From aa07f93ef7fd99d0a5aedcdef7dfd9c739edd87f Mon Sep 17 00:00:00 2001
From: Martin Trigaux <mat@odoo.com>
Date: Fri, 8 Jan 2021 10:05:34 +0000
Subject: [PATCH] [IMP] package: update lxml version

Update the version to benefit from the fix for
https://github.com/advisories/GHSA-pgww-xf46-h92r
https://nvd.nist.gov/vuln/detail/CVE-2020-27783

This vulnerability is reproducible in Odoo with
html_sanitize(..., sanitize_tags=False) which does NOT happen for
user-facing content.

Remove old compatibility check (lxml 3.1 was released in 2013)
and clean up global variables that are only used once

closes odoo/odoo#64248

Signed-off-by: Christophe Monniez (moc) <moc@odoo.com>
---
 odoo/tools/mail.py | 26 +++++++++-----------------
 requirements.txt   |  4 +---
 2 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/odoo/tools/mail.py b/odoo/tools/mail.py
index 3e90e25c14d1..29c4fd79d787 100644
--- a/odoo/tools/mail.py
+++ b/odoo/tools/mail.py
@@ -28,13 +28,6 @@ _logger = logging.getLogger(__name__)
 # HTML Sanitizer
 #----------------------------------------------------------
 
-tags_to_kill = ['base', 'embed', 'frame', 'head', 'iframe', 'link', 'meta',
-                'noscript', 'object', 'script', 'style', 'title']
-
-tags_to_remove = ['html', 'body']
-
-# allow new semantic HTML5 tags
-allowed_tags = clean.defs.tags | frozenset('article bdi section header footer hgroup nav aside figure main'.split() + [etree.Comment])
 safe_attrs = clean.defs.safe_attrs | frozenset(
     ['style',
      'data-o-mail-quote',  # quote detection
@@ -43,6 +36,13 @@ safe_attrs = clean.defs.safe_attrs | frozenset(
      'data-class', 'data-mimetype', 'data-original-src', 'data-original-id', 'data-gl-filter', 'data-quality', 'data-resize-width',
      'data-shape', 'data-shape-colors', 'data-file-name', 'data-original-mimetype',
      ])
+SANITIZE_TAGS = {
+    # allow new semantic HTML5 tags
+    'allow_tags': clean.defs.tags | frozenset('article bdi section header footer hgroup nav aside figure main'.split() + [etree.Comment]),
+    'kill_tags': ['base', 'embed', 'frame', 'head', 'iframe', 'link', 'meta',
+                  'noscript', 'object', 'script', 'style', 'title'],
+    'remove_tags': ['html', 'body'],
+}
 
 
 class _Cleaner(clean.Cleaner):
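Review bot: `kill_tags` and `remove_tags` inside the new SANITIZE_TAGS table are plain lists, so `kwargs.update(SANITIZE_TAGS)` in the next hunk hands every html_sanitize call the very same list objects rather than copies; an in-place edit by any caller of the returned kwargs would silently change the module-level table for the rest of the process. The previous module globals had the same exposure, so this is a style point rather than a regression, but now that the mapping is written as a constant it is cheap to make it immutable, e.g. `'kill_tags': frozenset([...same names...]),` and `'remove_tags': frozenset(['html', 'body']),`, matching `allow_tags` which is already a frozenset. As far as I recall lxml's Cleaner rebuilds sets from these iterables when it runs, so the container type should not be observable to it, but that is worth confirming against the pinned lxml before switching.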
@@ -199,17 +199,9 @@ def html_sanitize(src, silent=True, sanitize_tags=True, sanitize_attributes=Fals
         'processing_instructions': False
     }
     if sanitize_tags:
-        kwargs['allow_tags'] = allowed_tags
-        if etree.LXML_VERSION >= (2, 3, 1):
-            # kill_tags attribute has been added in version 2.3.1
-            kwargs.update({
-                'kill_tags': tags_to_kill,
-                'remove_tags': tags_to_remove,
-            })
-        else:
-            kwargs['remove_tags'] = tags_to_kill + tags_to_remove
+        kwargs.update(SANITIZE_TAGS)
 
-    if sanitize_attributes and etree.LXML_VERSION >= (3, 1, 0):  # lxml < 3.1.0 does not allow to specify safe_attrs. We keep all attributes in order to keep "style"
+    if sanitize_attributes:  # We keep all attributes in order to keep "style"
         if strip_classes:
             current_safe_attrs = safe_attrs - frozenset(['class'])
         else:
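Review bot: The trailing comment kept on the `if sanitize_attributes:` line is now stale: `We keep all attributes in order to keep "style"` described the lxml < 3.1.0 fallback that this hunk deletes, and the remaining branch does the opposite — it narrows the attribute set to `safe_attrs`, which already lists 'style' explicitly (see the `safe_attrs = clean.defs.safe_attrs | frozenset(['style', ...` definition above). Suggest rewriting it as `if sanitize_attributes:  # restrict to safe_attrs, which extends lxml's defaults with 'style'` or dropping it altogether, so a reader is not led to believe attributes are left untouched. The `else:` branch of this conditional and the rest of html_sanitize continue outside the hunk.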
diff --git a/requirements.txt b/requirements.txt
index 5d3236adf435..128d286b08f7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,9 +15,7 @@ Jinja2==2.10.1; python_version < '3.8'
 # bullseye version, focal patched 2.10
 Jinja2==2.11.2; python_version >= '3.8'
 libsass==0.18.0
-lxml==4.3.2 ; sys_platform != 'win32' and python_version == '3.7'
-lxml==4.6.1 ; sys_platform != 'win32' and python_version > '3.7'
-lxml ; sys_platform == 'win32'
+lxml==4.6.2
 MarkupSafe==1.1.0
 num2words==0.5.6
 ofxparse==0.19
-- 
GitLab