From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/1] package/python-markdown2: drop patches
Date: Fri, 5 Jun 2020 23:41:02 +0200
Message-ID: <20200605214102.GS13972@scaer>
In-Reply-To: <20200605210351.153252-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2020-06-05 23:03 +0200, Fabrice Fontaine spake thusly:
> Commit a6569f2b3dd8b774683fdc0f7df3fcfde0b31f64 forgot to drop patches
> when merging next branch
> 
> Fixes:
>  - http://autobuild.buildroot.org/results/bf305c78dddd035b97e88943a1d19a8ceb6b41f7
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master with an expanded commit log, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...gs-with-punctuation-after-as-part-of.patch | 53 -------------------
>  .../0002-Better-fix-for-issue-348.patch       | 32 -----------
>  package/python-markdown2/python-markdown2.mk  |  4 --
>  3 files changed, 89 deletions(-)
>  delete mode 100644 package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
>  delete mode 100644 package/python-markdown2/0002-Better-fix-for-issue-348.patch
> 
> diff --git a/package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch b/package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
> deleted file mode 100644
> index ee980e22e8..0000000000
> --- a/package/python-markdown2/0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
> +++ /dev/null
> @@ -1,53 +0,0 @@
> -From 9144d0fc5d5249cc4d81287ee79091806e6dde52 Mon Sep 17 00:00:00 2001
> -From: Gareth Simpson <gareth.simpson@zoodigital.com>
> -Date: Fri, 1 May 2020 19:31:21 +0100
> -Subject: [PATCH] Fix for issue 348 - incomplete tags with punctuation after as
> - part of the tag name are a source of XSS
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Retrieved from:
> -https://github.com/trentm/python-markdown2/commit/9144d0fc5d5249cc4d81287ee79091806e6dde52]
> ----
> - lib/markdown2.py                           | 2 +-
> - test/tm-cases/issue348_incomplete_tag.html | 1 +
> - test/tm-cases/issue348_incomplete_tag.opts | 1 +
> - test/tm-cases/issue348_incomplete_tag.text | 1 +
> - 4 files changed, 4 insertions(+), 1 deletion(-)
> - create mode 100644 test/tm-cases/issue348_incomplete_tag.html
> - create mode 100644 test/tm-cases/issue348_incomplete_tag.opts
> - create mode 100644 test/tm-cases/issue348_incomplete_tag.text
> -
> -diff --git a/lib/markdown2.py b/lib/markdown2.py
> -index 3a5d5d9..636bf07 100755
> ---- a/lib/markdown2.py
> -+++ b/lib/markdown2.py
> -@@ -2164,7 +2164,7 @@ def _encode_amps_and_angles(self, text):
> -         text = self._naked_gt_re.sub('&gt;', text)
> -         return text
> - 
> --    _incomplete_tags_re = re.compile("<(/?\w+[\s/]+?)")
> -+    _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
> - 
> -     def _encode_incomplete_tags(self, text):
> -         if self.safe_mode not in ("replace", "escape"):
> -diff --git a/test/tm-cases/issue348_incomplete_tag.html b/test/tm-cases/issue348_incomplete_tag.html
> -new file mode 100644
> -index 0000000..46059cc
> ---- /dev/null
> -+++ b/test/tm-cases/issue348_incomplete_tag.html
> -@@ -0,0 +1 @@
> -+<p>&lt;lol@/ //id="pwn"//onclick="alert(1)"//<strong>abc</strong></p>
> -diff --git a/test/tm-cases/issue348_incomplete_tag.opts b/test/tm-cases/issue348_incomplete_tag.opts
> -new file mode 100644
> -index 0000000..ad487c0
> ---- /dev/null
> -+++ b/test/tm-cases/issue348_incomplete_tag.opts
> -@@ -0,0 +1 @@
> -+{"safe_mode": "escape"}
> -diff --git a/test/tm-cases/issue348_incomplete_tag.text b/test/tm-cases/issue348_incomplete_tag.text
> -new file mode 100644
> -index 0000000..bb4a0de
> ---- /dev/null
> -+++ b/test/tm-cases/issue348_incomplete_tag.text
> -@@ -0,0 +1 @@
> -+<lol@/ //id="pwn"//onclick="alert(1)"//**abc**
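
Review bot: the commit log does not say that the upstream change carried
by this deleted file (9144d0fc5d5249cc4d81287ee79091806e6dde52, the
_incomplete_tags_re fix for issue 348) is part of the python-markdown2
version now in the tree; "forgot to drop patches when merging next
branch" only implies it. Suggest naming the packaged version and stating
that it contains this commit, so the deletion can be checked without
opening the autobuild result.
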
> diff --git a/package/python-markdown2/0002-Better-fix-for-issue-348.patch b/package/python-markdown2/0002-Better-fix-for-issue-348.patch
> deleted file mode 100644
> index 127bb51da2..0000000000
> --- a/package/python-markdown2/0002-Better-fix-for-issue-348.patch
> +++ /dev/null
> @@ -1,32 +0,0 @@
> -From 0c0543846fa54281e2269b0bff841a0b9ffe23fe Mon Sep 17 00:00:00 2001
> -From: Gareth Simpson <gareth.simpson@zoodigital.com>
> -Date: Sat, 2 May 2020 21:22:36 +0100
> -Subject: [PATCH] Better fix for issue 348
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Retrieved from:
> -https://github.com/trentm/python-markdown2/commit/0c0543846fa54281e2269b0bff841a0b9ffe23fe]
> ----
> - lib/markdown2.py | 5 ++++-
> - 1 file changed, 4 insertions(+), 1 deletion(-)
> -
> -diff --git a/lib/markdown2.py b/lib/markdown2.py
> -index 636bf07..be86502 100755
> ---- a/lib/markdown2.py
> -+++ b/lib/markdown2.py
> -@@ -2164,11 +2164,14 @@ def _encode_amps_and_angles(self, text):
> -         text = self._naked_gt_re.sub('&gt;', text)
> -         return text
> - 
> --    _incomplete_tags_re = re.compile("<(/?\w+?(?!://).?[\s/]+?)")
> -+    _incomplete_tags_re = re.compile("<(/?\w+?(?!\w).+?[\s/]+?)")
> - 
> -     def _encode_incomplete_tags(self, text):
> -         if self.safe_mode not in ("replace", "escape"):
> -             return text
> -+            
> -+        if text.endswith(">"):
> -+            return text  # this is not an incomplete tag, this is a link in the form <http://x.y.z>
> - 
> -         return self._incomplete_tags_re.sub("&lt;\\1", text)
> - 
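
Review bot: 0002 rewrites the _incomplete_tags_re line that 0001
introduced and adds the text.endswith(">") early return in
_encode_incomplete_tags, so dropping it is only correct together with
0001 and only if the packaged release carries both upstream commits.
Suggest listing 0c0543846fa54281e2269b0bff841a0b9ffe23fe in the commit
log next to the first one. A quick confirmation is to run the
issue348_incomplete_tag case from 0001 (safe_mode "escape") against the
packaged version and compare with the expected .html output.
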
> diff --git a/package/python-markdown2/python-markdown2.mk b/package/python-markdown2/python-markdown2.mk
> index 095f672028..c7858a3966 100644
> --- a/package/python-markdown2/python-markdown2.mk
> +++ b/package/python-markdown2/python-markdown2.mk
> @@ -11,8 +11,4 @@ PYTHON_MARKDOWN2_SETUP_TYPE = setuptools
>  PYTHON_MARKDOWN2_LICENSE = MIT
>  PYTHON_MARKDOWN2_LICENSE_FILES = LICENSE.txt
>  
> -# 0001-Fix-for-issue-348-incomplete-tags-with-punctuation-after-as-part-of.patch
> -# 0002-Better-fix-for-issue-348.patch
> -PYTHON_MARKDOWN2_IGNORE_CVES += CVE-2020-11888
> -
>  $(eval $(python-package))
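
Review bot: removing "PYTHON_MARKDOWN2_IGNORE_CVES += CVE-2020-11888"
means CVE-2020-11888 is no longer marked as handled for this package,
and this hunk does not show the package version. The entry was justified
by the two patches named in the comment lines above it, so its removal
needs its own justification: suggest the commit log state that the
current version already includes the issue 348 fixes and is therefore
not affected.
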
> -- 
> 2.26.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
