• Bug#1105219: unblock: php-league-commonmark/2.7.0-1 (5/5)

    From David Prévot@21:1/5 to All on Tue May 13 18:30:01 2025
    [continued from previous message]

    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1158 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/Reference.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 623 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2022 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceMap.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 787 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceMapInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 9238 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceParser.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 405 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceableInterface.php
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1467 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/DocumentRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1978 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/ParagraphRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 701 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/ChildNodeRendererInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 687 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/DocumentRendererInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1263 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/HtmlDecorator.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2869 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/HtmlRenderer.php
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2012 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/NewlineRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1339 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/TextRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 728 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/MarkdownRendererInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 421 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/NoMatchingRendererException.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 662 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/NodeRendererInterface.php
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 3476 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/ArrayCollection.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1815 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/Html5EntityDecoder.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 4140 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/HtmlElement.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1468 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/HtmlFilter.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 4942 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/LinkParserHelper.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1641 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/PrioritizedList.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 10399 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/RegexHelper.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2237 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/SpecReader.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2619 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/UrlEncoder.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 738 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/Xml.php
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 2222 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/FallbackNodeXmlRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 1604 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/MarkdownToXmlConverter.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 610 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/XmlNodeRendererInterface.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 4166 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/XmlRenderer.php
    │ │ │ +-rw-r--r-- 0 root (0) root (0) 39022 2025-05-05 14:16:52.000000 ./usr/share/php/League/CommonMark/autoload.php
    │ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 14:16:52.000000 ./usr/share/pkg-php-tools/
    │ │ │ drwxr-xr-x 0 root (0) root (0) 0 2024-10-29 12:16:14.000000 ./usr/share/pkg-php-tools/autoloaders/
    │ │ │ -rw-r--r-- 0 root (0) root (0) 49 2024-07-23 10:20:01.000000 ./usr/share/pkg-php-tools/autoloaders/php-league-commonmark
    │ │ ├── ./usr/share/doc/php-league-commonmark/changelog.Debian.gz
    │ │ │ ├── changelog.Debian
    │ │ │ │ @@ -1,7 +1,15 @@
    │ │ │ │ +php-league-commonmark (2.7.0-1) unstable; urgency=medium
    │ │ │ │ +
    │ │ │ │ + [ Colin O'Dell ]
    │ │ │ │ + * Fix XSS in AttributesExtension
    │ │ │ │ + * Prepare to release 2.7.0
    │ │ │ │ +
    │ │ │ │ + -- David Prévot <taffit@debian.org> Mon, 05 May 2025 16:16:52 +0200
    │ │ │ │ +
    │ │ │ │ php-league-commonmark (2.6.2-1) unstable; urgency=medium
    │ │ │ │
    │ │ │ │ [ Colin O'Dell ]
    │ │ │ │ * Fix Attributes extension parsing regression (#1071)
    │ │ │ │ * Prepare to release 2.6.2
    │ │ │ │
    │ │ │ │ [ David Prévot ]
    │ │ ├── ./usr/share/doc/php-league-commonmark/changelog.gz
    │ │ │ ├── changelog
    │ │ │ │ @@ -2,14 +2,25 @@
    │ │ │ │ All notable changes to this project will be documented in this file.
    │ │ │ │ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
    │ │ │ │
    │ │ │ │ **Upgrading from 1.x?** See <https://commonmark.thephpleague.com/2.0/upgrading/> for additional information.
    │ │ │ │
    │ │ │ │ ## [Unreleased][unreleased]
    │ │ │ │
    │ │ │ │ +## [2.7.0]
    │ │ │ │ +
    │ │ │ │ +This is a **security release** to address a potential cross-site scripting (XSS) vulnerability when using the `AttributesExtension` with untrusted user input.
    │ │ │ │ +
    │ │ │ │ +### Added
    │ │ │ │ +- Added `attributes/allow` config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)
    │ │ │ │ +
    │ │ │ │ +### Changed
    │ │ │ │ +- The `AttributesExtension` blocks all attributes starting with `on` unless explicitly allowed via the `attributes/allow` config option
    │ │ │ │ +- The `allow_unsafe_links` option is now respected by the `AttributesExtension` when users specify `href` and `src` attributes
    │ │ │ │ +
    │ │ │ │ ## [2.6.2] - 2025-04-18
    │ │ │ │
    │ │ │ │ ### Fixed
    │ │ │ │
    │ │ │ │ - Fixed Attributes extension parsing regression (#1071)
    │ │ │ │
    │ │ │ │ ## [2.6.1] - 2024-12-29
    │ │ │ │ @@ -685,15 +696,16 @@
    │ │ │ │ **The following things have been deprecated and will not be supported in v3.0:**
    │ │ │ │
    │ │ │ │ - `Environment::mergeConfig()` (set configuration before instantiation instead)
    │ │ │ │ - `Environment::createCommonMarkEnvironment()` and `Environment::createGFMEnvironment()`
    │ │ │ │ - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
    │ │ │ │ - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
    │ │ │ │
    │ │ │ │ -[unreleased]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
    │ │ │ │ +[unreleased]: https://github.com/thephpleague/commonmark/compare/2.7.0...HEAD
    │ │ │ │ +[2.7.0]: https://github.com/thephpleague/commonmark/compare/2.6.2...2.7.0
    │ │ │ │ [2.6.2]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
    │ │ │ │ [2.6.1]: https://github.com/thephpleague/commonmark/compare/2.6.0...2.6.1
    │ │ │ │ [2.6.0]: https://github.com/thephpleague/commonmark/compare/2.5.3...2.6.0
    │ │ │ │ [2.5.3]: https://github.com/thephpleague/commonmark/compare/2.5.2...2.5.3
    │ │ │ │ [2.5.2]: https://github.com/thephpleague/commonmark/compare/2.5.1...2.5.2
    │ │ │ │ [2.5.1]: https://github.com/thephpleague/commonmark/compare/2.5.0...2.5.1
    │ │ │ │ [2.5.0]: https://github.com/thephpleague/commonmark/compare/2.4.4...2.5.0
    │ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/AttributesExtension.php
    │ │ │ @@ -15,18 +15,30 @@
    │ │ │ namespace League\CommonMark\Extension\Attributes;
    │ │ │
    │ │ │ use League\CommonMark\Environment\EnvironmentBuilderInterface;
    │ │ │ use League\CommonMark\Event\DocumentParsedEvent;
    │ │ │ use League\CommonMark\Extension\Attributes\Event\AttributesListener;
    │ │ │ use League\CommonMark\Extension\Attributes\Parser\AttributesBlockStartParser;
    │ │ │ use League\CommonMark\Extension\Attributes\Parser\AttributesInlineParser;
    │ │ │ -use League\CommonMark\Extension\ExtensionInterface;
    │ │ │ +use League\CommonMark\Extension\ConfigurableExtensionInterface;
    │ │ │ +use League\Config\ConfigurationBuilderInterface;
    │ │ │ +use Nette\Schema\Expect;
    │ │ │
    │ │ │ -final class AttributesExtension implements ExtensionInterface
    │ │ │ +final class AttributesExtension implements ConfigurableExtensionInterface
    │ │ │ {
    │ │ │ + public function configureSchema(ConfigurationBuilderInterface $builder): void
    │ │ │ + {
    │ │ │ + $builder->addSchema('attributes', Expect::structure([
    │ │ │ + 'allow' => Expect::arrayOf('string')->default([]),
    │ │ │ + ]));
    │ │ │ + }
    │ │ │ +
    │ │ │ public function register(EnvironmentBuilderInterface $environment): void
    │ │ │ {
    │ │ │ + $allowList = $environment->getConfiguration()->get('attributes.allow');
    │ │ │ + $allowUnsafeLinks = $environment->getConfiguration()->get('allow_unsafe_links');
    │ │ │ +
    │ │ │ $environment->addBlockStartParser(new AttributesBlockStartParser());
    │ │ │ $environment->addInlineParser(new AttributesInlineParser());
    │ │ │ - $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener(), 'processDocument']);
    │ │ │ + $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener($allowList, $allowUnsafeLinks), 'processDocument']);
    │ │ │ }
    │ │ │ }
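Review bot: The `default([])` on the `allow` schema entry near the top of the hunk doubles as the "no allowlist" sentinel (the helper treats an empty list as "keep everything except `on*`"), so an operator has no way to configure an allowlist that denies every user-supplied attribute; a comment should make that explicit, e.g. `// An empty list means "no allowlist": every attribute except on* event handlers is kept` above the `'allow' =>` line. In `register()`, `$environment->getConfiguration()` is called twice in consecutive lines; hoisting it into `$config = $environment->getConfiguration();` and reading `attributes.allow` and `allow_unsafe_links` from `$config` reads more clearly and avoids repeating the lookup.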
    │ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/Event/AttributesListener.php
    │ │ │ @@ -25,14 +25,27 @@
    │ │ │ use League\CommonMark\Node\Node;
    │ │ │
    │ │ │ final class AttributesListener
    │ │ │ {
    │ │ │ private const DIRECTION_PREFIX = 'prefix';
    │ │ │ private const DIRECTION_SUFFIX = 'suffix';
    │ │ │
    │ │ │ + /** @var list<string> */
    │ │ │ + private array $allowList;
    │ │ │ + private bool $allowUnsafeLinks;
    │ │ │ +
    │ │ │ + /**
    │ │ │ + * @param list<string> $allowList
    │ │ │ + */
    │ │ │ + public function __construct(array $allowList = [], bool $allowUnsafeLinks = true)
    │ │ │ + {
    │ │ │ + $this->allowList = $allowList;
    │ │ │ + $this->allowUnsafeLinks = $allowUnsafeLinks;
    │ │ │ + }
    │ │ │ +
    │ │ │ public function processDocument(DocumentParsedEvent $event): void
    │ │ │ {
    │ │ │ foreach ($event->getDocument()->iterator() as $node) {
    │ │ │ if (! ($node instanceof Attributes || $node instanceof AttributesInline)) {
    │ │ │ continue;
    │ │ │ }
    │ │ │
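Review bot: The new constructor docblock documents `$allowList` but not `$allowUnsafeLinks`, and the `true` default presumably exists so that code constructing `AttributesListener` directly (as the registration line did before this change) keeps the old, permissive behaviour — that intent deserves a line, e.g. `* @param bool $allowUnsafeLinks Mirrors the environment's allow_unsafe_links option; defaults to true so direct instantiation keeps the pre-2.7.0 behaviour`. Since the extension now always passes both values, the defaults only matter for such direct callers, which is worth stating so nobody later "tightens" the default and breaks them silently.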
    │ │ │ @@ -46,15 +59,15 @@
    │ │ │
    │ │ │ if ($direction === self::DIRECTION_SUFFIX) {
    │ │ │ $attributes = AttributesHelper::mergeAttributes($target, $node->getAttributes());
    │ │ │ } else {
    │ │ │ $attributes = AttributesHelper::mergeAttributes($node->getAttributes(), $target);
    │ │ │ }
    │ │ │
    │ │ │ - $target->data->set('attributes', $attributes);
    │ │ │ + $target->data->set('attributes', AttributesHelper::filterAttributes($attributes, $this->allowList, $this->allowUnsafeLinks));
    │ │ │ }
    │ │ │
    │ │ │ $node->detach();
    │ │ │ }
    │ │ │ }
    │ │ │
    │ │ │ /**
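Review bot: `filterAttributes` is applied to the merged array on the `$target->data->set` line, and both `mergeAttributes` branches above it fold in attributes already present on `$target`, so with a non-empty `attributes/allow` list any attribute that other code placed on the node (not the user's attribute block) is also stripped the moment an `Attributes` node attaches to it. If that is the intended, conservative behaviour, a comment such as `// Filter the merged set: pre-existing target attributes are subject to the allowlist too` would prevent it being reported as a regression; if not, filter `$node->getAttributes()` before merging instead. `processDocument` opens in the preceding hunk, so its remaining flow is not visible here.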
    │ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/Util/AttributesHelper.php
    │ │ │ @@ -135,8 +135,46 @@
    │ │ │
    │ │ │ if (isset($attributes['class'])) {
    │ │ │ $attributes['class'] = \implode(' ', $attributes['class']);
    │ │ │ }
    │ │ │
    │ │ │ return $attributes;
    │ │ │ }
    │ │ │ +
    │ │ │ + /**
    │ │ │ + * @param array<string, mixed> $attributes
    │ │ │ + * @param list<string> $allowList
    │ │ │ + *
    │ │ │ + * @return array<string, mixed>
    │ │ │ + */
    │ │ │ + public static function filterAttributes(array $attributes, array $allowList, bool $allowUnsafeLinks): array
    │ │ │ + {
    │ │ │ + $allowList = \array_fill_keys($allowList, true);
    │ │ │ +
    │ │ │ + foreach ($attributes as $name => $value) {
    │ │ │ + $attrNameLower = \strtolower($name);
    │ │ │ +
    │ │ │ + // Remove any unsafe links
    │ │ │ + if (! $allowUnsafeLinks && ($attrNameLower === 'href' || $attrNameLower === 'src') && \is_string($value) && RegexHelper::isLinkPotentiallyUnsafe($value)) {
    │ │ │ + unset($attributes[$name]);
    │ │ │ + continue;
    │ │ │ + }
    │ │ │ +
    │ │ │ + // No allowlist?
    │ │ │ + if ($allowList === []) {
    │ │ │ + // Just remove JS event handlers
    │ │ │ + if (\str_starts_with($attrNameLower, 'on')) {
    │ │ │ + unset($attributes[$name]);
    │ │ │ + }
    │ │ │ +
    │ │ │ + continue;
    │ │ │ + }
    │ │ │ +
    │ │ │ + // Remove any attributes not in that allowlist (case-sensitive)
    │ │ │ + if (! isset($allowList[$name])) {
    │ │ │ + unset($attributes[$name]);
    │ │ │ + }
    │ │ │ + }
    │ │ │ +
    │ │ │ + return $attributes;
    │ │ │ + }
    │ │ │ }
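Review bot: The unsafe-link check in `filterAttributes` only examines `href` and `src`, so with `allow_unsafe_links` disabled and no allowlist configured, other URL-valued attributes (for example `formaction`, `xlink:href`, `poster`, `data`) are still passed through unchecked; consider `private const URL_ATTRIBUTES = ['href', 'src', 'formaction', 'xlink:href', 'poster', 'data'];` and `\in_array($attrNameLower, self::URL_ATTRIBUTES, true)` in that condition, to the extent `RegexHelper::isLinkPotentiallyUnsafe` handles each attribute's value syntax. The `\is_string($value)` guard also means a non-string value under those names is kept rather than dropped; if the parser can only produce strings here, a comment saying so would help, otherwise unset non-string values as well. The allowlist lookup at the bottom is case-sensitive while the `on` check runs on the lowercased name — the inline `(case-sensitive)` comment covers the code, but the `@param list<string> $allowList` docblock should state that names must match exactly as written in the Markdown source.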


    -----BEGIN PGP SIGNATURE-----

    iQEzBAABCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmgjcpcACgkQBYwc+UT2 vTynjwgAgSwyvMYxhrAPxbcFpahSk5K1T10VM0aef6+CHz3ei98YOQorfDrykjNl wftmhiiv8JjKkqZQL1XgjI+PgjZnsFY45Vi3WVOXQlkkhDAcxPag2LU08ElSYB5f kykhk3qFRVGUYGBlhyPP1UmeDn3W9JgJwYg25llFd9n6Azxnb1Nk3E4sN/aXTdAu xwBrZhw84p9u3w9ADYFvRH4F6iFqJalTnoqcRGcwozgd2YlGMF0wb8B5rPfjz5Oo B+BEqXxzXxIsKoCwM7usxTnRovKCjqp/h4A6Rq+eiyFV5aAXYvZlkWnu5jCIp2Kj HOgo3z1UJULP4hFwvxyYejLT76tOqg==
    =7qeT
    -----END PGP SIGNATURE-----
