File _service:tar_scm:CVE-2023-45139.patch of Package python-fonttools
From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001 From: Cosimo Lupo <clupo@google.com> Date: Fri, 15 Sep 2023 16:50:38 +0200 Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/ --- Lib/fontTools/subset/svg.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py index f6d74a4002..2e55bf54c0 100644 --- a/Lib/fontTools/subset/svg.py +++ b/Lib/fontTools/subset/svg.py @@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool: # ignore blank text as it's not meaningful in OT-SVG; it also prevents # dangling tail text after removing an element when pretty_print=True remove_blank_text=True, + # don't replace entities; we don't expect any in OT-SVG and they may + # aboused for XXE attacks + resolve_entities=False, ), )
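Review bot: the new comment in the hunk has a grammar slip, "they may aboused for XXE attacks" should read "they may be abused for XXE attacks"; since this comment is the only in-code record of why `resolve_entities=False` is set, it is worth getting right before merge. Otherwise the change matches the stated goal: assuming the enclosing call builds an lxml `XMLParser` (which `remove_blank_text=True` and `resolve_entities=` indicate), passing `resolve_entities=False` stops the parser from expanding entity references, so an OT-SVG document that declared an external entity could no longer be used to pull in local file contents or trigger external fetches during subsetting, and the commit message's CodeQL `py-xxe` reference documents the rationale well. One small documentation point: the commit message says entities are not expected in OT-SVG, so a follow-up could add a regression test feeding a minimal SVG with an internal entity declaration to `subset_glyphs` and asserting the entity is left unexpanded, which would lock this behaviour in.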