Описание
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-bleach | fixed | 3.1.4-1 | package | |
| python-bleach | no-dsa | buster | package | |
| python-bleach | no-dsa | stretch | package |
Примечания
https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
https://github.com/mozilla/bleach/commit/d6018f2539d271963c3e7f54f36ef11900363c69
https://github.com/mozilla/bleach/commit/6e74a5027b57055cdaeb040343d32934121392a7
Regression report: https://github.com/mozilla/bleach/pull/530
Связанные уязвимости
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
regular expression denial-of-service (ReDoS) in Bleach
