[Git][haskell-team/DHG_packages][master] pandoc: Fix CVE-2023-35936
Ilias Tsitsimpis (@iliastsi)
gitlab at salsa.debian.org
Fri Dec 1 12:15:03 GMT 2023
Ilias Tsitsimpis pushed to branch master at Debian Haskell Group / DHG_packages
Commits:
362bf04b by Ilias Tsitsimpis at 2023-12-01T14:09:22+02:00
pandoc: Fix CVE-2023-35936
Re-apply the patch from src:pandoc that fixes CVE-2023-35936.
See also https://bugs.debian.org/1041976.
- - - - -
12 changed files:
- p/haskell-pandoc/debian/changelog
- + p/haskell-pandoc/debian/patches/020230620~5e381e3.patch
- + p/haskell-pandoc/debian/patches/020230623.1~54561e9.patch
- + p/haskell-pandoc/debian/patches/020230623.2~df4f13b.patch
- + p/haskell-pandoc/debian/patches/020230623.3~fe62da6.patch
- + p/haskell-pandoc/debian/patches/020230623.4~5246f02.patch
- + p/haskell-pandoc/debian/patches/020230720~eddedbf.patch
- p/haskell-pandoc/debian/patches/46a4e24d6b03ed88915541a57650f78ec06f6250.patch
- p/haskell-pandoc/debian/patches/65346fa6b1ced5062cf059335b4e9b2db48c287c.patch
- p/haskell-pandoc/debian/patches/f9153e86bbb0b0b5a6722dded757b43c59f3e057.patch
- p/haskell-pandoc/debian/patches/series
- p/haskell-pandoc/debian/patches/undo-xml-light-internal-library
Changes:
=====================================
p/haskell-pandoc/debian/changelog
=====================================
@@ -1,3 +1,9 @@
+haskell-pandoc (3.0.1-2) unstable; urgency=medium
+
+ * Fix CVE-2023-35936
+
+ -- Ilias Tsitsimpis <iliastsi at debian.org> Fri, 01 Dec 2023 14:08:08 +0200
+
haskell-pandoc (3.0.1-1) unstable; urgency=low
* Initial release
=====================================
p/haskell-pandoc/debian/patches/020230620~5e381e3.patch
=====================================
@@ -0,0 +1,120 @@
+Description: fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia
+ This vulnerability, discovered by Entroy C,
+ allows users to write arbitrary files to any location
+ by feeding pandoc a specially crafted URL in an image element.
+ The vulnerability is serious
+ for anyone using pandoc to process untrusted input.
+ The vulnerability does not affect pandoc
+ when run with the `--sandbox` flag.
+Origin: upstream, https://github.com/jgm/pandoc/commit/5e381e3
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/Text/Pandoc/Class/IO.hs
++++ b/src/Text/Pandoc/Class/IO.hs
+@@ -50,7 +50,7 @@
+ import Network.HTTP.Client.TLS (mkManagerSettings)
+ import Network.HTTP.Types.Header ( hContentType )
+ import Network.Socket (withSocketsDo)
+-import Network.URI (unEscapeString)
++import Network.URI (URI(..), parseURI)
+ import System.Directory (createDirectoryIfMissing)
+ import System.Environment (getEnv)
+ import System.FilePath ((</>), takeDirectory, normalise)
+@@ -122,11 +122,11 @@
+
+ openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType)
+ openURL u
+- | Just u'' <- T.stripPrefix "data:" u = do
+- let mime = T.takeWhile (/=',') u''
+- let contents = UTF8.fromString $
+- unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u''
+- return (decodeBase64Lenient contents, Just mime)
++ | Just (URI{ uriScheme = "data:",
++ uriPath = upath }) <- parseURI (T.unpack u) = do
++ let (mime, rest) = break (== '.') upath
++ let contents = UTF8.fromString $ drop 1 rest
++ return (decodeBase64Lenient contents, Just (T.pack mime))
+ | otherwise = do
+ let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v)
+ customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders
+@@ -224,7 +224,7 @@
+ -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+ -- we normalize to get proper path separators for the platform
