[libhtml-scrubber-perl] 01/01: Fix CVE-2015-5667 in squeeze-lts
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Nov 3 14:12:22 UTC 2015
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch squeeze
in repository libhtml-scrubber-perl.
commit f48c0a9389d35e59253bbb0ba4bd2cff0cb7eaf0
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Tue Nov 3 11:07:52 2015 +0000
Fix CVE-2015-5667 in squeeze-lts
---
Scrubber.pm | 16 +++++---
debian/changelog | 9 +++++
debian/patches/CVE-2015-5667.patch | 80 ++++++++++++++++++++++++++++++++++++++
t/jvn53973084.t | 21 ++++++++++
4 files changed, 121 insertions(+), 5 deletions(-)
diff --git a/Scrubber.pm b/Scrubber.pm
index a6d990c..af5ce54 100644
--- a/Scrubber.pm
+++ b/Scrubber.pm
@@ -444,10 +444,13 @@ sub _scrub_fh {
}
elsif ( $e eq 'comment' )
{
- print
- {$s->{_out}}
- $text
- if $s->{_comment};
+ if ($s->{_comment}) {
+ # only copy comments through if they are well formed...
+ print
+ {$s->{_out}}
+ $text
+ if ( $text =~ m|^<!--.*-->$|ms );
+ }
}
elsif ( $e eq 'process' )
{
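Review bot: The well-formedness check `m|^<!--.*-->$|ms` in the comment branch is not anchored to the whole string: under `/m`, `^` and `$` also match at embedded newlines, so a `$text` that only contains a line starting with `<!--` and a later line ending with `-->` is accepted regardless of what surrounds it. Whether HTML::Parser can deliver such a multi-line token to this branch is not visible from the hunk, but this regex is the only barrier, so it should use string anchors and drop `/m`: `if ( $text =~ m|\A<!--.*-->\z|s );`. The identical pattern in the `_scrub` hunk that follows needs the same change, and since the check is now duplicated it would be safer in one small private helper that both call. Both `_scrub_fh` and `_scrub` begin and end outside the hunks shown.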
@@ -507,7 +510,10 @@ sub _scrub {
}
elsif ( $e eq 'comment' )
{
- $s->{_r} .= $text if $s->{_comment};
+ if ($s->{_comment}) {
+ # only copy comments through if they are well formed...
+ $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
+ }
}
elsif ( $e eq 'process' )
{
diff --git a/debian/changelog b/debian/changelog
index fac42be..861daff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libhtml-scrubber-perl (0.08-4+deb6u1) squeeze-lts; urgency=low
+
+ * Non maintainer upload by the Debian LTS team.
+ * Backport upstream fix for CVE-2015-5667. Apply the patch
+ directly in the source package but keep a copy for reference
+ in debian/patches/CVE-2015-5667.patch.
+
+ -- Raphaël Hertzog <hertzog at debian.org> Tue, 03 Nov 2015 11:06:14 +0000
+
libhtml-scrubber-perl (0.08-4) unstable; urgency=low
* New maintainer.
diff --git a/debian/patches/CVE-2015-5667.patch b/debian/patches/CVE-2015-5667.patch
new file mode 100644
index 0000000..fe0a6a5
--- /dev/null
+++ b/debian/patches/CVE-2015-5667.patch
@@ -0,0 +1,80 @@
+From: Nigel Metheringham <nigelm at cpan.org>
+Date: Sat, 10 Oct 2015 15:01:14 +0100
+Subject: [PATCH] Test and fix for JVN53973084
+
+Malformed tags can pass through as comments.
+Thus comments are now only passed through if
+they are well formed - currently defined as
+matching a regular expression.
+
+[hertzog at debian.org:
+Backported to version 0.08 by implementing the new check
+in _scrub_fh() and _scrub() and adapted the test case
+to use "Test" instead of Test::More.
+
+Fixes CVE-2015-5667.
+]
+
+Origin: backport, https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
+
+diff --git a/Scrubber.pm b/Scrubber.pm
+index a6d990c..af5ce54 100644
+--- a/Scrubber.pm
++++ b/Scrubber.pm
+@@ -444,10 +444,13 @@ sub _scrub_fh {
+ }
+ elsif ( $e eq 'comment' )
+ {
+- print
+- {$s->{_out}}
+- $text
+- if $s->{_comment};
++ if ($s->{_comment}) {
++ # only copy comments through if they are well formed...
++ print
++ {$s->{_out}}
++ $text
++ if ( $text =~ m|^<!--.*-->$|ms );
++ }
+ }
+ elsif ( $e eq 'process' )
+ {
+@@ -507,7 +510,10 @@ sub _scrub {
+ }
+ elsif ( $e eq 'comment' )
+ {
+- $s->{_r} .= $text if $s->{_comment};
++ if ($s->{_comment}) {
++ # only copy comments through if they are well formed...
++ $s->{_r} .= $text if ( $text =~ m|^<!--.*-->$|ms );
++ }
+ }
+ elsif ( $e eq 'process' )
+ {
+diff --git a/t/jvn53973084.t b/t/jvn53973084.t
+new file mode 100644
+index 0000000..955de0d
+--- /dev/null
++++ b/t/jvn53973084.t
+@@ -0,0 +1,21 @@
++# Tests related to JVN53973084
++
++use strict;
++use warnings;
++use Test;
++
++BEGIN { plan tests => 4 }
++
++use HTML::Scrubber;
++
++my @allow = qw[
++ hr
++];
++
++my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
++my $html_2 = q[<img src="javascript:alert(1)"];
++foreach my $comment_value ( 0, 1 ) {
++ my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
++ ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
++ ok( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" );
++}
diff --git a/t/jvn53973084.t b/t/jvn53973084.t
new file mode 100644
index 0000000..955de0d
--- /dev/null
+++ b/t/jvn53973084.t
@@ -0,0 +1,21 @@
+# Tests related to JVN53973084
+
+use strict;
+use warnings;
+use Test;
+
+BEGIN { plan tests => 4 }
+
+use HTML::Scrubber;
+
+my @allow = qw[
+ hr
+];
+
+my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
+my $html_2 = q[<img src="javascript:alert(1)"];
+foreach my $comment_value ( 0, 1 ) {
+ my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
+ ok( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
+ ok( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" );
+}
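Review bot: The new test only exercises the rejection path (malformed tags dropped for both `comment` values); nothing asserts that a well-formed comment still passes through when `comment => 1` and is removed when `comment => 0`. Without that, a later tightening or loosening of the regex in Scrubber.pm could break legitimate comment handling, or reopen the hole for multi-line input, without any test failing. I would add, inside the loop, something like `ok( $scrubber->scrub('<hr><!-- note -->'), $comment_value ? '<hr><!-- note -->' : '<hr>', "well-formed comment - with comment => $comment_value" );` and raise the plan to `plan tests => 6`. The expected strings should be confirmed against the 0.08 behaviour before committing.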
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git