[Python-modules-team] Bug#951907: Suggested Stable Fix
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 27 13:11:32 GMT 2020
Hi Scott,
On Thu, Feb 27, 2020 at 01:41:44PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> > I think though we might need to revisit the assessment that older
> > versions are not affected. Look at this quick and dirty test
> > deduced from the testsuite:
>
> So I think earlier versions are vulnerable as well, but a fix will
> not be so easy. First, back in b07814e0753c ("Extract all html5lib
> things into a shim module") in v3.0.0, some code was split from
> bleach.sanitizer into bleach.html5lib_shim, and before that, in
> 67afdf8ae7d3 ("Prevent HTMLTokenizer from unescaping entities") in
> v2.1, it was refactored quite a bit.
>
> Now I'm not entirely sure how we should fix that for stretch.
Additional point: in earlier versions the package depended on html5lib,
then the code was vendored into bleach itself, and then further
modified as above. So while it is true one can argue the affected code
is not in bleach, bleach.clean still does not properly sanitize,
leading to the issue.
Is it possibly too hard to actually fix the issue for stretch (and, for
LTS interest, in jessie as well)?
Regards,
Salvatore