+- let fullpath = normalise $ dir </> unEscapeString fp
++ let fullpath = normalise $ dir </> fp
+ liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+ logIOError $ BL.writeFile fullpath bs
+
+--- a/src/Text/Pandoc/MediaBag.hs
++++ b/src/Text/Pandoc/MediaBag.hs
+@@ -28,6 +28,7 @@
+ import qualified Data.Map as M
+ import Data.Maybe (fromMaybe, isNothing)
+ import Data.Typeable (Typeable)
++import Network.URI (unEscapeString)
+ import System.FilePath
+ import qualified System.FilePath.Posix as Posix
+ import qualified System.FilePath.Windows as Windows
+@@ -35,7 +36,7 @@
+ import Data.Text (Text)
+ import qualified Data.Text as T
+ import Data.Digest.Pure.SHA (sha1, showDigest)
+-import Network.URI (URI (..), parseURI)
++import Network.URI (URI (..), parseURI, isURI)
+
+ data MediaItem =
+ MediaItem
+@@ -54,9 +55,12 @@
+ instance Show MediaBag where
+ show bag = "MediaBag " ++ show (mediaDirectory bag)
+
+--- | We represent paths with /, in normalized form.
++-- | We represent paths with /, in normalized form. Percent-encoding
++-- is resolved.
+ canonicalize :: FilePath -> Text
+-canonicalize = T.replace "\\" "/" . T.pack . normalise
++canonicalize fp
++ | isURI fp = T.pack fp
++ | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
+
+ -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
+ -- to the given path.
+@@ -79,23 +83,23 @@
+ , mediaContents = contents
+ , mediaMimeType = mt }
+ fp' = canonicalize fp
++ fp'' = T.unpack fp'
+ uri = parseURI fp
+- newpath = if Posix.isRelative fp
+- && Windows.isRelative fp
++ newpath = if Posix.isRelative fp''
++ && Windows.isRelative fp''
+ && isNothing uri
+- && ".." `notElem` splitDirectories fp
+- then T.unpack fp'
++ && not (".." `T.isInfixOf` fp')
++ then fp''
+ else showDigest (sha1 contents) <> "." <> ext
+- fallback = case takeExtension fp of
+- ".gz" -> getMimeTypeDef $ dropExtension fp
+- _ -> getMimeTypeDef fp
++ fallback = case takeExtension fp'' of
++ ".gz" -> getMimeTypeDef $ dropExtension fp''
++ _ -> getMimeTypeDef fp''
+ mt = fromMaybe fallback mbMime
+- path = maybe fp uriPath uri
++ path = maybe fp'' (unEscapeString . uriPath) uri
+ ext = case takeExtension path of
+ '.':e -> e
+ _ -> maybe "" T.unpack $ extensionFromMimeType mt
+
+-
+ -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
+ lookupMedia :: FilePath
+ -> MediaBag
=====================================
p/haskell-pandoc/debian/patches/020230623.1~54561e9.patch
=====================================
@@ -0,0 +1,24 @@
+Description: fix bug in git commit 5e381e3
+ In the new code a comma mysteriously turned into a period.
+ This would have prevented proper separation
+ of the mime type and content in data uris.
+ Thanks to @hseg for catching this.
+Origin: upstream, https://github.com/jgm/pandoc/commit/54561e9
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/Text/Pandoc/Class/IO.hs
++++ b/src/Text/Pandoc/Class/IO.hs
+@@ -124,7 +124,7 @@
+ openURL u
+ | Just (URI{ uriScheme = "data:",
+ uriPath = upath }) <- parseURI (T.unpack u) = do
+- let (mime, rest) = break (== '.') upath
++ let (mime, rest) = break (== ',') upath
+ let contents = UTF8.fromString $ drop 1 rest
+ return (decodeBase64Lenient contents, Just (T.pack mime))
+ | otherwise = do
=====================================
p/haskell-pandoc/debian/patches/020230623.2~df4f13b.patch
=====================================
@@ -0,0 +1,86 @@
+Description: more fixes to git commit 5e381e3
+ These changes recognize that parseURI does not unescape the path.
