diff options
| author |   Li xin <lixin.fnst@cn.fujitsu.com> | 2015-08-17 13:25:22 +0800 |
|---|---|---|
| committer |   Martin Jansa <Martin.Jansa@gmail.com> | 2015-08-24 13:56:26 +0200 |
| commit | 8a924ab5ce83732f06f7a3349a83416a6b4a09ba (patch) | |
| tree | 69f708bf3f2319f13157c0c74ce8dbf90d4f0cdf | |
| parent | 4946d2013d57e0c3dfbf6b3191af1a0db6dbc4f8 (diff) | |
| download | meta-python2-8a924ab5ce83732f06f7a3349a83416a6b4a09ba.tar.gz | |
python-lxml: upgrade 3.2.5 -> 3.4.4
* Dropped backported python-lxml-3.2.5-fix-CVE-2014-3146.patch
* Modify DISTUTILS_INSTALL_ARGS to avoid errors in the step of do_install
| ValueError: invalid literal for int() with base 10:
'--should-not-have-used-/usr/bin/xml2-config'
| ERROR: python setup.py install execution failed.
(From meta-openembedded commit: f13f3b2f20d5a4d14c084a7965034570bdc56319)
Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Tim Orling <ticotimo@gmail.com>
| -rw-r--r-- | recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch | 91 | ||||
| -rw-r--r-- | recipes-devtools/python/python-lxml_3.4.4.bb (renamed from recipes-devtools/python/python-lxml_3.2.5.bb) | 9 |
2 files changed, 4 insertions, 96 deletions
diff --git a/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch b/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch deleted file mode 100644 index 0a8e211..0000000 --- a/recipes-devtools/python/python-lxml/python-lxml-3.2.5-fix-CVE-2014-3146.patch +++ /dev/null @@ -1,91 +0,0 @@ -Upstream-status:Backport - ---- a/src/lxml/html/clean.py -+++ b/src/lxml/html/clean.py -@@ -70,9 +70,10 @@ _css_import_re = re.compile( - - # All kinds of schemes besides just javascript: that can cause - # execution: --_javascript_scheme_re = re.compile( -- r'\s*(?:javascript|jscript|livescript|vbscript|data|about|mocha):', re.I) --_substitute_whitespace = re.compile(r'\s+').sub -+_is_javascript_scheme = re.compile( -+ r'(?:javascript|jscript|livescript|vbscript|data|about|mocha):', -+ re.I).search -+_substitute_whitespace = re.compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub - # FIXME: should data: be blocked? - - # FIXME: check against: http://msdn2.microsoft.com/en-us/library/ms537512.aspx -@@ -467,7 +468,7 @@ class Cleaner(object): - def _remove_javascript_link(self, link): - # links like "j a v a s c r i p t:" might be interpreted in IE - new = _substitute_whitespace('', link) -- if _javascript_scheme_re.search(new): -+ if _is_javascript_scheme(new): - # FIXME: should this be None to delete? - return '' - return link ---- a/src/lxml/html/tests/test_clean.txt -+++ b/src/lxml/html/tests/test_clean.txt -@@ -1,3 +1,4 @@ -+>>> import re - >>> from lxml.html import fromstring, tostring - >>> from lxml.html.clean import clean, clean_html, Cleaner - >>> from lxml.html import usedoctest -@@ -17,6 +18,7 @@ - ... <body onload="evil_function()"> - ... <!-- I am interpreted for EVIL! --> - ... <a href="javascript:evil_function()">a link</a> -+... <a href="j\x01a\x02v\x03a\x04s\x05c\x06r\x07i\x0Ep t:evil_function()">a control char link</a> - ... <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> - ... <a href="#" onclick="evil_function()">another link</a> - ... <p onclick="evil_function()">a paragraph</p> -@@ -33,7 +35,7 @@ - ... </body> - ... </html>''' - -->>> print(doc) -+>>> print(re.sub('[\x00-\x07\x0E]', '', doc)) - <html> - <head> - <script type="text/javascript" src="evil-site"></script> -@@ -49,6 +51,7 @@ - <body onload="evil_function()"> - <!-- I am interpreted for EVIL! --> - <a href="javascript:evil_function()">a link</a> -+ <a href="javascrip t:evil_function()">a control char link</a> - <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> - <a href="#" onclick="evil_function()">another link</a> - <p onclick="evil_function()">a paragraph</p> -@@ -81,6 +84,7 @@ - <body onload="evil_function()"> - <!-- I am interpreted for EVIL! --> - <a href="javascript:evil_function()">a link</a> -+ <a href="javascrip%20t:evil_function()">a control char link</a> - <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0Pg==">data</a> - <a href="#" onclick="evil_function()">another link</a> - <p onclick="evil_function()">a paragraph</p> -@@ -104,6 +108,7 @@ - </head> - <body> - <a href="">a link</a> -+ <a href="">a control char link</a> - <a href="">data</a> - <a href="#">another link</a> - <p>a paragraph</p> -@@ -123,6 +128,7 @@ - </head> - <body> - <a href="">a link</a> -+ <a href="">a control char link</a> - <a href="">data</a> - <a href="#">another link</a> - <p>a paragraph</p> -@@ -146,6 +152,7 @@ - </head> - <body> - <a href="">a link</a> -+ <a href="">a control char link</a> - <a href="">data</a> - <a href="#">another link</a> - <p>a paragraph</p> diff --git a/recipes-devtools/python/python-lxml_3.2.5.bb b/recipes-devtools/python/python-lxml_3.4.4.bb index 68e3677..2480e4d 100644 --- a/recipes-devtools/python/python-lxml_3.2.5.bb +++ b/recipes-devtools/python/python-lxml_3.4.4.bb @@ -8,11 +8,10 @@ SRCNAME = "lxml" DEPENDS = "libxml2 libxslt" -SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \ - file://python-lxml-3.2.5-fix-CVE-2014-3146.patch " +SRC_URI = "http://pypi.python.org/packages/source/l/${SRCNAME}/${SRCNAME}-${PV}.tar.gz" -SRC_URI[md5sum] = "6c4fb9b1840631cff09b8229a12a9ef7" -SRC_URI[sha256sum] = "2bf072808a6546d0e56bf1ad3b98a43cca828724360d7419fad135141bd31f7e" +SRC_URI[md5sum] = "a9a65972afc173ec7a39c585f4eea69c" +SRC_URI[sha256sum] = "b3d362bac471172747cda3513238f115cbd6c5f8b8e6319bf6a97a7892724099" S = "${WORKDIR}/${SRCNAME}-${PV}" @@ -25,7 +24,7 @@ DISTUTILS_BUILD_ARGS += " \ DISTUTILS_INSTALL_ARGS += " \ --with-xslt-config='${STAGING_BINDIR_NATIVE}/pkg-config libxslt' \ - --with-xml2-config='${STAGING_BINDIR_CROSS}/xml2-config' \ + --with-xml2-config='${STAGING_BINDIR_CROSS}/pkg-config libxml2' \ " BBCLASSEXTEND = "native nativesdk" |