File CVE-2023-27586.patch of Package python-CairoSVG.18071

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-27586.patch of Package python-CairoSVG.18071

From 12d31c653c0254fa9d9853f66b04ea46e7397255 Mon Sep 17 00:00:00 2001
From: Guillaume Ayoub <guillaume@courtbouillon.org>
Date: Fri, 10 Mar 2023 16:11:22 +0100
Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20f?=
 =?UTF-8?q?iles=20unless=20explicitly=20asked=20for?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cairosvg/__main__.py | 4 ++--
 cairosvg/parser.py   | 6 ++++++
 cairosvg/surface.py  | 3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py
index 3ff6b5d1..0aad3d78 100644
--- a/cairosvg/__main__.py
+++ b/cairosvg/__main__.py
@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
         help='replace every raster pixel with its complementary color')
     parser.add_argument(
         '-u', '--unsafe', action='store_true',
-        help='resolve XML entities and allow very large files '
-             '(WARNING: vulnerable to XXE attacks and various DoS)')
+        help='fetch external files, resolve XML entities and allow very large '
+             'files (WARNING: vulnerable to XXE attacks and various DoS)')
     parser.add_argument(
         '--output-width', default=None, type=float,
         help='desired output width in pixels')
diff --git a/cairosvg/parser.py b/cairosvg/parser.py
index f0f3a825..61275f0a 100644
--- a/cairosvg/parser.py
+++ b/cairosvg/parser.py
@@ -390,6 +390,12 @@ def __init__(self, **kwargs):
             tree = ElementTree.fromstring(
                 bytestring, forbid_entities=not unsafe,
                 forbid_external=not unsafe)
+
+        # Don’t allow fetching external files unless explicitly asked for
+        if 'url_fetcher' not in kwargs and not unsafe:
+            self.url_fetcher = (
+                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
+
         self.xml_tree = tree
         root = cssselect2.ElementWrapper.from_xml_root(tree)
         style = parent.style if parent else css.parse_stylesheets(self, url)
diff --git a/cairosvg/surface.py b/cairosvg/surface.py
index c5569e76..a2f7736a 100644
--- a/cairosvg/surface.py
+++ b/cairosvg/surface.py
@@ -113,7 +113,8 @@ def convert(cls, bytestring=None, *, file_obj=None, url=None, dpi=96,
         :param parent_width: The width of the parent container in pixels.
         :param parent_height: The height of the parent container in pixels.
         :param scale: The ouptut scaling factor.
-        :param unsafe: A boolean allowing XML entities and very large files
+        :param unsafe: A boolean allowing external file access, XML entities
+                       and very large files
                        (WARNING: vulnerable to XXE attacks and various DoS).
 
         Specifiy the output with:

Places

File CVE-2023-27586.patch of Package python-CairoSVG.18071

Places