+ .
+ Another change is that the canonical form
+ of the path used as the MediaBag key
+ retains percent-encoding, if present;
+ we only unescape the string when writing to a file.
+ .
+ Some tests are needed before the issue can be closed.
+Origin: upstream, https://github.com/jgm/pandoc/commit/df4f13b
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/issues/8918
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/Text/Pandoc/Class/IO.hs
++++ b/src/Text/Pandoc/Class/IO.hs
+@@ -50,7 +50,7 @@
+ import Network.HTTP.Client.TLS (mkManagerSettings)
+ import Network.HTTP.Types.Header ( hContentType )
+ import Network.Socket (withSocketsDo)
+-import Network.URI (URI(..), parseURI)
++import Network.URI (URI(..), parseURI, unEscapeString)
+ import System.Directory (createDirectoryIfMissing)
+ import System.Environment (getEnv)
+ import System.FilePath ((</>), takeDirectory, normalise)
+@@ -124,7 +124,7 @@
+ openURL u
+ | Just (URI{ uriScheme = "data:",
+ uriPath = upath }) <- parseURI (T.unpack u) = do
+- let (mime, rest) = break (== ',') upath
++ let (mime, rest) = break (== ',') $ unEscapeString upath
+ let contents = UTF8.fromString $ drop 1 rest
+ return (decodeBase64Lenient contents, Just (T.pack mime))
+ | otherwise = do
+@@ -224,7 +224,7 @@
+ -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+ -- we normalize to get proper path separators for the platform
+- let fullpath = normalise $ dir </> fp
++ let fullpath = normalise $ dir </> unEscapeString fp
+ liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+ logIOError $ BL.writeFile fullpath bs
+
+--- a/src/Text/Pandoc/MediaBag.hs
++++ b/src/Text/Pandoc/MediaBag.hs
+@@ -37,6 +37,7 @@
+ import qualified Data.Text as T
+ import Data.Digest.Pure.SHA (sha1, showDigest)
+ import Network.URI (URI (..), parseURI, isURI)
++import Data.List (isInfixOf)
+
+ data MediaItem =
+ MediaItem
+@@ -56,11 +57,11 @@
+ show bag = "MediaBag " ++ show (mediaDirectory bag)
+
+ -- | We represent paths with /, in normalized form. Percent-encoding
+--- is resolved.
++-- is not resolved.
+ canonicalize :: FilePath -> Text
+ canonicalize fp
+ | isURI fp = T.pack fp
+- | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp
++ | otherwise = T.replace "\\" "/" . T.pack . normalise $ fp
+
+ -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds
+ -- to the given path.
