From 35b0b094edebf0c13d87ed9c140f81bdb877698d Mon Sep 17 00:00:00 2001
From: sxt1001 <shixuantong@huawei.com>
Date: Fri, 5 Feb 2021 10:54:40 +0800
Subject: [PATCH 1/2] fix CVE-2020-27783

(cherry picked from commit aa459788cf73b99b1022b2d8f9c93bdb8d2f095a)
---
 backport-CVE-2020-27783-1.patch |  49 ++++++++++++
 backport-CVE-2020-27783-2.patch | 136 ++++++++++++++++++++++++++++++++
 python-lxml.spec                |  21 ++++-
 3 files changed, 202 insertions(+), 4 deletions(-)
 create mode 100644 backport-CVE-2020-27783-1.patch
 create mode 100644 backport-CVE-2020-27783-2.patch

diff --git a/backport-CVE-2020-27783-1.patch b/backport-CVE-2020-27783-1.patch
new file mode 100644
index 0000000..3ae5153
--- /dev/null
+++ b/backport-CVE-2020-27783-1.patch
@@ -0,0 +1,49 @@
+From 89e7aad6e7ff9ecd88678ff25f885988b184b26e Mon Sep 17 00:00:00 2001
+From: Stefan Behnel <stefan_ml@behnel.de>
+Date: Sun, 18 Oct 2020 10:06:46 +0200
+Subject: [PATCH] Prevent combinations of <noscript> and <style> to sneak
+ JavaScript through the HTML cleaner.
+
+---
+ src/lxml/html/clean.py            |  3 +++
+ src/lxml/html/tests/test_clean.py | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index 6b19213..6775ac3 100644
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -537,6 +537,9 @@ class Cleaner(object):
+             return True
+         if 'expression(' in style:
+             return True
++        if '</noscript' in style:
++            # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
++            return True
+         return False
+ 
+     def clean_html(self, html):
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 4477337..3c8ee25 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -103,6 +103,16 @@ class CleanerTest(unittest.TestCase):
+             '<p><span>Cy<!-- xx -->an</span><!-- XXX --></p>',
+             cleaner.clean_html(html))
+ 
++    def test_sneaky_noscript_in_style(self):
++        # This gets parsed as <noscript> -> <style>"...</noscript>..."</style>
++        # thus passing the </noscript> through into the output.
++        html = '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
++        s = lxml.html.fragment_fromstring(html)
++
++        self.assertEqual(
++            b'<noscript><style>/* deleted */</style></noscript>',
++            lxml.html.tostring(clean_html(s)))
++
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
+-- 
+1.8.3.1
+
diff --git a/backport-CVE-2020-27783-2.patch b/backport-CVE-2020-27783-2.patch
new file mode 100644
index 0000000..69a3070
--- /dev/null
+++ b/backport-CVE-2020-27783-2.patch
@@ -0,0 +1,136 @@
+From a105ab8dc262ec6735977c25c13f0bdfcdec72a7 Mon Sep 17 00:00:00 2001
+From: Stefan Behnel <stefan_ml@behnel.de>
+Date: Thu, 26 Nov 2020 09:20:52 +0100
+Subject: [PATCH] Prevent combinations of <math/svg> and <style> to sneak
+ JavaScript through the HTML cleaner.
+
+---
+ src/lxml/html/clean.py             | 22 ++++++++++++++--------
+ src/lxml/html/tests/test_clean.py  | 10 ++++++++++
+ src/lxml/html/tests/test_clean.txt | 18 +++++++++++++++---
+ 3 files changed, 39 insertions(+), 11 deletions(-)
+
+diff --git a/src/lxml/html/clean.py b/src/lxml/html/clean.py
+index 6775ac3..272b4a1 100644
+--- a/src/lxml/html/clean.py
++++ b/src/lxml/html/clean.py
+@@ -61,12 +61,15 @@ __all__ = ['clean_html', 'clean', 'Cleaner', 'autolink', 'autolink_html',
+ 
+ # This is an IE-specific construct you can have in a stylesheet to
+ # run some Javascript:
+-_css_javascript_re = re.compile(
+-    r'expression\s*\(.*?\)', re.S|re.I)
++_replace_css_javascript = re.compile(
++    r'expression\s*\(.*?\)', re.S|re.I).sub
+ 
+ # Do I have to worry about @\nimport?
+-_css_import_re = re.compile(
+-    r'@\s*import', re.I)
++_replace_css_import = re.compile(
++    r'@\s*import', re.I).sub
++
++_looks_like_tag_content = re.compile(
++    r'</?[a-zA-Z]+|\son[a-zA-Z]+\s*=', re.ASCII).search
+ 
+ # All kinds of schemes besides just javascript: that can cause
+ # execution:
+@@ -304,8 +307,8 @@ class Cleaner(object):
+             if not self.inline_style:
+                 for el in _find_styled_elements(doc):
+                     old = el.get('style')
+-                    new = _css_javascript_re.sub('', old)
+-                    new = _css_import_re.sub('', new)
++                    new = _replace_css_javascript('', old)
++                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         del el.attrib['style']
+@@ -317,9 +320,9 @@ class Cleaner(object):
+                         el.drop_tree()
+                         continue
+                     old = el.text or ''
+-                    new = _css_javascript_re.sub('', old)
++                    new = _replace_css_javascript('', old)
+                     # The imported CSS can do anything; we just can't allow:
+-                    new = _css_import_re.sub('', old)
++                    new = _replace_css_import('', new)
+                     if self._has_sneaky_javascript(new):
+                         # Something tricky is going on...
+                         el.text = '/* deleted */'
+@@ -540,6 +543,9 @@ class Cleaner(object):
+         if '</noscript' in style:
+             # e.g. '<noscript><style><a title="</noscript><img src=x onerror=alert(1)>">'
+             return True
++        if _looks_like_tag_content(style):
++            # e.g. '<math><style><img src=x onerror=alert(1)></style></math>'
++            return True
+         return False
+ 
+     def clean_html(self, html):
+diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
+index 3c8ee25..0e669f9 100644
+--- a/src/lxml/html/tests/test_clean.py
++++ b/src/lxml/html/tests/test_clean.py
+@@ -113,6 +113,16 @@ class CleanerTest(unittest.TestCase):
+             b'<noscript><style>/* deleted */</style></noscript>',
+             lxml.html.tostring(clean_html(s)))
+ 
++    def test_sneaky_js_in_math_style(self):
++        # This gets parsed as <math> -> <style>"..."</style>
++        # thus passing any tag/script/whatever content through into the output.
++        html = '<math><style><img src=x onerror=alert(1)></style></math>'
++        s = lxml.html.fragment_fromstring(html)
++
++        self.assertEqual(
++            b'<math><style>/* deleted */</style></math>',
++            lxml.html.tostring(clean_html(s)))
++
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
+diff --git a/src/lxml/html/tests/test_clean.txt b/src/lxml/html/tests/test_clean.txt
+index 275be07..18e6c7e 100644
+--- a/src/lxml/html/tests/test_clean.txt
++++ b/src/lxml/html/tests/test_clean.txt
+@@ -104,7 +104,11 @@
+ >>> print(Cleaner(page_structure=False, comments=False).clean_html(doc))
+ <html>
+   <head>
+-    <style>/* deleted */</style>
++    <style>
++      body {background-image: url()};
++      div {background-image: url()};
++      div {color: };
++    </style>
+   </head>
+   <body>
+     <!-- I am interpreted for EVIL! -->
+@@ -126,7 +130,11 @@
+ >>> print(Cleaner(page_structure=False, safe_attrs_only=False).clean_html(doc))
+ <html>
+   <head>
+-    <style>/* deleted */</style>
++    <style>
++      body {background-image: url()};
++      div {background-image: url()};
++      div {color: };
++    </style>
+   </head>
+   <body>
+     <a href="">a link</a>
+@@ -190,7 +198,11 @@
+     <link rel="alternate" type="text/rss" src="evil-rss">
+     <link rel="alternate" type="text/rss" href="http://example.com">
+     <link rel="stylesheet" type="text/rss" href="http://example.com">
+-    <style>/* deleted */</style>
++    <style>
++      body {background-image: url()};
++      div {background-image: url()};
++      div {color: };
++    </style>
+   </head>
+   <body>
+     <a href="">a link</a>
+-- 
+1.8.3.1
+
diff --git a/python-lxml.spec b/python-lxml.spec
index 7464362..00b7c56 100644
--- a/python-lxml.spec
+++ b/python-lxml.spec
@@ -7,12 +7,15 @@ The latest release works with all CPython versions from 2.7 to 3.7.
 
