Version in base suite: 2.5.0-1.1+deb11u1
Base version: cairosvg_2.5.0-1.1+deb11u1
Target version: cairosvg_2.5.0-1.1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cairosvg/cairosvg_2.5.0-1.1+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cairosvg/cairosvg_2.5.0-1.1+deb11u2.dsc
 changelog | 7 +++
 patches/Handle-data-URLs-in-safe-mode.patch | 61 ++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 69 insertions(+)
diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog
--- cairosvg-2.5.0/debian/changelog 2023-03-23 19:51:51.000000000 +0000
+++ cairosvg-2.5.0/debian/changelog 2023-09-06 19:24:37.000000000 +0000
@@ -1,3 +1,10 @@
+cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso Wed, 06 Sep 2023 21:24:37 +0200
+
 cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high
 * Non-maintainer upload by the Security Team.
diff -Nru cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 1970-01-01 00:00:00.000000000 +0000
+++ cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 2023-09-06 19:24:37.000000000 +0000
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py | 5 ++---
+ cairosvg/url.py | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+
+ # Don’t allow fetching external files unless explicitly asked for
+ if 'url_fetcher' not in kwargs and not unsafe:
+- self.url_fetcher = (
+- lambda *args, **kwargs: b'')
++ self.url_fetcher = safe_fetch
+
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
++++ b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+ return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+
+
++def safe_fetch(url, resource_type):
++ """Fetch the content of ``url`` only if it’s a data-URL.
++
++ Otherwise, return an empty SVG.
++
++ """
++ if url and url.startswith('data:'):
++ return fetch(url, resource_type)
++ return b''
++
++
+ def parse_url(url, base=None):
+ """Parse an URL.
+
+--
+2.40.1
+
diff -Nru cairosvg-2.5.0/debian/patches/series cairosvg-2.5.0/debian/patches/series
--- cairosvg-2.5.0/debian/patches/series 2023-03-23 19:51:07.000000000 +0000
+++ cairosvg-2.5.0/debian/patches/series 2023-09-06 19:23:58.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
 0002-Don-t-use-overlapping-groups-for-regular-expressions.patch
 Don-t-allow-fetching-external-files-unless-explicitl.patch
+Handle-data-URLs-in-safe-mode.patch
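Review bot: The docstring of the new `safe_fetch` in the url.py hunk says "Otherwise, return an empty SVG." but the fallthrough returns `b''`, an empty byte string and not an SVG document, so the text misdescribes the safe-mode contract that callers of `url_fetcher` rely on; suggested replacement: `"""Fetch ``url`` only if it is a ``data:`` URL; otherwise return ``b''`` (the pre-patch safe-mode value) so no other scheme is ever passed to ``fetch``."""`. The `url.startswith('data:')` test is exact-case and prefix-only, which fails closed (a `DATA:` or whitespace-prefixed scheme is refused rather than fetched), and that choice deserves a one-line comment above the `if`, `# exact-case, prefix-only check: anything else is refused (fails closed)`, so a later "fix" to accept case variants is recognised as widening the safe-mode surface. Replacing `lambda *args, **kwargs: b''` with `safe_fetch` in `Tree.__init__` (the parser.py hunk shows only part of that method) also narrows the fetcher to exactly two positional arguments, so any caller that passed extra arguments to `url_fetcher` would now raise `TypeError` instead of getting `b''`; whether such callers exist is not visible from this diff.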