+@@ -83,12 +84,12 @@
+ , mediaContents = contents
+ , mediaMimeType = mt }
+ fp' = canonicalize fp
+- fp'' = T.unpack fp'
++ fp'' = unEscapeString $ T.unpack fp'
+ uri = parseURI fp
+ newpath = if Posix.isRelative fp''
+ && Windows.isRelative fp''
+ && isNothing uri
+- && not (".." `T.isInfixOf` fp')
++ && not (".." `isInfixOf` fp'')
+ then fp''
+ else showDigest (sha1 contents) <> "." <> ext
+ fallback = case takeExtension fp'' of
=====================================
p/haskell-pandoc/debian/patches/020230623.3~fe62da6.patch
=====================================
@@ -0,0 +1,87 @@
+Description: add tests for fillMediaBag/extractMedia
+Origin: upstream, https://github.com/jgm/pandoc/commit/fe62da6
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/pandoc.cabal
++++ b/pandoc.cabal
+@@ -751,6 +751,7 @@
+ tasty-hunit >= 0.9 && < 0.11,
+ tasty-quickcheck >= 0.8 && < 0.11,
+ text >= 1.1.1.0 && < 2.1,
++ temporary >= 1.1 && < 1.4,
+ time >= 1.5 && < 1.14,
+ xml >= 1.3.12 && < 1.4,
+ zip-archive >= 0.2.3.4 && < 0.5
+@@ -758,6 +759,7 @@
+ Tests.Command
+ Tests.Helpers
+ Tests.Shared
++ Tests.MediaBag
+ Tests.Readers.LaTeX
+ Tests.Readers.HTML
+ Tests.Readers.JATS
+--- /dev/null
++++ b/test/Tests/MediaBag.hs
+@@ -0,0 +1,39 @@
++{-# LANGUAGE OverloadedStrings #-}
++module Tests.MediaBag (tests) where
++
++import Test.Tasty
++import Test.Tasty.HUnit
++-- import Tests.Helpers
++import Text.Pandoc.Class (extractMedia, fillMediaBag, runIOorExplode)
++import System.IO.Temp (withTempDirectory)
++import System.FilePath
++import Text.Pandoc.Builder as B
++import System.Directory (doesFileExist, copyFile, setCurrentDirectory, getCurrentDirectory)
++
++tests :: [TestTree]
++tests = [
++ testCase "test fillMediaBag & extractMedia" $
++ withTempDirectory "." "extractMediaTest" $ \tmpdir -> do
++ olddir <- getCurrentDirectory
++ setCurrentDirectory tmpdir
++ copyFile "../../test/lalune.jpg" "moon.jpg"
++ let d = B.doc $
++ B.para (B.image "../../test/lalune.jpg" "" mempty) <>
++ B.para (B.image "moon.jpg" "" mempty) <>
++ B.para (B.image "data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%2f%2e%2e%2f%2e%2e%2fa%2elua" "" mempty) <>
++ B.para (B.image "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" "" mempty)
++ runIOorExplode $ do
++ fillMediaBag d
++ extractMedia "foo" d
++ exists1 <- doesFileExist ("foo" </> "moon.jpg")
++ assertBool "file in directory extract with original name" exists1
++ exists2 <- doesFileExist ("foo" </> "f9d88c3dbe18f6a7f5670e994a947d51216cdf0e.jpg")
++ assertBool "file above directory extracted with hashed name" exists2
++ exists3 <- doesFileExist ("foo" </> "2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua")
++ exists4 <- doesFileExist "a.lua"
++ assertBool "data uri with malicious payload does not get written to arbitrary location"
++ (exists3 && not exists4)
++ exists5 <- doesFileExist ("foo" </> "d5fceb6532643d0d84ffe09c40c481ecdf59e15a.gif")
++ assertBool "data uri with gif is properly decoded" exists5
++ setCurrentDirectory olddir
++ ]
+--- a/test/test-pandoc.hs
++++ b/test/test-pandoc.hs
+@@ -50,6 +50,7 @@
+ import qualified Tests.Writers.AnnotatedTable
+ import qualified Tests.Writers.TEI
+ import qualified Tests.Writers.Markua
++import qualified Tests.MediaBag
+ import Text.Pandoc.Shared (inDirectory)
+
+ tests :: FilePath -> TestTree
+@@ -57,6 +58,7 @@
+ [ Tests.Command.tests
+ , testGroup "Old" (Tests.Old.tests pandocPath)
+ , testGroup "Shared" Tests.Shared.tests
++ , testGroup "MediaBag" Tests.MediaBag.tests
+ , testGroup "Writers"
+ [ testGroup "Native" Tests.Writers.Native.tests
+ , testGroup "ConTeXt" Tests.Writers.ConTeXt.tests
=====================================
p/haskell-pandoc/debian/patches/020230623.4~5246f02.patch
=====================================
@@ -0,0 +1,52 @@
+Description: improve tests for fillMediaBag/extractMedia
+ Ensure that the current directory is not changed up if a test fails,
+ and fix messages for the assertion failures.