 Name:           python-%{modname}
 Version:        4.5.2
-Release:        1
+Release:        2
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 License:        BSD
 URL:            http://lxml.de
 Source0:        http://lxml.de/files/%{modname}-%{version}.tgz
 
+Patch6000:      backport-CVE-2020-27783-1.patch
+Patch6001:      backport-CVE-2020-27783-2.patch
+
 BuildRequires:  gcc libxml2-devel libxslt-devel
 
 %description %{_description}
@@ -34,7 +37,7 @@ BuildRequires:  python3-devel python3-setuptools python3-Cython
 %package_help
 
 %prep
-%autosetup -n %{modname}-%{version}
+%autosetup -n %{modname}-%{version} -p1
 
 %build
 export WITH_CYTHON=true
@@ -63,7 +66,17 @@ export WITH_CYTHON=true
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 
 %changelog
-* Thu Jul 23 2020 tianwei  <tianwei12@huawei.com> - 4.5.2-1
-- Package update to release 4.5.2
+* Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2
+- fix CVE-2020-27783
+
+* Tue Jan 05 2020 shixuantong <shixuantong@huawei.com> - 4.5.2-1
+- update version to 4.5.2
+
+* Fri Aug 21 2020 shixuantong <shixuantong@huawei.com> - 4.2.3-5
+- add release version for rebuild
+
+* Mon May 18 2020 wangchen <wangchen137@huawei.com> - 4.2.3-4
+- rebuild for python-lxml
+
 * Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 4.2.3-3
 - Package init
-- 
Gitee


From d5d695b795a6d8651b1f1d5958e4c8edce3b6d35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=A1=90=E5=B0=8F=E5=93=A5?= <shixuantong@huawei.com>
Date: Sun, 7 Feb 2021 16:18:52 +0800
Subject: [PATCH 2/2] update python-lxml.spec.

---
 python-lxml.spec | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/python-lxml.spec b/python-lxml.spec
index 00b7c56..be77013 100644
--- a/python-lxml.spec
+++ b/python-lxml.spec
@@ -69,14 +69,8 @@ export WITH_CYTHON=true
 * Fri Feb 05 2021 shixuantong <shixuantong@huawei.com> - 4.5.2-2
 - fix CVE-2020-27783
 
-* Tue Jan 05 2020 shixuantong <shixuantong@huawei.com> - 4.5.2-1
-- update version to 4.5.2
-
-* Fri Aug 21 2020 shixuantong <shixuantong@huawei.com> - 4.2.3-5
-- add release version for rebuild
-
-* Mon May 18 2020 wangchen <wangchen137@huawei.com> - 4.2.3-4
-- rebuild for python-lxml
+* Thu Jul 23 2020 tianwei  <tianwei12@huawei.com> - 4.5.2-1
+- Package update to release 4.5.2
 
 * Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 4.2.3-3
 - Package init
-- 
Gitee