packages/jsoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:1dcf63fe52ec7460394c974db7d7ad9041acf61d
Branches Tags
packages:main
..
compare: packages:d0428381f7a0cb8ab3d2f50d8ddbadefa314f915
Branches Tags
packages:main

No commits in common. "1dcf63fe52ec7460394c974db7d7ad9041acf61d" and "d0428381f7a0cb8ab3d2f50d8ddbadefa314f915" have entirely different histories.
1dcf63fe52 ... d0428381f7

5 changed files with 27 additions and 116 deletions
Show Stats Expand all files Collapse all files

99
CVE-2022-36033.patch
View File

@ -1,99 +0,0 @@
From 4ea768d96b3d232e63edef9594766d44597b3882 Mon Sep 17 00:00:00 2001
From: Jonathan Hedley <jonathan@hedley.net>
Date: Sun, 21 Aug 2022 14:04:56 +1000
Subject: [PATCH] Strip control characters from URLs when resolving absolute
URLs
---
.../java/org/jsoup/internal/StringUtil.java | 10 +++++++++-
.../org/jsoup/internal/StringUtilTest.java | 9 +++++++++
.../java/org/jsoup/safety/CleanerTest.java | 18 ++++++++++++++++++
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/jsoup/internal/StringUtil.java b/src/main/java/org/jsoup/internal/StringUtil.java
index 0835225..608e96d 100644
--- a/src/main/java/org/jsoup/internal/StringUtil.java
+++ b/src/main/java/org/jsoup/internal/StringUtil.java
@@ -269,6 +269,7 @@ public final class StringUtil {
* @throws MalformedURLException if an error occurred generating the URL
*/
public static URL resolve(URL base, String relUrl) throws MalformedURLException {
+ relUrl = stripControlChars(relUrl);
// workaround: java resolves '//path/file + ?foo' to '//path/?foo', not '//path/file?foo' as desired
if (relUrl.startsWith("?"))
relUrl = base.getPath() + relUrl;
@@ -287,7 +288,9 @@ public final class StringUtil {
* @param relUrl the relative URL to resolve. (If it's already absolute, it will be returned)
* @return an absolute URL if one was able to be generated, or the empty string if not
*/
- public static String resolve(final String baseUrl, final String relUrl) {
+ public static String resolve(String baseUrl, String relUrl) {
+ // workaround: java will allow control chars in a path URL and may treat as relative, but Chrome / Firefox will strip and may see as a scheme. Normalize to browser's view.
+ baseUrl = stripControlChars(baseUrl); relUrl = stripControlChars(relUrl);
try {
URL base;
try {
@@ -306,6 +309,11 @@ public final class StringUtil {
}
private static final Pattern validUriScheme = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+-.]*:");
+ private static final Pattern controlChars = Pattern.compile("[\\x00-\\x1f]*"); // matches ascii 0 - 31, to strip from url
+ private static String stripControlChars(final String input) {
+ return controlChars.matcher(input).replaceAll("");
+ }
+
private static final ThreadLocal<Stack<StringBuilder>> threadLocalBuilders = new ThreadLocal<Stack<StringBuilder>>() {
@Override
protected Stack<StringBuilder> initialValue() {
diff --git a/src/test/java/org/jsoup/internal/StringUtilTest.java b/src/test/java/org/jsoup/internal/StringUtilTest.java
index 1956084..9ffcec9 100644
--- a/src/test/java/org/jsoup/internal/StringUtilTest.java
+++ b/src/test/java/org/jsoup/internal/StringUtilTest.java
@@ -120,6 +120,15 @@ public class StringUtilTest {
assertEquals("http://example.com/b/c/g#s/../x", resolve("http://example.com/b/c/d;p?q", "g#s/../x"));
}
+ @Test void stripsControlCharsFromUrls() {
+ // should resovle to an absolute url:
+ assertEquals("foo:bar", resolve("\nhttps://\texample.com/", "\r\nfo\to:ba\br"));
+ }
+
+ @Test void allowsSpaceInUrl() {
+ assertEquals("https://example.com/foo bar/", resolve("HTTPS://example.com/example/", "../foo bar/"));
+ }
+
@Test
void isAscii() {
assertTrue(StringUtil.isAscii(""));
diff --git a/src/test/java/org/jsoup/safety/CleanerTest.java b/src/test/java/org/jsoup/safety/CleanerTest.java
index 3338054..0e62f17 100644
--- a/src/test/java/org/jsoup/safety/CleanerTest.java
+++ b/src/test/java/org/jsoup/safety/CleanerTest.java
@@ -309,6 +309,24 @@ public class CleanerTest {
assertEquals("<a rel=\"nofollow\">Clean</a>", clean);
}
+ @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksEnabled() {
+ Safelist safelist = Safelist.basic().preserveRelativeLinks(true);
+ String html = "<a href=\"&#0013;ja&Tab;va&Tab;script&#0010;:alert(1)\">Link</a>";
+ String clean = Jsoup.clean(html, "https://", safelist);
+ assertEquals("<a rel=\"nofollow\">Link</a>", clean);
+
+ String colon = "<a href=\"ja&Tab;va&Tab;script&colon;alert(1)\">Link</a>";
+ String cleanColon = Jsoup.clean(colon, "https://", safelist);
+ assertEquals("<a rel=\"nofollow\">Link</a>", cleanColon);
+ }
+
+ @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksDisabled() {
+ Safelist safelist = Safelist.basic().preserveRelativeLinks(false);
+ String html = "<a href=\"ja&Tab;vas&#0013;cript:alert(1)\">Link</a>";
+ String clean = Jsoup.clean(html, "https://", safelist);
+ assertEquals("<a rel=\"nofollow\">Link</a>", clean);
+ }
+
@Test public void handlesNoHrefAttribute() {
String dirty = "<a>One</a> <a href>Two</a>";
Safelist relaxedWithAnchor = Safelist.relaxed().addProtocols("a", "href", "#");
--
2.33.0

