peeweep/python-defusedxml
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: peeweep:el6
Branches Tags
peeweep:rawhide peeweep:f44 peeweep:main peeweep:f43 peeweep:f42 peeweep:epel10 peeweep:epel10.0 peeweep:epel10.1 peeweep:epel10.2 peeweep:f41 peeweep:f40 peeweep:epel7 peeweep:f39 peeweep:f38 peeweep:f37 peeweep:epel8-playground peeweep:f36 peeweep:epel9 peeweep:f35 peeweep:f33 peeweep:f34 peeweep:epel8 peeweep:f32 peeweep:f31 peeweep:f30 peeweep:f29 peeweep:f28 peeweep:f27 peeweep:f24 peeweep:f25 peeweep:f26 peeweep:el6 peeweep:f21 peeweep:f22 peeweep:f23 peeweep:f20 peeweep:f17 peeweep:f18 peeweep:f19
..
compare: peeweep:f20
Branches Tags
peeweep:f44 peeweep:main peeweep:rawhide peeweep:f43 peeweep:f42 peeweep:epel10 peeweep:epel10.0 peeweep:epel10.1 peeweep:epel10.2 peeweep:f41 peeweep:f40 peeweep:epel7 peeweep:f39 peeweep:f38 peeweep:f37 peeweep:epel8-playground peeweep:f36 peeweep:epel9 peeweep:f35 peeweep:f33 peeweep:f34 peeweep:epel8 peeweep:f32 peeweep:f31 peeweep:f30 peeweep:f29 peeweep:f28 peeweep:f27 peeweep:f24 peeweep:f25 peeweep:f26 peeweep:el6 peeweep:f21 peeweep:f22 peeweep:f23 peeweep:f20 peeweep:f17 peeweep:f18 peeweep:f19

1 Commits
el6 ... f20

Author SHA1 Message Date
Dennis Gilmore
eac516ac24 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-04 01:56:54 -05:00
7 changed files with 10 additions and 317 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,2 +1 @@
/defusedxml-0.4.tar.gz
/defusedxml-0.4.1.tar.gz