+Origin: upstream, https://github.com/jgm/pandoc/commit/5246f02
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-35936
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/test/Tests/MediaBag.hs
++++ b/test/Tests/MediaBag.hs
+@@ -6,16 +6,15 @@
+ -- import Tests.Helpers
+ import Text.Pandoc.Class (extractMedia, fillMediaBag, runIOorExplode)
+ import System.IO.Temp (withTempDirectory)
++import Text.Pandoc.Shared (inDirectory)
+ import System.FilePath
+ import Text.Pandoc.Builder as B
+-import System.Directory (doesFileExist, copyFile, setCurrentDirectory, getCurrentDirectory)
++import System.Directory (doesFileExist, copyFile)
+
+ tests :: [TestTree]
+ tests = [
+ testCase "test fillMediaBag & extractMedia" $
+- withTempDirectory "." "extractMediaTest" $ \tmpdir -> do
+- olddir <- getCurrentDirectory
+- setCurrentDirectory tmpdir
++ withTempDirectory "." "extractMediaTest" $ \tmpdir -> inDirectory tmpdir $ do
+ copyFile "../../test/lalune.jpg" "moon.jpg"
+ let d = B.doc $
+ B.para (B.image "../../test/lalune.jpg" "" mempty) <>
+@@ -26,14 +25,13 @@
+ fillMediaBag d
+ extractMedia "foo" d
+ exists1 <- doesFileExist ("foo" </> "moon.jpg")
+- assertBool "file in directory extract with original name" exists1
++ assertBool "file in directory is not extracted with original name" exists1
+ exists2 <- doesFileExist ("foo" </> "f9d88c3dbe18f6a7f5670e994a947d51216cdf0e.jpg")
+- assertBool "file above directory extracted with hashed name" exists2
++ assertBool "file above directory is not extracted with hashed name" exists2
+ exists3 <- doesFileExist ("foo" </> "2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua")
+ exists4 <- doesFileExist "a.lua"
+- assertBool "data uri with malicious payload does not get written to arbitrary location"
++ assertBool "data uri with malicious payload gets written outside of destination dir"
+ (exists3 && not exists4)
+ exists5 <- doesFileExist ("foo" </> "d5fceb6532643d0d84ffe09c40c481ecdf59e15a.gif")
+- assertBool "data uri with gif is properly decoded" exists5
+- setCurrentDirectory olddir
++ assertBool "data uri with gif is not properly decoded" exists5
+ ]
=====================================
p/haskell-pandoc/debian/patches/020230720~eddedbf.patch
=====================================
@@ -0,0 +1,90 @@
+Description: ix new variant of the vulnerability in CVE-2023-35936
+ Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
+ An attacker could get around it
+ by double-encoding the malicious extension
+ to create or override arbitrary files.
+ .
+ $ echo '' >b.md
+ $ .cabal/bin/pandoc b.md --extract-media=bar
+ <p><img
+ src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
+ $ cat b.lua
+ print "hello"
+ $ find bar
+ bar/
+ bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
+ .
+ This commit adds a test case for this more complex attack
+ and fixes the vulnerability.
+ (The fix is quite simple:
+ if the URL-unescaped filename or extension contains a '%',
+ we just use the sha1 hash of the contents as the canonical name,
+ just as we do if the filename contains '..'.)
+Origin: upstream, https://github.com/jgm/pandoc/commit/eddedbf
+Author: John MacFarlane <jgm at berkeley.edu>
+Bug: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-38745
+Forwarded: yes
+Last-Update: 2023-07-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/Text/Pandoc/Class/IO.hs
++++ b/src/Text/Pandoc/Class/IO.hs
+@@ -224,6 +224,8 @@
+ -> m ()
+ writeMedia dir (fp, _mt, bs) = do
+ -- we normalize to get proper path separators for the platform
++ -- we unescape URI encoding, but given how insertMedia
++ -- is written, we shouldn't have any % in a canonical media name...
