Safety vulnerability ID: 38107
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Bleach 3.1.4 includes a fix for CVE-2020-6817: the way bleach.clean parses style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag that has an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
Latest version: 6.2.0
An easy safelist-based HTML-sanitizing tool.
--------------------------------
**Security fixes**
* ``bleach.clean`` behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

  Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``.

  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.

  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
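The following is an added example, not code from the Safety DB page or from the Bleach project. It turns the advisory's two facts (Bleach <= 3.1.3 is affected, 3.1.4 carries the fix, and only configurations that allow a ``style`` attribute reach the vulnerable parser) into two defensive checks an application can run against its own configuration: a version comparison against the fix boundary, and an inspection of the ``attributes`` allowlist passed to ``bleach.clean`` with a helper that removes ``style`` from it. It assumes the allowlist is given in the list or dict-of-lists form shown in the advisory; callable attribute filters, which Bleach also accepts, are not handled.

```python
"""Defensive checks for CVE-2020-6817 (Bleach ReDoS in style-attribute parsing).

Added example; not part of the Safety DB page or the Bleach project.
Assumptions: the version boundary (<= 3.1.3 affected, 3.1.4 fixed) comes
from the advisory text, and the `attributes` allowlist is either a list of
attribute names or a dict mapping tag name -> list of attribute names.
"""
import re
from typing import Dict, List, Union

# From the advisory: 3.1.4 is the first release that includes the fix.
FIXED_VERSION = (3, 1, 4)

# Accepts 'v3.1.3', '3.1', '6.2.0'; trailing suffixes after the patch are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")

AttrAllowlist = Union[List[str], Dict[str, List[str]]]


def parse_version(text: str) -> tuple:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text: str) -> bool:
    """True when the installed Bleach predates the 3.1.4 fix."""
    return parse_version(text) < FIXED_VERSION


def allowlist_permits_style(attributes: AttrAllowlist) -> bool:
    """Does this allowlist let a `style` attribute through on any tag?"""
    if isinstance(attributes, dict):
        return any("style" in names for names in attributes.values())
    return "style" in attributes


def drop_style_attribute(attributes: AttrAllowlist) -> AttrAllowlist:
    """Return a copy of the allowlist with 'style' removed everywhere.

    Without 'style' in the allowlist, bleach.clean never runs the
    style-attribute parser, which is the code path the advisory identifies.
    Callable filters (also accepted by Bleach) are an assumption not covered here.
    """
    if isinstance(attributes, dict):
        return {tag: [a for a in names if a != "style"]
                for tag, names in attributes.items()}
    return [a for a in attributes if a != "style"]


def assess(installed_version: str, attributes: AttrAllowlist) -> str:
    """Combine both checks into one verdict string for a config review."""
    if not is_vulnerable_version(installed_version):
        return "ok: bleach version includes the fix"
    if allowlist_permits_style(attributes):
        return "vulnerable: upgrade bleach or remove 'style' from the allowlist"
    return "not exposed: vulnerable version but 'style' is not allowed"


if __name__ == "__main__":
    # Constructed sample allowlist mirroring the advisory's example call.
    sample_attrs = {"a": ["href", "style"], "img": ["src"]}
    for ver in ("v3.1.3", "3.1.4", "6.2.0"):
        print(ver, "->", assess(ver, sample_attrs))
    print("hardened allowlist:", drop_style_attribute(sample_attrs))
```

The verdict order matters: a fixed version is "ok" regardless of the allowlist, while on a vulnerable version the allowlist decides whether the ReDoS path is reachable at all, so removing ``style`` is a usable stopgap where an immediate upgrade is not possible.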
**Backwards incompatible changes**
* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.
**Features**
None
**Bug fixes**
None