21
generate-tarball.sh Normal file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -e
name=jsoup
version="$(sed -n 's/Version:\s*//p' *.spec)"
# RETRIEVE
wget "https://github.com/jhy/${name}/archive/${name}-${version}.tar.gz" -O "${name}-${version}.orig.tar.gz"
rm -rf tarball-tmp
mkdir tarball-tmp
cd tarball-tmp
tar xf "../${name}-${version}.orig.tar.gz"
# CLEAN TARBALL
# contains scraped news articles (non-free)
rm -r */src/test/resources
tar cf "../${name}-${version}.tar.gz" *
cd ..
rm -r tarball-tmp "${name}-${version}.orig.tar.gz"

BIN
jsoup-1.11.3.tar.gz Normal file
View File

Binary file not shown.

BIN
jsoup-1.14.2.tar.gz
View File

Binary file not shown.

23
jsoup.spec
View File

@ -1,16 +1,15 @@
Name: jsoup Name: jsoup
Version: 1.14.2 Version: 1.11.3
Release: 2 Release: 4
Summary: Java HTML Parser Summary: Java HTML Parser
License: MIT License: MIT
URL: http://jsoup.org/ URL: http://jsoup.org/
Source0: https://github.com/jhy/jsoup/archive/refs/tags/jsoup-%{version}.tar.gz Source0: %{name}-%{version}.tar.gz
# https://github.com/jhy/jsoup/commit/4ea768d96b3d232e63edef9594766d44597b3882 Source1: generate-tarball.sh
Patch0: CVE-2022-36033.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: maven-local, mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: maven-local, mvn(org.apache.felix:maven-bundle-plugin)
Provides: %{name}-javadoc%{?_isa} %{name}-javadoc Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
Obsoletes: %{name}-javadoc Obsoletes: %{name}-javadoc
%description %description
@ -21,8 +20,7 @@ for extracting and manipulating data, using the best of DOM, CSS, and jquery-lik
%autosetup -n %{name}-%{name}-%{version} -p1 %autosetup -n %{name}-%{name}-%{version} -p1
%pom_remove_plugin :animal-sniffer-maven-plugin %pom_remove_plugin :animal-sniffer-maven-plugin
%pom_remove_plugin :japicmp-maven-plugin %pom_remove_plugin :maven-javadoc-plugin
%pom_remove_plugin :maven-failsafe-plugin
%build %build
%mvn_build -f %mvn_build -f
@ -36,14 +34,5 @@ for extracting and manipulating data, using the best of DOM, CSS, and jquery-lik
%{_javadocdir}/%{name}/* %{_javadocdir}/%{name}/*
%changelog %changelog
* Mon Mar 04 2024 yaoxin <yao_xin001@hoperun.com> - 1.14.2-2
- Fix CVE-2022-36033
* Fri Sep 3 2021 houyingchao <houyingchao@huawei.com> - 1.14.2-1
- Upgrade to 1.14.2
* Wed Mar 4 2020 chenli <chenli147@huawei.com> - 1.11.3-5
- Modify Spec.
* Tue Dec 3 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.11.3-4 * Tue Dec 3 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.11.3-4
- Package init - Package init