+ let fullpath = normalise $ dir </> unEscapeString fp
+ liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath)
+ logIOError $ BL.writeFile fullpath bs
+--- a/src/Text/Pandoc/MediaBag.hs
++++ b/src/Text/Pandoc/MediaBag.hs
+@@ -90,16 +90,17 @@
+ && Windows.isRelative fp''
+ && isNothing uri
+ && not (".." `isInfixOf` fp'')
++ && '%' `notElem` fp''
+ then fp''
+- else showDigest (sha1 contents) <> "." <> ext
++ else showDigest (sha1 contents) <> ext
+ fallback = case takeExtension fp'' of
+ ".gz" -> getMimeTypeDef $ dropExtension fp''
+ _ -> getMimeTypeDef fp''
+ mt = fromMaybe fallback mbMime
+ path = maybe fp'' (unEscapeString . uriPath) uri
+ ext = case takeExtension path of
+- '.':e -> e
+- _ -> maybe "" T.unpack $ extensionFromMimeType mt
++ '.':e | '%' `notElem` e -> '.':e
++ _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt
+
+ -- | Lookup a media item in a 'MediaBag', returning mime type and contents.
+ lookupMedia :: FilePath
+--- a/test/Tests/MediaBag.hs
++++ b/test/Tests/MediaBag.hs
+@@ -19,7 +19,7 @@
+ let d = B.doc $
+ B.para (B.image "../../test/lalune.jpg" "" mempty) <>
+ B.para (B.image "moon.jpg" "" mempty) <>
+- B.para (B.image "data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%2f%2e%2e%2f%2e%2e%2fa%2elua" "" mempty) <>
++ B.para (B.image "data:image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%2f%2e%2e%2f%2e%2e%2fa%2elua" "" mempty) <>
+ B.para (B.image "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" "" mempty)
+ runIOorExplode $ do
+ fillMediaBag d
+@@ -34,4 +34,14 @@
+ (exists3 && not exists4)
+ exists5 <- doesFileExist ("foo" </> "d5fceb6532643d0d84ffe09c40c481ecdf59e15a.gif")
+ assertBool "data uri with gif is not properly decoded" exists5
++ -- double-encoded version:
++ let e = B.doc $
++ B.para (B.image "data:image/png;base64,cHJpbnQgInB3bmVkIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua" "" mempty)
++ runIOorExplode $ do
++ fillMediaBag e
++ extractMedia "bar" e
++ exists6 <- doesFileExist ("bar" </> "772ceca21a2751863ec46cb23db0e7fc35b9cff8.png")
++ exists7 <- doesFileExist "b.lua"
++ assertBool "data uri with double-encoded malicious payload gets written outside of destination dir"
++ (exists6 && not exists7)
+ ]
=====================================
p/haskell-pandoc/debian/patches/46a4e24d6b03ed88915541a57650f78ec06f6250.patch
=====================================
@@ -23,8 +23,6 @@ New module Text.Pandoc.Readers.Typst [API change].
create mode 100644 src/Text/Pandoc/Readers/Typst/Math.hs
create mode 100644 src/Text/Pandoc/Readers/Typst/Parsing.hs
-diff --git a/test/epub/features.native b/test/epub/features.native
-index ef5f0d032c1e..2a458009251c 100644
--- a/test/epub/features.native
+++ b/test/epub/features.native
@@ -1281,7 +1281,7 @@
=====================================
p/haskell-pandoc/debian/patches/65346fa6b1ced5062cf059335b4e9b2db48c287c.patch
=====================================
@@ -9,8 +9,6 @@ Subject: [PATCH] Use latest texmath
test/epub/features.native | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/test/epub/features.native b/test/epub/features.native
-index 659c9692ef1e..ef5f0d032c1e 100644
--- a/test/epub/features.native
+++ b/test/epub/features.native
@@ -1184,7 +1184,7 @@
=====================================
p/haskell-pandoc/debian/patches/f9153e86bbb0b0b5a6722dded757b43c59f3e057.patch
=====================================
@@ -8,8 +8,6 @@ Subject: [PATCH] Update tests for skylighting-format-blaze-html change.
