u/ewong/rhodecode-enterprise-ce-fork Commit - r2992:63458594

bleach: moved clean out of the catch context, so we no longer allow sanitizer to be bypassed....

marcink -

r2992:63458594 default

parent child

pkgs/python-packages.nix

0 +3 -3

                 };
               };
               "bleach" = super.buildPythonPackage {
-                name = "bleach-2.1.3";
+                name = "bleach-2.1.4";
                 doCheck = false;
                 propagatedBuildInputs = [
                   self."six"
                   self."html5lib"
                 ];
                 src = fetchurl {
-                  url = "https://files.pythonhosted.org/packages/eb/ea/58428609442130dc31d3a59010bf6cbd263a16c589d01d23b7c1e6997e3b/bleach-2.1.3.tar.gz";
+                  url = "https://files.pythonhosted.org/packages/7a/b7/fa555afb61462b030abaf9ed1479b8ea031510f58c7706b06113be9f82ea/bleach-2.1.4.tar.gz";
-                  sha256 = "0i4sga1rlnn0qaf9y52i31bk2isd2f5q6jlxrvci179l6bv8cwzb";
+                  sha256 = "1n337zbdml6z6zia0b1qgv6xiddx3qlwmcg9vk2mk60jcxhmzs8f";
                 };
                 meta = {
                   license = [ pkgs.lib.licenses.asl20 ];

requirements.txt

0 +1 -1

             # entrypoints backport, pypi version doesn't support egg installs
             https://code.rhodecode.com/upstream/entrypoints/archive/96e6d645684e1af3d7df5b5272f3fe85a546b233.tar.gz?md5=7db37771aea9ac9fefe093e5d6987313#egg=entrypoints==0.2.2.rhodecode-upstream1
             nbconvert==5.3.1
-            bleach==2.1.3
+            bleach==2.1.4
             nbformat==4.4.0
             jupyter_client==5.0.0

rhodecode/lib/markup_renderer.py

0 +10 -5

                     from .bleach_whitelist import markdown_attrs, markdown_tags
                     allowed_tags = markdown_tags
                     allowed_attrs = markdown_attrs
-                    return bleach.clean(text, tags=allowed_tags, attributes=allowed_attrs)
+                    try:
+                        return bleach.clean(text, tags=allowed_tags, attributes=allowed_attrs)
+                    except Exception:
+                        return 'UNPARSEABLE TEXT'
                 @classmethod
                 def renderer_from_filename(cls, filename, exclude):
                         if flavored:
                             source = cls._flavored_markdown(source)
                         rendered = markdown_renderer.convert(source)
-                        if clean_html:
-                            rendered = cls.bleach_clean(rendered)
-                        return rendered
                     except Exception:
                         log.exception('Error when rendering Markdown')
                         if safe:
                             log.debug('Fallback to render in plain mode')
-                            return cls.plain(source)
+                            rendered = cls.plain(source)
                         else:
                             raise
+                    if clean_html:
+                        rendered = cls.bleach_clean(rendered)
+                    return rendered
                 @classmethod
                 def rst(cls, source, safe=True, mentions=False, clean_html=False):
                     if mentions:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages