_IGNORE_CVES += CVE-2020-11888
			
 
				+
			
 
				 $(eval $(python-package))