Security: Arbitrary command execution in python-lxml
Name:          Arbitrary command execution in python-lxml
ID:            FEDORA-2014-5801
Distribution:  Fedora
Platforms:     Fedora 19
Date:          Thu, 8 May 2014, 20:38
References:    Not specified
Applications:  python-lxml

Original message

Name        : python-lxml
Product     : Fedora 19
Version     : 3.3.5
Release     : 1.fc19
URL         : http://lxml.de
Summary     : ElementTree-like Python bindings for libxml2 and libxslt
Description :
lxml provides a Python binding to the libxslt and libxml2 libraries.
It follows the ElementTree API as much as possible in order to provide
a more Pythonic interface to libxml2 and libxslt than the default
bindings. In particular, lxml deals with Python Unicode strings
rather than encoded UTF-8 and handles memory management automatically,
unlike the default bindings.

--------------------------------------------------------------------------------
Update Information:

3.3.5 (2014-04-18)
==================

Bugs fixed
----------

* HTML cleaning could fail to strip javascript links that mix control
  characters into the link scheme.

3.3.4 (2014-04-03)
==================

Features added
--------------

* Source line numbers above 65535 are available on Elements when
  using libxml2 2.9 or later.

Bugs fixed
----------

* lxml.html.fragment_fromstring() failed for bytes input in Py3.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.5-1
- 3.3.5 (2014-04-18)
- ==================
-
- Bugs fixed
- ----------
-
- * HTML cleaning could fail to strip javascript links that mix control
-   characters into the link scheme.
* Mon Apr 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.4-1
- 3.3.4 (2014-04-03)
- ==================
-
- Features added
- --------------
-
- * Source line numbers above 65535 are available on Elements when
-   using libxml2 2.9 or later.
-
- Bugs fixed
- ----------
-
- * lxml.html.fragment_fromstring() failed for bytes input in Py3.
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-4
- Fix macro definition
* Wed Mar 26 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- Add python3-cssselect to correct package
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-3
- python3-cssselect is not available on F19
* Mon Mar 24 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-2
- BZ#1075070 add requires and buildrequires for cssselect
* Tue Mar 11 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.3-1
- 3.3.3 (2014-03-04)
- ==================
-
- Bugs fixed
- ----------
-
- * LP#1287118: Crash when using Element subtypes with ``__slots__``.
-
- Other changes
- -------------
-
- * The internal classes ``_LogEntry`` and ``_Attrib`` can no longer be
-   subclassed from Python code.
* Tue Mar 11 2014 Alexander Todorov <atodorov@redhat.com> - 3.3.2-2
- Add check section #1075070
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.2 (2014-02-26)
- ==================
-
- Bugs fixed
- ----------
-
- * The properties ``resolvers`` and ``version``, as well as the methods
-   ``set_element_class_lookup()`` and ``makeelement()``, were lost from
-   ``iterparse`` objects.
-
- * LP#1222132: instances of ``XMLSchema``, ``Schematron`` and ``RelaxNG``
-   did not clear their local ``error_log`` before running a validation.
-
- * LP#1238500: lxml.doctestcompare mixed up "expected" and "actual" in
-   attribute values.
-
- * Some file I/O tests were failing in MS-Windows due to incorrect temp
-   file usage. Initial patch by Gabi Davar.
-
- * LP#910014: duplicate IDs in a document were not reported by DTD
-   validation.
-
- * LP#1185332: ``tostring(method="html")`` did not use HTML serialisation
-   semantics for trailing tail text. Initial patch by Sylvain Viollon.
-
- * LP#1281139: ``.attrib`` value of Comments lost its mutation methods
-   in 3.3.0. Even though it is empty and immutable, it should still
-   provide the same interface as that returned for Elements.
* Fri Feb 28 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.2-1
- 3.3.1 (2014-02-12)
- ==================
-
- Bugs fixed
- ----------
-
- * LP#1014290: HTML documents parsed with ``parser.feed()`` failed to find
-   elements during tag iteration.
-
- * LP#1273709: Building in PyPy failed due to missing support for
-   ``PyUnicode_Compare()`` and ``PyByteArray_*()`` in PyPy's C-API.
-
- * LP#1274413: Compilation in MSVC failed due to missing "stdint.h" standard
-   header file.
-
- * LP#1274118: iterparse() failed to parse BOM prefixed files.
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-2
- Update Cython requirement to >= 0.20
* Mon Jan 27 2014 Jeffrey Ollie <jeff@ocjtech.us> - 3.3.0-1
- 3.3.0 (2014-01-26)
- ==================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * The heuristic that distinguishes file paths from URLs was tightened
-   to produce less false negatives.
-
- Other changes
- -------------
-
-
- 3.3.0beta5 (2014-01-18)
- =======================
-
- Features added
- --------------
-
- * The PEP 393 unicode parsing support gained a fallback for wchar strings
-   which might still be somewhat common on Windows systems.
-
- Bugs fixed
- ----------
-
- * Several error handling problems were fixed throughout the code base that
-   could previously lead to exceptions being silently swallowed or not
-   properly reported.
-
- * The C-API function ``appendChild()`` is now deprecated as it does not
-   propagate exceptions (its return type is ``void``). The new function
-   ``appendChildToElement()`` was added as a safe replacement.
-
- * Passing a string into ``fromstringlist()`` raises an exception instead of
-   parsing the string character by character.
-
- Other changes
- -------------
-
- * Document cleanup code was simplified using the new GC features in
-   Cython 0.20.
-
-
- 3.3.0beta4 (2014-01-12)
- =======================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * The (empty) value returned by the ``attrib`` property of Entity and
-   Comment objects was mutable.
-
- * Element class lookup wasn't available for the new pull parsers or when
-   using a custom parser target.
-
- * Setting Element attributes on instantiation with both the ``attrib``
-   argument and keyword arguments could modify the mapping passed as
-   ``attrib``.
-
- * LP#1266171: DTDs instantiated from internal/external subsets (i.e.
-   through the docinfo property) lost their attribute declarations.
-
- Other changes
- -------------
-
- * Built with Cython 0.20pre (gitrev 012ae82eb) to prepare support for
-   Python 3.4.
-
-
- 3.3.0beta3 (2014-01-02)
- =======================
-
- Features added
- --------------
-
- * Unicode string parsing was optimised for Python 3.3 (PEP 393).
-
- Bugs fixed
- ----------
-
- * HTML parsing of Unicode strings could misdecode the input on some
-   platforms.
-
- * Crash in xmlfile() when closing open elements out of order in an error
-   case.
-
- Other changes
- -------------
-
-
- 3.3.0beta2 (2013-12-20)
- =======================
-
- Features added
- --------------
-
- * ``iterparse()`` supports the ``recover`` option.
-
- Bugs fixed
- ----------
-
- * Crash in ``iterparse()`` for HTML parsing.
-
- * Crash in target parsing with attributes.
-
- Other changes
- -------------
-
- * The safety check in the read-only tree implementation (e.g. used by
-   ``PythonElementClassLookup``) raises a more appropriate
-   ``ReferenceError`` for illegal access after tree disposal instead of
-   an ``AssertionError``. This should only impact test code that
-   specifically checks the original behaviour.
-
-
- 3.3.0beta1 (2013-12-12)
- =======================
-
- Features added
- --------------
-
- * New option ``handle_failures`` in ``make_links_absolute()`` and
-   ``resolve_base_href()`` (lxml.html) that enables ignoring or
-   discarding links that fail to parse as URLs.
-
- * New parser classes ``XMLPullParser`` and ``HTMLPullParser`` for
-   incremental parsing, as implemented for ElementTree in Python 3.4.
-
- * ``iterparse()`` enables recovery mode by default for HTML parsing
-   (``html=True``).
-
- Bugs fixed
- ----------
-
- * LP#1255132: crash when trying to run validation over non-Element (e.g.
-   comment or PI).
-
- * Error messages in the log and in exception messages that originated
-   from libxml2 could accidentally be picked up from preceding warnings
-   instead of the actual error.
-
- * The ``ElementMaker`` in lxml.objectify did not accept a dict as
-   argument for adding attributes to the element it's building. This
-   works as in lxml.builder now.
-
- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.
-
- * Raise ``ValueError`` when trying to append an Element to itself or
-   to one of its own descendants, instead of running into an infinite
-   loop.
-
- * LP#1206077: htmldiff discarded whitespace from the output.
-
- * Compressed plain-text serialisation to file-like objects was broken.
-
- * lxml.html.formfill: Fix textarea form filling.
-   The textarea used to be cleared before the new content was set,
-   which removed the name attribute.
-
- Other changes
- -------------
-
- * Some basic API classes use freelists internally for faster
-   instantiation. This can speed up some ``iterparse()`` scenarios,
-   for example.
-
- * ``iterparse()`` was rewritten to use the new ``*PullParser``
-   classes internally instead of being a parser itself.
* Mon Nov 11 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.4-1
- 3.2.4 (2013-11-07)
- ==================
-
- Bugs fixed
- ----------
-
- * Memory leak when creating an XPath evaluator in a thread.
-
- * LP#1228881: ``repr(XSLTAccessControl)`` failed in Python 3.
-
- * Raise ``ValueError`` when trying to append an Element to itself or
-   to one of its own descendants.
-
- * LP#1206077: htmldiff discarded whitespace from the output.
-
- * Compressed plain-text serialisation to file-like objects was broken.
* Wed Sep 18 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-2
- Add requirement for on python-cssselect for the python2 version
* Sun Jul 28 2013 Jeffrey Ollie <jeff@ocjtech.us> - 3.2.3-1
- and here's a version 3.2.3. The last release accidentally lost the ability
- to work on Python 2.4. There are no other changes over 3.2.2.
-
- 3.2.2 (2013-07-28)
- ==================
-
- Features added
- --------------
-
- Bugs fixed
- ----------
-
- * LP#1185701: spurious XMLSyntaxError after finishing iterparse().
-
- * Crash in lxml.objectify during xsi annotation.
-
- Other changes
- -------------
-
- * Return values of user provided element class lookup methods are now
-   validated against the type of the XML node they represent to prevent
-   API class mismatches.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1092613 - python-lxml: clean_html input sanitization flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=1092613
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update python-lxml' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
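
The 3.3.5 entry above concerns javascript links whose scheme is interrupted by control characters. The following Python is an added example, not code from lxml or from this advisory: it contrasts a raw-text scheme comparison with a check that normalises the link before consulting an allowlist. The allowlist, the function names and the sample links are assumptions constructed for the illustration.

```python
import re

# Schemes accepted in link attributes (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# URL parsing in browsers drops tabs and newlines and ignores leading control
# characters; this example conservatively removes every C0 control character,
# space and DEL before it reads the scheme.
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def naive_is_safe(href):
    """'Before' check: compares the raw text, so control characters hide the scheme."""
    return not href.strip().lower().startswith("javascript:")


def link_scheme(href):
    """Return the scheme seen after normalisation, or None for a relative link."""
    match = _SCHEME.match(_IGNORED.sub("", href).lower())
    return match.group(1) if match else None


def is_safe(href):
    """Allowlist check on the normalised scheme; relative links pass."""
    scheme = link_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample links (not taken from the advisory or the bug report).
SAMPLES = [
    "https://example.org/page",
    "/relative/path?x=1",
    "javascript:void(0)",
    "java\tscript:void(0)",
    "\x01javascript:void(0)",
    "j\na\rvascript:void(0)",
]


def audit(links):
    """Return (link, naive verdict, normalised verdict) for each link."""
    return [(link, naive_is_safe(link), is_safe(link)) for link in links]


if __name__ == "__main__":
    for link, naive, strict in audit(SAMPLES):
        print(f"{link!r:32} naive={naive!s:5} normalised={strict}")
```

The last three samples pass the raw comparison and are rejected once the value is normalised, which is the class of miss the 3.3.5 changelog entry describes.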