From c79de61fed4cda88f1977b53418623a61b0ec14e Mon Sep 17 00:00:00 2001
From: Joe Slater
Date: Mon, 19 Jan 2015 13:07:08 -0800
Subject: python-lxml: move to version 3.2.5

Remove version 3.0.2.

Signed-off-by: Joe Slater
Signed-off-by: Martin Jansa
---
 .../python-lxml-3.2.5-fix-CVE-2014-3146.patch | 91 ++++++++++++++++++++++
 .../recipes-devtools/python/python-lxml_3.0.2.bb | 33 --------
 .../recipes-devtools/python/python-lxml_3.2.5.bb | 35 +++++++++
 3 files changed, 126 insertions(+), 33 deletions(-)
 create mode 100644 meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
 delete mode 100644 meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
 create mode 100644 meta-python/recipes-devtools/python/python-lxml_3.2.5.bb

diff --git a/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
new file mode 100644
index 0000000000..0a8e211bd3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch
@@ -0,0 +1,91 @@ +Upstream-status:Backport + +--- a/src/lxml/html/clean.py ++++ b/src/lxml/html/clean.py +@@ -70,9 +70,10 @@ _css_import_re = re.compile( + + # All kinds of schemes besides just javascript: that can cause + # execution: +-_javascript_scheme_re = re.compile( +- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I) +-_substitute_whitespace = re.compile(r'\s+').sub ++_is_javascript_scheme = re.compile( ++ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', ++ re.I).search ++_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub + # FIXME: should data: be blocked? + + # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx +@@ -467,7 +468,7 @@ class Cleaner(object): + def _remove_javascript_link(self, link): + # links like "j a v a s c r i p t:" might be interpreted in IE + new = _substitute_whitespace('', link) +- if _javascript_scheme_re.search(new): ++ if _is_javascript_scheme(new): + # FIXME: should this be None to delete? + return '' + return link +--- a/src/lxml/html/tests/test_clean.txt ++++ b/src/lxml/html/tests/test_clean.txt +@@ -1,3 +1,4 @@ ++>>> import re + >>> from lxml.html import fromstring, tostring + >>> from lxml.html.clean import clean, clean_html, Cleaner + >>> from lxml.html import usedoctest +@@ -17,6 +18,7 @@ + ... + ... + ... a link ++... a control char link + ... data + ... another link + ...

a paragraph

+@@ -33,7 +35,7 @@ + ... + ... ''' + +->>> print(doc) ++>>> print(re.sub('[\x00-\x07\x0E]', '', doc)) + + + +@@ -49,6 +51,7 @@ + + + a link ++ a control char link + data + another link +

a paragraph

+@@ -81,6 +84,7 @@ + + + a link ++ a control char link + data + another link +

a paragraph

+@@ -104,6 +108,7 @@ + + + a link ++ a control char link + data + another link +

a paragraph

+@@ -123,6 +128,7 @@ + + + a link ++ a control char link + data + another link +

a paragraph

+@@ -146,6 +152,7 @@ + + + a link ++ a control char link + data + another link +

a paragraph
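Review bot: The new whitespace-stripping class in the embedded clean.py hunk, `[\s\x00-\x08\x0B\x0C\x0E-\x19]+`, ends its last range at `\x19`, so the control characters `\x1A`–`\x1F` are removed only where `\s` happens to cover them. The line is presumably taken verbatim from upstream, but the bound may be a decimal/hex slip, and it is worth confirming whether `\x0E-\x1F` was intended before treating this patch as the complete fix for CVE-2014-3146. Separately, the patch header is the single line `Upstream-status:Backport`; the conventional form is `Upstream-Status: Backport` followed by the upstream commit reference and a `Signed-off-by:` line, which is what lets the backport be audited and dropped at the next upgrade.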

diff --git a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb b/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
deleted file mode 100644
index 5ab7b4a793..0000000000
--- a/meta-python/recipes-devtools/python/python-lxml_3.0.2.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-SUMMARY = "Python XML bindings for libxml2 and libxslt"
-DESCRIPTION = "Powerful and Pythonic XML processing library combining \
-libxml2/libxslt with the ElementTree API."
-HOMEPAGE = "http://codespeak.net/lxml"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=f9f1dc24f720c143c2240df41fe5073b"
-SRCNAME = "lxml"
-
-DEPENDS = "libxml2 libxslt"
-
-SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz;name=lxml"
-SRC_URI[lxml.md5sum] = "38b15b0dd5e9292cf98be800e84a3ce4"
-SRC_URI[lxml.sha256sum] = "cadba4cf0e235127795f76a6f7092cb035da23a6e9ec4c93f8af43a6784cd101"
-
-S = "${WORKDIR}/${SRCNAME}-${PV}"
-
-inherit setuptools
-
-DISTUTILS_BUILD_ARGS += " \
- --with-xslt-config='${STAGING_BINDIR_NATIVE}/pkg-config libxslt' \
- --with-xml2-config='${STAGING_BINDIR_CROSS}/xml2-config' \
-"
-
-DISTUTILS_INSTALL_ARGS += " \
- --with-xslt-config='${STAGING_BINDIR_NATIVE}/pkg-config libxslt' \
- --with-xml2-config='${STAGING_BINDIR_CROSS}/xml2-config' \
-"
-
-BBCLASSEXTEND = "native nativesdk"
-
-RDEPENDS_${PN} += "libxml2 libxslt python-compression"
-RDEPENDS_${PN}_virtclass-native = "libxml2-native libxslt-native"
-
diff --git a/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
new file mode 100644
index 0000000000..1fa2889958
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-lxml_3.2.5.bb
@@ -0,0 +1,35 @@
+SUMMARY = "Python XML bindings for libxml2 and libxslt"
+DESCRIPTION = "Powerful and Pythonic XML processing library combining \
+libxml2/libxslt with the ElementTree API."
+HOMEPAGE = "http://codespeak.net/lxml"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=f9f1dc24f720c143c2240df41fe5073b"
+SRCNAME = "lxml"
+
+DEPENDS = "libxml2 libxslt"
+
+SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
+ file://python-lxml-3.2.5-fix-CVE-2014-3146.patch "
+
+SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7"
+SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e"
+
+S = "${WORKDIR}/${SRCNAME}-${PV}"
+
+inherit setuptools
+
+DISTUTILS_BUILD_ARGS += " \
+ --with-xslt-config='${STAGING_BINDIR_NATIVE}/pkg-config libxslt' \
+ --with-xml2-config='${STAGING_BINDIR_CROSS}/xml2-config' \
+"
+
+DISTUTILS_INSTALL_ARGS += " \
+ --with-xslt-config='${STAGING_BINDIR_NATIVE}/pkg-config libxslt' \
+ --with-xml2-config='${STAGING_BINDIR_CROSS}/xml2-config' \
+"
+
+BBCLASSEXTEND = "native nativesdk"
+
+RDEPENDS_${PN} += "libxml2 libxslt python-compression"
+RDEPENDS_${PN}_virtclass-native = "libxml2-native libxslt-native"
+
-- cgit 1.2.3-korg
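Review bot: `SRC_URI` in the new recipe still fetches the tarball over plain `http://pypi.python.org/...`, so the pinned `SRC_URI[sha256sum]` is the only thing protecting the download; the md5sum adds little against deliberate tampering. Switching the scheme to `https://` keeps the checksum as the integrity check while removing the cleartext fetch. The `file://python-lxml-3.2.5-fix-CVE-2014-3146.patch ` entry also carries a trailing space inside the quoted value, which is harmless but worth trimming.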