python-reportlab/CVE-2019-17626.patch

# HG changeset patch
# User mkasik@redhat.com
# Date 1580132768 -3600
#      Mon Jan 27 14:46:08 2020 +0100
# Node ID b47055e78d8b3e49e7bb5b9cdaa55d449b996764
# Parent  9bb6ebf1b8473e3dc11740cbdce0d5dc1a1afae2
Parse input string of toColor.__call__ for color classes

It constructs respective object from the string then.
This currently supports CMYKColor, PCMYKColor, CMYKColorSep
and PCMYKColorSep.

--- a/src/reportlab/lib/colors.py
+++ b/src/reportlab/lib/colors.py
@@ -833,6 +833,53 @@ class cssParse:
 
 cssParse=cssParse()
 
+def parseColorClassFromString(arg):
+    '''Parses known classes which holds color information from string
+    and constructs respective object.
+    It constructs CMYKColor, PCMYKColor, CMYKColorSep and PCMYKColorSep now.
+    '''
+
+    # Strips input string and splits it with {'(', ')', ','} delimiters
+    splitted = "".join(arg.split()).replace('(', ',').replace(')','').split(',')
+
+    # Creates a "fingerprint" of given string made of {'(', ')', ','} characters only.
+    fingerprint = ''.join(c for c in arg if c in set('(,)'))
+
+    if (len(splitted) > 0):
+        if (splitted[0] == 'Color'):
+            if (fingerprint == '(,,,)'):
+                try:
+                    return Color(*list(map(float, splitted[1:5])))
+                except:
+                    return None
+            elif (fingerprint == '(,,)'):
+                try:
+                    return Color(*list(map(float, splitted[1:4])))
+                except:
+                    return None
+        elif (splitted[0] == 'CMYKColor' and fingerprint == '(,,,)'):
+            try:
+                return CMYKColor(*list(map(float, splitted[1:5])))
+            except:
+                return None
+        elif (splitted[0] == 'PCMYKColor' and fingerprint == '(,,,)'):
+            try:
+                return PCMYKColor(*list(map(float, splitted[1:5])))
+            except:
+                return None
+        elif (splitted[0] == 'CMYKColorSep' and fingerprint == '(,,,)'):
+            try:
+                return CMYKColorSep(*list(map(float, splitted[1:5])))
+            except:
+                return None
+        elif (splitted[0] == 'PCMYKColorSep' and fingerprint == '(,,,)'):
+            try:
+                return PCMYKColorSep(*list(map(float, splitted[1:5])))
+            except:
+                return None
+    else:
+                return None
+
 class toColor:
 
     def __init__(self):
@@ -858,10 +905,8 @@ class toColor:
             C = getAllNamedColors()
             s = arg.lower()
             if s in C: return C[s]
-            try:
-                return toColor(eval(arg))
-            except:
-                pass
+            parsedColor = parseColorClassFromString(arg)
+            if (parsedColor): return parsedColor
 
         try:
             return HexColor(arg)