GNU bug report logs - #44492
[PATCH] Add fractal.

Previous Next

Package: guix-patches;

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Fri, 6 Nov 2020 21:48:02 UTC

Severity: normal

Tags: moreinfo

Full log

Message #641 received at 44492 <at> debbugs.gnu.org (full text, mbox):

From: Leo Prikler <leo.prikler <at> student.tugraz.at>
To: 44492 <at> debbugs.gnu.org
Subject: [PATCH v5 06/51] gnu: Add rust-comrak-0.7.
Date: Mon, 15 Mar 2021 16:43:39 +0100

* gnu/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it here.
* gnu/packages/crates-io.scm (rust-comrak-0.7): New variable.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/crates-io.scm                    | 44 +++++++++++++++++++
 .../rust-comrak-0.7-rustsec-2021-0026.patch   | 41 +++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 gnu/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index cf8849cf59..d07aaeb90b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1642,6 +1642,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/rust-1.45-linker-locale.patch		\
   %D%/packages/patches/rust-1.48-linker-locale.patch		\
   %D%/packages/patches/rust-bootstrap-stage0-test.patch		\
+  %D%/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch		\
   %D%/packages/patches/rust-coresimd-doctest.patch		\
   %D%/packages/patches/rust-ndarray-remove-blas-src-dep.patch	\
   %D%/packages/patches/rust-nettle-disable-vendor.patch		 \
diff --git a/gnu/packages/crates-io.scm b/gnu/packages/crates-io.scm
index 91bcbacfae..17ac4a08b4 100644
--- a/gnu/packages/crates-io.scm
+++ b/gnu/packages/crates-io.scm
@@ -7766,6 +7766,50 @@ harness.")
         ("rust-rustc-serialize" ,rust-rustc-serialize-0.3)
         ("rust-tempdir" ,rust-tempdir-0.3))))))
 
+(define-public rust-comrak-0.7
+  (package
+    (name "rust-comrak")
+    (version "0.7.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (crate-uri "comrak" version))
+       (file-name
+        (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "07026j0ghwgv5z61fc4l893wwc30krxpsy487rb91wkcag65hw71"))
+       (patches
+        (search-patches
+         "rust-comrak-0.7-rustsec-2021-0026.patch"))
+       (modules '((guix build utils)))
+       (snippet
+        '(begin
+           (substitute* "src/tests.rs"
+             (("data:(png|jpeg|gif|webp)" all what)
+              (string-append "data:image/" what)))
+           #t))))
+    (build-system cargo-build-system)
+    (arguments
+      `(#:cargo-inputs
+        (("rust-clap" ,rust-clap-2)
+         ("rust-entities" ,rust-entities-1)
+         ("rust-lazy-static" ,rust-lazy-static-1)
+         ("rust-pest" ,rust-pest-2)
+         ("rust-pest-derive" ,rust-pest-derive-2)
+         ("rust-regex" ,rust-regex-1)
+         ("rust-twoway" ,rust-twoway-0.2)
+         ("rust-typed-arena" ,rust-typed-arena-1)
+         ("rust-unicode-categories"
+          ,rust-unicode-categories-0.1))
+        #:cargo-development-inputs
+        (("rust-timebomb" ,rust-timebomb-0.1))))
+    (home-page "https://github.com/kivikakk/comrak")
+    (synopsis "Markdown parser and formatter")
+    (description "This package provides a parser and formatter for Github
+Flavored Markdown, that is compatible with CommonMark.")
+    (license license:bsd-2)))
+
 (define-public rust-concurrent-queue-1
   (package
     (name "rust-concurrent-queue")
diff --git a/gnu/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch b/gnu/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch
new file mode 100644
index 0000000000..9a74b7b971
--- /dev/null
+++ b/gnu/packages/patches/rust-comrak-0.7-rustsec-2021-0026.patch
@@ -0,0 +1,41 @@
+From 285e9647c6d2f90d8cb7af543b14c986a8efa631 Mon Sep 17 00:00:00 2001
+From: Asherah Connor <ashe <at> kivikakk.ee>
+Date: Fri, 12 Feb 2021 21:15:29 +1100
+Subject: [PATCH] SECURITY: match unsafe prefixes case-insensitively
+
+Many thanks to Kouhei Morita for reporting this.
+
+Co-authored-by: Kouhei Morita <mrtc0 <at> ssrf.in>
+---
+ src/lexer.pest |   2 +-
+ src/tests.rs   | 146 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 147 insertions(+), 1 deletion(-)
+
+diff --git a/src/lexer.pest b/src/lexer.pest
+index e97647c..7f6cd3f 100644
+--- a/src/lexer.pest
++++ b/src/lexer.pest
+@@ -55,4 +55,4 @@ table_start = { "|"? ~ table_marker ~ ("|" ~ table_marker)* ~ "|"? ~ table_space
+ table_cell_end = { "|" ~ table_spacechar* ~ table_newline? }
+ table_row_end = { table_spacechar* ~ table_newline }
+
+-dangerous_url = { "data:" ~ !("png" | "gif" | "jpeg" | "webp") | "javascript:" | "vbscript:" | "file:" }
++dangerous_url = { ^"data:" ~ !(^"image/" ~ (^"png" | ^"gif" | ^"jpeg" | ^"webp")) | ^"javascript:" | ^"vbscript:" | ^"file:" }
+diff --git a/src/tests.rs b/src/tests.rs
+index c61a493..5f3e0cc 100644
+--- a/src/tests.rs
++++ b/src/tests.rs
+@@ -998,3 +998,11 @@ fn description_lists() {
+         ),
+     );
+ }
++
++#[test]
++fn case_insensitive_safety() {
++    html(
++        "[a](javascript:a) [b](Javascript:b) [c](jaVascript:c) [d](data:xyz) [e](Data:xyz) [f](vbscripT:f) [g](FILE:g)\n",
++        "<p><a href=\"\">a</a> <a href=\"\">b</a> <a href=\"\">c</a> <a href=\"\">d</a> <a href=\"\">e</a> <a href=\"\">f</a> <a href=\"\">g</a></p>\n",
++    );
++}
+--
+2.30.1
-- 
2.30.2
This bug report was last modified 4 years and 88 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.