[Git][security-tracker-team/security-tracker][master] 2 commits: Add basic Unicode support to the web framework

Salvatore Bonaccorso carnil at debian.org
Fri May 1 15:38:03 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1f8d448 by Florian Weimer at 2020-05-01T16:34:37+02:00
Add basic Unicode support to the web framework

As mentioned in Debian bug #959231 ("security-tracker: Proxy Error on
CVE-2020-11565 tracker page"):

* Florian Weimer:

> * Francesco Poli:
>
>> Please note that the CVE is mentioned in [DSA-4667-1].
>>
>> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
>>
>> What's wrong with that tracker page?
>
> It's something in the NVD data that breaks the HTML escaping.

This patch adds basic Unicode support to the web framework.  I'm not
sure if it is the right direction to move in, but it fixes the issue.

An alternative fix would be to change the NVD importer not to put
Unicode strings into the database, by encoding them as byte strings
first.

[carnil: Slightly rewrite the commit message]
BugLink: https://bugs.debian.org/929228
BugLink: https://bugs.debian.org/959231
Signed-off-by: Florian Weimer <fw at deneb.enyo.de>
Signed-off-by: Salvatore Bonaccorso <carnil at debian.org>

- - - - -
223c1bdc by Salvatore Bonaccorso at 2020-05-01T16:37:46+02:00
Merge branch 'bugfix-959231'

- - - - -
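To show the failure the commit message describes and the shape of the fix, here is an added Python 3 example that is not code from the security-tracker project: the removed 256-entry table indexed by `ord(ch)` raises `IndexError` on any character outside Latin-1, while the dict lookup with a pass-through default does not. The sample text is constructed, and the attribute table uses the valid `&#34;` entity rather than the patch's `&34;`.

```python
"""Added example (not code from the security-tracker repository): a
256-entry lookup table indexed by ord(ch) fails on characters outside
Latin-1, which a dict lookup with a pass-through default does not."""

# Old approach from the patch's "-" lines: a table covering code points
# 0..255 only; any higher code point indexes past the end.
_table = [chr(i) for i in range(256)]
for ch, repl in (("<", "&lt;"), (">", "&gt;"), ("&", "&amp;")):
    _table[ord(ch)] = repl

def escape_html_table(text):
    """Escaper in the style of the removed code; raises IndexError on
    e.g. a typographic apostrophe (U+2019)."""
    return "".join(_table[ord(ch)] for ch in text)

# New approach: dict lookup with the character itself as the default,
# so arbitrary Unicode passes through and only special characters change.
CHAR_TO_HTML = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}
# The patch writes '&34;' for the double quote; the valid numeric entity
# is '&#34;' (or the named entity '&quot;'), which is used here.
CHAR_TO_HTML_ATTR = {"&": "&amp;", '"': "&#34;"}

def escape_html(text):
    """Escape text content: <, > and & (double quote left as-is)."""
    return "".join(CHAR_TO_HTML.get(ch, ch) for ch in text)

def escape_html_attr(text):
    """Escape a double-quoted attribute value: & and the quote itself."""
    return "".join(CHAR_TO_HTML_ATTR.get(ch, ch) for ch in text)

# Constructed sample standing in for an NVD description: contains a
# character outside Latin-1 plus markup and quotes.
SAMPLE = "Attacker\u2019s <script> payload & \"quoted\" text"

def compare_escapers(text):
    """Return (table escaper result or error text, dict escaper result)."""
    try:
        old = escape_html_table(text)
    except IndexError as exc:
        # Unhandled, this is the exception behind the reported "Proxy Error".
        old = "IndexError: %s" % exc
    return old, escape_html(text)

if __name__ == "__main__":
    old, new = compare_escapers(SAMPLE)
    print("table escaper:", old)
    print("dict escaper: ", new)
    print("attribute:    ", escape_html_attr(SAMPLE))
```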


1 changed file:

- lib/python/web_support.py


Changes:

=====================================
lib/python/web_support.py
=====================================
@@ -220,27 +220,25 @@ class URLFactory:
     def updateParams(self, **args):
         self.updateParamsDict(args)
 
-charToHTML = map(chr, range(256))
-charToHTMLattr = map(chr, range(256))
-def _initStringToHTML(s):
-    for (ch, repl) in (('<', '<'),
-                       ('>', '>'),
-                       ('&', '&')):
-        s[ord(ch)] = repl
-_initStringToHTML(charToHTML)
-_initStringToHTML(charToHTMLattr)
-charToHTMLattr[ord('"')] = '&34;'
-del _initStringToHTML
+charToHTML = {
+    '<' : '<',
+    '>' : '>',
+    '&' : '&',
+}
+charToHTMLattr = {
+    '&' : '&',
+    '"' : '&34;',
+}
 
 def escapeHTML(str):
-    '''Replaces the characters <>&" in the passed strings with their
+    '''Replaces the characters <>& in the passed strings with their
     HTML entities.'''
+    return ''.join([charToHTML.get(ch, ch) for ch in str])
 
-    result = []
-    append = result.append
-    for ch in str:
-        append(charToHTML[ord(ch)])
-    return ''.join(result)
+def escapeHTMLattr(str):
+    '''Replaces the characters &" in the passed strings with their
+    HTML entities.'''
+    return ''.join([charToHTMLattr.get(ch, ch) for ch in str])
 
 class HTMLBase:
     def flatten(self, write):
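Review bot: the attribute table entry `'"' : '&34;'` (carried over from the removed `charToHTMLattr[ord('"')] = '&34;'`) is not a valid HTML entity; the numeric form needs the hash, `&#34;`, or use `&quot;`, otherwise a quote inside an attribute value is rendered as the literal text `&34;`. Separately, the `charToHTML` and `charToHTMLattr` entries for `<`, `>` and `&` display here as mapping each character to itself, which would make `escapeHTML` a no-op; that is most likely the list archive unescaping `&lt;`, `&gt;` and `&amp;` in the mail body, so confirm the committed source carries the entity strings.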
@@ -310,8 +308,7 @@ class Tag(HTMLBase):
             else:
                 append(key)
             append('="')
-            for ch in str(value):
-                append(charToHTMLattr[ord(ch)])
+            append(escapeHTMLattr(str(value)))
             append('"')
         self.__attribs = ''.join(attrs)
         self.contents = contents
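Review bot: `append(escapeHTMLattr(str(value)))` still funnels attribute values through `str()`; given the Python 2 idioms elsewhere in this patch (`cStringIO`, `types.UnicodeType`), a `unicode` value holding non-ASCII characters raises `UnicodeEncodeError` there before `escapeHTMLattr` ever runs, so Unicode attribute values remain unsupported. Consider passing `value` through unchanged when it is already a string type (`basestring`) and converting only other objects.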
@@ -659,7 +656,12 @@ class HTMLResult(Result):
         buf = cStringIO.StringIO()
         buf.write(self.doctype)
         buf.write('\n')
-        self.contents.flatten(buf.write)
+        def write_both(s):
+            if type(s) == types.UnicodeType:
+                buf.write(s.encode('UTF-8'))
+            else:
+                buf.write(s)
+        self.contents.flatten(write_both)
         buf = buf.getvalue()
         self.headers['Content-Length'] = str(len(buf))
         def later(req):
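Review bot: `type(s) == types.UnicodeType` depends on a `types` import that this hunk does not show, and `isinstance(s, unicode)` would express the check without it while also matching subclasses. The `else` branch writes byte strings through unchanged, so output correctness now depends on every non-Unicode fragment (the doctype included) already being ASCII or UTF-8, and on the response's `Content-Type` declaring `charset=UTF-8`; nothing in this hunk sets that header, so it is worth confirming where `self.headers` is populated.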



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b817f30d72573cc78b6f5222e705cbd4b5ce22ba...223c1bdce3594938fc4038633b23f536497dc920