test/lhs-test.html+lhs | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/test/lhs-test.html b/test/lhs-test.html
-index c85e4adc90a4..c0b7ece666c1 100644
--- a/test/lhs-test.html
+++ b/test/lhs-test.html
@@ -161,7 +161,7 @@
@@ -21,8 +19,6 @@ index c85e4adc90a4..c0b7ece666c1 100644
pre > code.sourceCode > span:empty { height: 1.2em; }
.sourceCode { overflow: visible; }
code.sourceCode > span { color: inherit; text-decoration: inherit; }
-diff --git a/test/lhs-test.html+lhs b/test/lhs-test.html+lhs
-index db055d405df8..981084e10d1c 100644
--- a/test/lhs-test.html+lhs
+++ b/test/lhs-test.html+lhs
@@ -161,7 +161,7 @@
=====================================
p/haskell-pandoc/debian/patches/series
=====================================
@@ -2,3 +2,9 @@ f9153e86bbb0b0b5a6722dded757b43c59f3e057.patch
65346fa6b1ced5062cf059335b4e9b2db48c287c.patch
46a4e24d6b03ed88915541a57650f78ec06f6250.patch
undo-xml-light-internal-library
+020230620~5e381e3.patch
+020230623.1~54561e9.patch
+020230623.2~df4f13b.patch
+020230623.3~fe62da6.patch
+020230623.4~5246f02.patch
+020230720~eddedbf.patch
=====================================
p/haskell-pandoc/debian/patches/undo-xml-light-internal-library
=====================================
@@ -1,6 +1,6 @@
--- a/pandoc.cabal
+++ b/pandoc.cabal
-@@ -442,24 +442,9 @@ common common-executable
+@@ -442,24 +442,9 @@
build-depends: pandoc
ghc-options: -rtsopts -with-rtsopts=-A8m -threaded
@@ -26,7 +26,7 @@
JuicyPixels >= 3.1.6.1 && < 3.4,
SHA >= 1.6 && < 1.7,
aeson >= 2.0.1.0 && < 2.2,
-@@ -521,7 +506,9 @@ library
+@@ -521,7 +506,9 @@
yaml >= 0.11 && < 0.12,
zip-archive >= 0.2.3.4 && < 0.5,
zlib >= 0.5 && < 0.7,
@@ -37,7 +37,7 @@
if !os(windows)
build-depends: unix >= 2.4 && < 2.9
-@@ -529,6 +516,7 @@ library
+@@ -529,6 +516,7 @@
cpp-options: -DEMBED_DATA_FILES
other-modules: Text.Pandoc.Data.BakedIn
hs-source-dirs: src
@@ -45,7 +45,7 @@
exposed-modules: Text.Pandoc,
Text.Pandoc.App,
-@@ -624,6 +612,10 @@ library
+@@ -624,6 +612,10 @@
Text.Pandoc.Slides,
Text.Pandoc.Templates,
Text.Pandoc.XML,
View it on GitLab: https://salsa.debian.org/haskell-team/DHG_packages/-/commit/362bf04b0d491176155a2600626744f7b22aff83
--
View it on GitLab: https://salsa.debian.org/haskell-team/DHG_packages/-/commit/362bf04b0d491176155a2600626744f7b22aff83
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-haskell-commits/attachments/20231201/5363d5cc/attachment-0001.htm>
More information about the Pkg-haskell-commits
mailing list