This queue is for tickets about the HTML-Defang CPAN distribution.

Report information
The Basics
Id: 110663
Status: open
Priority: 0/
Queue: HTML-Defang

People
Owner: Nobody in particular
Requestors: ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 1.04
  • 1.05
  • 1.06
Fixed in: (no value)



Subject: Unescaped left brace in regex is deprecated, passed through in regex
This module warns when used with Perl 5.22:

# Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?i:^([a-z]*script\s*:|.*\&{ <-- HERE |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at /usr/share/perl5/HTML/Defang.pm line 181.
# Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/expression|eval|script:|mocha:|\&{ <-- HERE |\@import/ at /usr/share/perl5/HTML/Defang.pm line 207.
# Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/^([A-Za-z]*script|.*\&{ <-- HERE |mocha|about|opera|mailto:|hcp:|/(dev|proc)|\\|file|smb|cid:([^@]\.com|.*\.(exe|cmd|bat|pif|scr|sys|sct|lnk|dll|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))(@|\?|$))/ at /usr/share/perl5/HTML/Defang.pm line 160.

Proposed patches attached, divided to one for the actual code and one for the test suite.
Subject: 0001-Fix-regexp-syntax-for-Perl-5.22.patch
From 119de7f13a4bbc6bded2dc8f8a2933ae5fbb4822 Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Sun, 27 Dec 2015 18:22:25 +0200 Subject: [PATCH 1/2] Fix regexp syntax for Perl 5.22 Perl 5.22 introduced the warning Unescaped left brace in regex is deprecated, passed through in regex which triggers in these regexps. Bug-Debian: https://bugs.debian.org/809096 --- lib/HTML/Defang.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/HTML/Defang.pm b/lib/HTML/Defang.pm index c97b7b3..61794d8 100644 --- a/lib/HTML/Defang.pm +++ b/lib/HTML/Defang.pm @@ -157,7 +157,7 @@ my $Executables = '([^@]\.com|'. '.*\.(exe|cmd|bat|pif|scr|sys|sct|lnk|dll'. '|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js'. '|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))'; -my $SrcBanStd = qr/^([A-Za-z]*script|.*\&{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; +my $SrcBanStd = qr/^([A-Za-z]*script|.*\&\{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; my %Rules = ( @@ -178,7 +178,7 @@ my %Rules = "form-method" => qr/^(get|post)$/i, "frame" => qr/^(void|above|below|hsides|vsides|lhs|rhs|box|border)$/i, # href: Not javascript, vbs or vbscript - "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], + "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&\{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], "usemap-href" => qr/^#[A-Za-z0-9_.-]+$/, # this is not really a href at all! "input-size" => qr/^(\d{1,4})$/, # some browsers freak out with very large widgets "input-type" => qr/^(button|checkbox|file|hidden|image|password|radio|readonly|reset|submit|text)$/i, 
@@ -204,7 +204,7 @@ my %Rules = # "style" => qr/expression|eval|script:|mocha:|\&{|\@import|(?<!background-)position:|background-image/i, # XXX there are probably a million more ways to cause trouble with css! "style" => qr/^.*$/s, #kc In addition to this, we could strip all 'javascript:|expression|' etc. from all attributes(in attribute_cleanup()) - "stylesheet" => [ qr/expression|eval|script:|mocha:|\&{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. + "stylesheet" => [ qr/expression|eval|script:|mocha:|\&\{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. # NB see also `process_stylesheet' below "style-type" => [ qr/script|mocha/i ], "size" => qr/^[\d.]+(px|%)?$/i, -- 2.6.4
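Review bot: The commented-out "style" rule in the third hunk's context still carries the unescaped `\&{`, while the active "stylesheet" rule just below it is escaped. A comment is never compiled, so nothing fails today, but re-enabling that rule would bring the Perl 5.22 warning back; escaping the brace there too keeps all four patterns consistent. Since the warning text says the brace was "passed through", `\&\{` matches the same literal `&{` as before and the filters should behave identically.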
Subject: 0002-Fix-test-script-regexp-syntax-for-Perl-5.22.patch

Message body is not shown because it is too large.

From: ntyni [...] iki.fi
On Sun Dec 27 11:48:34 2015, ntyni@iki.fi wrote:
> Proposed patches attached, divided to one for the actual code and one
> for the test suite.
Whoops, a re-export with 'git format-patch --no-binary' attached for your convenience.
Subject: 0002-Fix-test-script-regexp-syntax-for-Perl-5.22.patch

Message body is not shown because it is too large.

Subject: 0001-Fix-regexp-syntax-for-Perl-5.22.patch
From f88618b06c4b8d2dee5bd38211c0e29703a648f8 Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Sun, 27 Dec 2015 18:22:25 +0200 Subject: [PATCH 1/2] Fix regexp syntax for Perl 5.22 Perl 5.22 introduced the warning Unescaped left brace in regex is deprecated, passed through in regex which triggers in these regexps. Bug-Debian: https://bugs.debian.org/809096 Bug: https://rt.cpan.org/Public/Bug/Display.html?id=110663 --- lib/HTML/Defang.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/HTML/Defang.pm b/lib/HTML/Defang.pm index c97b7b3..61794d8 100644 --- a/lib/HTML/Defang.pm +++ b/lib/HTML/Defang.pm @@ -157,7 +157,7 @@ my $Executables = '([^@]\.com|'. '.*\.(exe|cmd|bat|pif|scr|sys|sct|lnk|dll'. '|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js'. '|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))'; -my $SrcBanStd = qr/^([A-Za-z]*script|.*\&{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; +my $SrcBanStd = qr/^([A-Za-z]*script|.*\&\{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; my %Rules = ( @@ -178,7 +178,7 @@ my %Rules = "form-method" => qr/^(get|post)$/i, "frame" => qr/^(void|above|below|hsides|vsides|lhs|rhs|box|border)$/i, # href: Not javascript, vbs or vbscript - "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], + "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&\{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], "usemap-href" => qr/^#[A-Za-z0-9_.-]+$/, # this is not really a href at all! "input-size" => qr/^(\d{1,4})$/, # some browsers freak out with very large widgets "input-type" => qr/^(button|checkbox|file|hidden|image|password|radio|readonly|reset|submit|text)$/i, 
@@ -204,7 +204,7 @@ my %Rules = # "style" => qr/expression|eval|script:|mocha:|\&{|\@import|(?<!background-)position:|background-image/i, # XXX there are probably a million more ways to cause trouble with css! "style" => qr/^.*$/s, #kc In addition to this, we could strip all 'javascript:|expression|' etc. from all attributes(in attribute_cleanup()) - "stylesheet" => [ qr/expression|eval|script:|mocha:|\&{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. + "stylesheet" => [ qr/expression|eval|script:|mocha:|\&\{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. # NB see also `process_stylesheet' below "style-type" => [ qr/script|mocha/i ], "size" => qr/^[\d.]+(px|%)?$/i, -- 2.6.4
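Review bot: Nothing in this patch exercises the alternative it touches: each of the three changed patterns ($SrcBanStd, "href", "stylesheet") has a branch that matches a literal `&{`, and only lib/HTML/Defang.pm is modified here. It is worth confirming that the companion 0002 test patch feeds a value containing `&{` through each of these rules, so the escaped form is shown to match the same input as the old one rather than only to compile without the warning.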
On 2015-12-27 11:48:34, ntyni@iki.fi wrote:
> This module warns when used with Perl 5.22:
>
> # Unescaped left brace in regex is deprecated, passed through in
> regex; marked by <-- HERE in m/(?i:^([a-z]*scrip
> t\s*:|.*\&{ <-- HERE
> |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at
> /usr/share/perl5/HTML/Defang.p
> m line 181.
> # Unescaped left brace in regex is deprecated, passed through in
> regex; marked by <-- HERE in m/expression|eval|s
> cript:|mocha:|\&{ <-- HERE |\@import/ at
> /usr/share/perl5/HTML/Defang.pm line 207.
> # Unescaped left brace in regex is deprecated, passed through in
> regex; marked by <-- HERE in m/^([A-Za-z]*script
> |.*\&{ <-- HERE
> |mocha|about|opera|mailto:|hcp:|/(dev|proc)|\\|file|smb|cid:([^@]\.com|.*\.(exe|cmd|bat|pif|scr|s
> ys|sct|lnk|dll|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))(@|\?|$))/
> at /us
> r/share/perl5/HTML/Defang.pm line 160.
>
> Proposed patches attached, divided to one for the actual code and one
> for the test suite.
With perl 5.25.x this is a compilation error:

PERL_DL_NONLAZY=1 "/bbbike/perl-5.25.4/bin/perl5.25.4" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
Unescaped left brace in regex is illegal here in regex; marked by <-- HERE in m/(?i:^([a-z]*script\s*:|.*\&{ <-- HERE |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at /tmpfs/.cpan-build-cpansand/2016083103/HTML-Defang-1.04-0/blib/lib/HTML/Defang.pm line 181.
Compilation failed in require at t/01_basic.t line 5.
BEGIN failed--compilation aborted at t/01_basic.t line 5.
# Looks like your test exited with 2 before it could output anything.
t/01_basic.t ......
Dubious, test returned 2 (wstat 512, 0x200)
Failed 89/89 subtests
...
On Wed Aug 31 02:12:08 2016, SREZIC wrote:
> On 2015-12-27 11:48:34, ntyni@iki.fi wrote:
> > This module warns when used with Perl 5.22:
> >
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/(?i:^([a-z]*scrip
> > t\s*:|.*\&{ <-- HERE
> > |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at
> > /usr/share/perl5/HTML/Defang.p
> > m line 181.
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/expression|eval|s
> > cript:|mocha:|\&{ <-- HERE |\@import/ at
> > /usr/share/perl5/HTML/Defang.pm line 207.
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/^([A-Za-z]*script
> > |.*\&{ <-- HERE
> > |mocha|about|opera|mailto:|hcp:|/(dev|proc)|\\|file|smb|cid:([^@]\.com|.*\.(exe|cmd|bat|pif|scr|s
> > ys|sct|lnk|dll|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))(@|\?|$))/
> > at /us
> > r/share/perl5/HTML/Defang.pm line 160.
> >
> > Proposed patches attached, divided to one for the actual code and one
> > for the test suite.
>
> With perl 5.25.x this is a compilation error:
>
> PERL_DL_NONLAZY=1 "/bbbike/perl-5.25.4/bin/perl5.25.4" "-
> MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef
> *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')"
> t/*.t
> Unescaped left brace in regex is illegal here in regex; marked by <--
> HERE in m/(?i:^([a-z]*script\s*:|.*\&{ <-- HERE
> |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at
> /tmpfs/.cpan-build-cpansand/2016083103/HTML-Defang-1.04-
> 0/blib/lib/HTML/Defang.pm line 181.
> Compilation failed in require at t/01_basic.t line 5.
> BEGIN failed--compilation aborted at t/01_basic.t line 5.
> # Looks like your test exited with 2 before it could output anything.
> t/01_basic.t ......
> Dubious, test returned 2 (wstat 512, 0x200)
> Failed 89/89 subtests
> ...
Applying a patch along the lines of the attachment should address the problems in the source code -- but you have many instances of the problem in t/*.t.

Thank you very much.
Jim Keenan
Subject: HTML-Defang-unrecognized-left-brace.diff
Only in blib/lib: auto diff -u -r lib/HTML/Defang.pm blib/lib/HTML/Defang.pm --- lib/HTML/Defang.pm 2011-01-03 07:24:18.000000000 -0500 +++ blib/lib/HTML/Defang.pm 2016-12-20 11:19:33.512636710 -0500 @@ -157,7 +157,7 @@ '.*\.(exe|cmd|bat|pif|scr|sys|sct|lnk|dll'. '|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js'. '|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))'; -my $SrcBanStd = qr/^([A-Za-z]*script|.*\&{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; +my $SrcBanStd = qr/^([A-Za-z]*script|.*\&\{|mocha|about|opera|mailto:|hcp:|\/(dev|proc)|\\|file|smb|cid:${Executables}(@|\?|$))/i; my %Rules = ( @@ -178,7 +178,7 @@ "form-method" => qr/^(get|post)$/i, "frame" => qr/^(void|above|below|hsides|vsides|lhs|rhs|box|border)$/i, # href: Not javascript, vbs or vbscript - "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], + "href" => [ qr/(?i:^([a-z]*script\s*:|.*\&\{|mocha|hcp|opera\s*:|about\s*:|smb|\/dev\/|<))|[^\x00-\x7f]/ ], "usemap-href" => qr/^#[A-Za-z0-9_.-]+$/, # this is not really a href at all! "input-size" => qr/^(\d{1,4})$/, # some browsers freak out with very large widgets "input-type" => qr/^(button|checkbox|file|hidden|image|password|radio|readonly|reset|submit|text)$/i, 
@@ -201,10 +201,10 @@ # "src" => qr/^([a-z]+):|^[\w\.\/\%]+$/i, "src" => qr/^https?:\/\/|^[\w.\/%]+$/i, # "style" => qr/^([A-Za-z0-9_-]+\\s*:\\s*(yes|no)|text-align\\s*:\\s*$alignments|((background|(background-|font-)?color)\\s*:\\s*(\\#?[A-Z0-9]+)?|((margin|padding|border)-(right|left)|tab-interval|height|width)\\s*:\\s*[\\d\\.]+(pt|px)|font(-family|-size|-weight|)\\s*:(\\s*[\\d\\.]+(pt|px)|\\s*$fonts)+)[;\\s]*)+\$/i, -# "style" => qr/expression|eval|script:|mocha:|\&{|\@import|(?<!background-)position:|background-image/i, # XXX there are probably a million more ways to cause trouble with css! +# "style" => qr/expression|eval|script:|mocha:|\&\{|\@import|(?<!background-)position:|background-image/i, # XXX there are probably a million more ways to cause trouble with css! "style" => qr/^.*$/s, #kc In addition to this, we could strip all 'javascript:|expression|' etc. from all attributes(in attribute_cleanup()) - "stylesheet" => [ qr/expression|eval|script:|mocha:|\&{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. + "stylesheet" => [ qr/expression|eval|script:|mocha:|\&\{|\@import/i ], # stylesheets are forbidden if Embedded => 1. css positioning can be allowed in an iframe. # NB see also `process_stylesheet' below "style-type" => [ qr/script|mocha/i ], "size" => qr/^[\d.]+(px|%)?$/i, Only in blib/lib/HTML: .exists
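Review bot: The new side of this diff is the build copy, as the `+++ blib/lib/HTML/Defang.pm` header shows, and the output still carries the `Only in blib/lib: auto` and `Only in blib/lib/HTML: .exists` lines from the recursive comparison. The edit should be made in lib/HTML/Defang.pm and the diff regenerated from there without the two `Only in` lines. On content, the last hunk also escapes `\&{` in the commented-out "style" rule, which the 0001 patch leaves unescaped, so this is the more complete set of changes to keep.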
On 2016-08-31 02:12:08, SREZIC wrote:
> On 2015-12-27 11:48:34, ntyni@iki.fi wrote:
> > This module warns when used with Perl 5.22:
> >
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/(?i:^([a-z]*scrip
> > t\s*:|.*\&{ <-- HERE
> > |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at
> > /usr/share/perl5/HTML/Defang.p
> > m line 181.
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/expression|eval|s
> > cript:|mocha:|\&{ <-- HERE |\@import/ at
> > /usr/share/perl5/HTML/Defang.pm line 207.
> > # Unescaped left brace in regex is deprecated, passed through in
> > regex; marked by <-- HERE in m/^([A-Za-z]*script
> > |.*\&{ <-- HERE
> > |mocha|about|opera|mailto:|hcp:|/(dev|proc)|\\|file|smb|cid:([^@]\.com|.*\.(exe|cmd|bat|pif|scr|s
> > ys|sct|lnk|dll|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))(@|\?|$))/
> > at /us
> > r/share/perl5/HTML/Defang.pm line 160.
> >
> > Proposed patches attached, divided to one for the actual code and one
> > for the test suite.
>
> With perl 5.25.x this is a compilation error:
>
> PERL_DL_NONLAZY=1 "/bbbike/perl-5.25.4/bin/perl5.25.4" "-
> MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef
> *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')"
> t/*.t
> Unescaped left brace in regex is illegal here in regex; marked by <--
> HERE in m/(?i:^([a-z]*script\s*:|.*\&{ <-- HERE
> |mocha|hcp|opera\s*:|about\s*:|smb|/dev/|<))|[^\x00-\x7f]/ at
> /tmpfs/.cpan-build-cpansand/2016083103/HTML-Defang-1.04-
> 0/blib/lib/HTML/Defang.pm line 181.
> Compilation failed in require at t/01_basic.t line 5.
> BEGIN failed--compilation aborted at t/01_basic.t line 5.
> # Looks like your test exited with 2 before it could output anything.
> t/01_basic.t ......
> Dubious, test returned 2 (wstat 512, 0x200)
> Failed 89/89 subtests
> ...
There are still regex-related failures with 1.06:

...
PERL_DL_NONLAZY=1 "/usr/perl5.26.0p/bin/perl5.26.0" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
Unescaped left brace in regex is illegal here in regex; marked by <-- HERE in m/^([A-Za-z]*script|.*\&{ <-- HERE |mocha|about|opera|mailto:|hcp:|/(dev|proc)|\\|file|smb|cid:([^@]\.com|.*\.(exe|cmd|bat|pif|scr|sys|sct|lnk|dll|vbs?|vbe|hta|shb|shs|hlp|chm|eml|wsf|wsh|js|asx|wm.|mdb|mht|msi|msp|cpl|lib|reg))(@|\?|$))/ at /home/cpansand/.cpan/build/2018062506/HTML-Defang-1.06-10/blib/lib/HTML/Defang.pm line 171.
Compilation failed in require at t/01_basic.t line 8.
BEGIN failed--compilation aborted at t/01_basic.t line 8.
# Looks like your test exited with 255 before it could output anything.
t/01_basic.t ......
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 93/93 subtests
...