101
0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch
View File

@@ -1,101 +0,0 @@
From 9b9517ec7dfac674052d41ec96e4c85e197f3228 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Thu, 22 Dec 2016 12:38:03 -0800
Subject: [PATCH] Fully fix iterparse() defusing on Python 3.6
Python 3.3 did a very thorough job of hiding the pure-Python
iterparse() from defusedxml, so we had to not use iterparse()
directly, but find and use the pure-Python _IterParseIterator
instead. This trick breaks with Python 3.6, though, because
_IterParseIterator is no longer accessible externally at all.
However, it turns out Python 3.3's approach to iterparse() was
a one-off: the implementation of the C accelerator stuff was
changed again in 3.4, and from 3.4 onwards we should be getting
the pure-Python iterparse() again. So we can make the private
iterator access dodge specific to Python 3.3, and just use the
simple code which uses iterparse() directly - which we were
only using for Python 2.7 until now - for Python 3.2 and 3.4+.
---
defusedxml/ElementTree.py | 16 ++++++++++------
defusedxml/common.py | 7 +++++--
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
index 8c46064..28ffce0 100644
--- a/defusedxml/ElementTree.py
+++ b/defusedxml/ElementTree.py
@@ -8,7 +8,7 @@
from __future__ import print_function, absolute_import
import sys
-from .common import PY3, PY26, PY31
+from .common import PY3, PY26, PY31, PY33
if PY3:
import importlib
else:
@@ -29,7 +29,7 @@ from .common import (DTDForbidden, EntitiesForbidden,
__origin__ = "xml.etree.ElementTree"
def _get_py3_cls():
- """Python 3.3 hides the pure Python code but defusedxml requires it.
+ """Python 3.3+ hide the pure Python code but defusedxml requires it.
The code is based on test.support.import_fresh_module().
"""
@@ -49,12 +49,16 @@ def _get_py3_cls():
_XMLParser = pure_pymod.XMLParser
_iterparse = pure_pymod.iterparse
- if PY31 or sys.version_info >= (3, 6):
- _IterParseIterator = None
+ ParseError = pure_pymod.ParseError
+ _IterParseIterator = None
+ if PY31:
from xml.parsers.expat import ExpatError as ParseError
- else:
+ if PY33:
+ # Python 3.3 specifically did some shenanigans to hide the
+ # pure-Python iterparse() entirely, so we need to use the
+ # this private iterator instead. All other Pythons don't have
+ # this problem
_IterParseIterator = pure_pymod._IterParseIterator
- ParseError = pure_pymod.ParseError
return _XMLParser, _iterparse, _IterParseIterator, ParseError
diff --git a/defusedxml/common.py b/defusedxml/common.py
index 5e5f8a2..53a5326 100644
--- a/defusedxml/common.py
+++ b/defusedxml/common.py
@@ -11,6 +11,7 @@ from types import MethodType
PY3 = sys.version_info[0] == 3
PY26 = sys.version_info[:2] == (2, 6)
PY31 = sys.version_info[:2] == (3, 1)
+PY33 = sys.version_info[:2] == (3, 3)
class DefusedXmlException(ValueError):
@@ -126,7 +127,9 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
bind(xmlparser, "defused_external_entity_ref_handler",
"ExternalEntityRefHandler")
return it
- elif PY3:
+ elif PY33:
+ # pure-Python iterparse() is completely hidden on Python 3.3,
+ # we have to use the backing _IterParseIterator
def iterparse(source, events=None, parser=None, forbid_dtd=False,
forbid_entities=True, forbid_external=True):
close_source = False
@@ -140,7 +143,7 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
forbid_external=forbid_external)
return _IterParseIterator(source, events, parser, close_source)
else:
- # Python 2.7
+ # Python 2.7, Python 3.2, Python 3.4+
def iterparse(source, events=None, parser=None, forbid_dtd=False,
forbid_entities=True, forbid_external=True):
if parser is None:
--
2.11.0

52
python-defusedxml-entity_loop.patch
View File

@@ -1,52 +0,0 @@
diff -ru defusedxml-0.4.1-orig/tests.py defusedxml-0.4.1/tests.py
--- defusedxml-0.4.1-orig/tests.py 2015-07-17 05:28:36.501213026 +0000
+++ defusedxml-0.4.1/tests.py 2015-07-17 05:21:51.633843568 +0000
@@ -133,11 +133,12 @@
self.iterparse(self.xml_simple_ns)
def test_entities_forbidden(self):
- self.assertRaises(EntitiesForbidden, self.parse, self.xml_bomb)
+ self.assertRaises((EntitiesForbidden, XMLSyntaxError),
+ self.parse, self.xml_bomb)
self.assertRaises(EntitiesForbidden, self.parse, self.xml_quadratic)
self.assertRaises(EntitiesForbidden, self.parse, self.xml_external)
- self.assertRaises(EntitiesForbidden, self.parseString,
+ self.assertRaises((EntitiesForbidden, XMLSyntaxError), self.parseString,
self.get_content(self.xml_bomb))
self.assertRaises(EntitiesForbidden, self.parseString,
self.get_content(self.xml_quadratic))
@@ -157,8 +158,8 @@
forbid_entities=False)
def test_dtd_forbidden(self):
- self.assertRaises(DTDForbidden, self.parse, self.xml_bomb,
- forbid_dtd=True)
+ self.assertRaises((DTDForbidden, XMLSyntaxError), self.parse,
+ self.xml_bomb, forbid_dtd=True)
self.assertRaises(DTDForbidden, self.parse, self.xml_quadratic,
forbid_dtd=True)
self.assertRaises(DTDForbidden, self.parse, self.xml_external,
@@ -166,7 +167,7 @@
self.assertRaises(DTDForbidden, self.parse, self.xml_dtd,
forbid_dtd=True)
- self.assertRaises(DTDForbidden, self.parseString,
+ self.assertRaises((DTDForbidden, XMLSyntaxError), self.parseString,
self.get_content(self.xml_bomb),
forbid_dtd=True)
self.assertRaises(DTDForbidden, self.parseString,
@@ -355,8 +356,11 @@
pass
def test_restricted_element1(self):
- tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
- forbid_entities=False)
+ try:
+ tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
+ forbid_entities=False)
+ except XMLSyntaxError:
+ return
root = tree.getroot()
self.assertEqual(root.text, None)

