openSUSE:Leap:15.5:Update
python-CairoSVG.18071
CVE-2023-27586.patch
File CVE-2023-27586.patch of Package python-CairoSVG.18071
From 12d31c653c0254fa9d9853f66b04ea46e7397255 Mon Sep 17 00:00:00 2001 From: Guillaume Ayoub <guillaume@courtbouillon.org> Date: Fri, 10 Mar 2023 16:11:22 +0100 Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20f?= =?UTF-8?q?iles=20unless=20explicitly=20asked=20for?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cairosvg/__main__.py | 4 ++-- cairosvg/parser.py | 6 ++++++ cairosvg/surface.py | 3 ++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py index 3ff6b5d1..0aad3d78 100644 --- a/cairosvg/__main__.py +++ b/cairosvg/__main__.py @@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None): help='replace every raster pixel with its complementary color') parser.add_argument( '-u', '--unsafe', action='store_true', - help='resolve XML entities and allow very large files ' - '(WARNING: vulnerable to XXE attacks and various DoS)') + help='fetch external files, resolve XML entities and allow very large ' + 'files (WARNING: vulnerable to XXE attacks and various DoS)') parser.add_argument( '--output-width', default=None, type=float, help='desired output width in pixels') diff --git a/cairosvg/parser.py b/cairosvg/parser.py index f0f3a825..61275f0a 100644 --- a/cairosvg/parser.py +++ b/cairosvg/parser.py @@ -390,6 +390,12 @@ def __init__(self, **kwargs): tree = ElementTree.fromstring( bytestring, forbid_entities=not unsafe, forbid_external=not unsafe) + + # Don’t allow fetching external files unless explicitly asked for + if 'url_fetcher' not in kwargs and not unsafe: + self.url_fetcher = ( + lambda *args, **kwargs: b'<svg width="1" height="1"></svg>') + self.xml_tree = tree root = cssselect2.ElementWrapper.from_xml_root(tree) style = parent.style if parent else css.parse_stylesheets(self, url) diff --git a/cairosvg/surface.py b/cairosvg/surface.py index c5569e76..a2f7736a 100644 --- a/cairosvg/surface.py +++ b/cairosvg/surface.py 
@@ -113,7 +113,8 @@ def convert(cls, bytestring=None, *, file_obj=None, url=None, dpi=96, :param parent_width: The width of the parent container in pixels. :param parent_height: The height of the parent container in pixels. :param scale: The ouptut scaling factor. - :param unsafe: A boolean allowing XML entities and very large files + :param unsafe: A boolean allowing external file access, XML entities + and very large files (WARNING: vulnerable to XXE attacks and various DoS). Specifiy the output with:
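Review bot: in the cairosvg/parser.py hunk, the guard `if 'url_fetcher' not in kwargs and not unsafe:` tests key presence only, so a caller who passes `url_fetcher=None` explicitly bypasses the no-fetch stub and keeps whatever the default fetcher does; `kwargs.get('url_fetcher') is None` would cover that case too. The stub itself (`lambda *args, **kwargs: b'<svg width="1" height="1"></svg>'`) makes every external reference resolve silently to a blank 1x1 SVG in safe mode, so referenced images simply vanish with no warning or error; that behaviour deserves a line in the docstring or changelog, and the lambda's `**kwargs` parameter shadows the enclosing `kwargs` and could be renamed for clarity.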
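Review bot: in the cairosvg/surface.py hunk the `:param unsafe:` text now matches the new parser behaviour, but the unchanged context lines in the same hunk still carry the typos "ouptut" and "Specifiy"; since this change already edits that docstring, fixing both here would be cheap.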