63
python-defusedxml-format_strings.patch
View File

@@ -1,63 +0,0 @@
diff -ru defusedxml-0.4.1-orig/defusedxml/common.py defusedxml-0.4.1/defusedxml/common.py
--- defusedxml-0.4.1-orig/defusedxml/common.py 2015-07-17 05:28:36.502213030 +0000
+++ defusedxml-0.4.1/defusedxml/common.py 2015-07-22 11:22:24.203648541 +0000
@@ -30,7 +30,7 @@
self.pubid = pubid
def __str__(self):
- tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
+ tpl = "DTDForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
return tpl.format(self.name, self.sysid, self.pubid)
@@ -47,7 +47,7 @@
self.notation_name = notation_name
def __str__(self):
- tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
+ tpl = "EntitiesForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
return tpl.format(self.name, self.sysid, self.pubid)
@@ -62,7 +62,7 @@
self.pubid = pubid
def __str__(self):
- tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
+ tpl = "ExternalReferenceForbidden(system_id='{0}', public_id={1})"
return tpl.format(self.sysid, self.pubid)
diff -ru defusedxml-0.4.1-orig/other/exploit_webdav.py defusedxml-0.4.1/other/exploit_webdav.py
--- defusedxml-0.4.1-orig/other/exploit_webdav.py 2015-07-17 05:28:36.503213033 +0000
+++ defusedxml-0.4.1/other/exploit_webdav.py 2015-07-22 11:23:15.893964297 +0000
@@ -9,7 +9,7 @@
import httplib
if len(sys.argv) != 2:
- sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
+ sys.exit("{0} http://user:password@host:port/".format(sys.argv[0]))
url = urlparse.urlparse(sys.argv[1])
diff -ru defusedxml-0.4.1-orig/other/exploit_xmlrpc.py defusedxml-0.4.1/other/exploit_xmlrpc.py
--- defusedxml-0.4.1-orig/other/exploit_xmlrpc.py 2015-07-17 05:28:36.502213030 +0000
+++ defusedxml-0.4.1/other/exploit_xmlrpc.py 2015-07-22 11:23:59.536230889 +0000
@@ -7,7 +7,7 @@
import urllib2
if len(sys.argv) != 2:
- sys.exit("{} url".format(sys.argv[0]))
+ sys.exit("{0} url".format(sys.argv[0]))
url = sys.argv[1]
@@ -32,7 +32,7 @@
req = urllib2.Request(url, data=xml, headers=headers)
-print("Sending request to {}".format(url))
+print("Sending request to {0}".format(url))
resp = urllib2.urlopen(req)

22
python-defusedxml-python36-broken.patch
View File

@@ -1,22 +0,0 @@
From 1d342237b560e29e8401d0a22a776b52b09e0ae2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 24 Aug 2016 10:08:34 +0200
Subject: [PATCH] Python 3.6 no _IterParseIterator class
---
defusedxml/ElementTree.py | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
index a2f1f58..8c46064 100644
--- a/defusedxml/ElementTree.py
+++ b/defusedxml/ElementTree.py
@@ -49,7 +49,7 @@ def _get_py3_cls():
_XMLParser = pure_pymod.XMLParser
_iterparse = pure_pymod.iterparse
- if PY31:
+ if PY31 or sys.version_info >= (3, 6):
_IterParseIterator = None
from xml.parsers.expat import ExpatError as ParseError
else:

86
python-defusedxml.spec
View File

@@ -1,26 +1,13 @@
%global with_python3 0
%global with_python3 1
%global pypi_name defusedxml
Name: python-%{pypi_name}
Version: 0.4.1
Release: 9%{?dist}
Version: 0.4
Release: 2%{?dist}
Summary: XML bomb protection for Python stdlib modules
License: Python
# Note: upstream git now appears to be at https://github.com/tiran/defusedxml
# not bitbucket as pypi says
URL: https://bitbucket.org/tiran/defusedxml
Source0: http://pypi.python.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
Patch0: %{name}-entity_loop.patch
Patch1: %{name}-format_strings.patch
# This is https://github.com/tiran/defusedxml/commit/1d342237b560e29e8401d0a22a776b52b09e0ae2
# rediffed on 0.4.1 . It doesn't really fix anything, but is necessary
# for the real fix to apply without rediffing.
Patch2: %{name}-python36-broken.patch
# Real fix for Python 3.6: https://github.com/tiran/defusedxml/pull/4
Patch3: 0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch
BuildArch: noarch
BuildRequires: python2-devel
@@ -31,6 +18,7 @@ BuildRequires: python3-devel
BuildRequires: python3-setuptools
%endif
%description
The defusedxml package contains several Python-only workarounds and fixes for
denial of service and other vulnerabilities in Python's XML libraries. In order
@@ -38,21 +26,9 @@ to benefit from the protection you just have to import and use the listed
functions / classes from the right defusedxml module instead of the original
module.
%package -n python2-%{pypi_name}
Summary: XML bomb protection for Python stdlib modules
%{?python_provide:%python_provide python2-%{pypi_name}}
%description -n python2-%{pypi_name}
The defusedxml package contains several Python-only workarounds and fixes for
denial of service and other vulnerabilities in Python's XML libraries. In order
to benefit from the protection you just have to import and use the listed
functions / classes from the right defusedxml module instead of the original
module.
%if 0%{?with_python3}
%package -n python3-%{pypi_name}
Summary: XML bomb protection for Python stdlib modules
%{?python_provide:%python_provide python3-%{pypi_name}}
%description -n python3-%{pypi_name}
The defusedxml package contains several Python-only workarounds and fixes for
@@ -64,13 +40,6 @@ module.
%prep
%setup -q -n %{pypi_name}-%{version}
%if 0%{?rhel}
%patch0 -p1
%endif
%patch1 -p1
%patch2 -p1
%patch3 -p1
%if 0%{?with_python3}
rm -rf %{py3dir}
cp -a . %{py3dir}
@@ -101,56 +70,19 @@ pushd %{py3dir}
popd
%endif # with_python3
%files -n python2-%{pypi_name}
%doc README.txt README.html CHANGES.txt
%license LICENSE
%{python2_sitelib}/%{pypi_name}
%{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
%files
%doc README.txt README.html LICENSE CHANGES.txt
%{python_sitelib}/%{pypi_name}
%{python_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
%if 0%{?with_python3}
%files -n python3-%{pypi_name}
%doc README.txt README.html CHANGES.txt
%license LICENSE
%doc README.txt README.html LICENSE CHANGES.txt
%{python3_sitelib}/%{pypi_name}
%{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
%endif # with_python3
%changelog
* Thu Dec 22 2016 Adam Williamson <awilliam@redhat.com> - 0.4.1-9
- Fix incompatibility with Python 3.6 (gh#3 / gh#4)
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com>
- Rebuild for Python 3.6
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-8
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sun Nov 15 2015 Ralph Bean <rbean@redhat.com> - 0.4.1-6
- Added explicit python2 subpackage with modern provides statement.
- Only apply the entity_loop patch on enterprisey builds.
* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-5
- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
* Wed Aug 05 2015 Miro Hrončok <mhroncok@redhat.com> - 0.4.1-4
- Add patches by Avram Lubkin
- https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon May 26 2014 Miro Hrončok <mhroncok@redhat.com> - 0.4.1-1
- Updated to 0.4.1 (#1100730)
* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 0.4-3
- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

2
sources
View File

@@ -1 +1 @@
230a5eff64f878b392478e30376d673a defusedxml-0.4.1.tar.gz
09873c31ce773d48b8a4759571655a2c defusedxml-0.4.tar.gz