- Update jinja2 to 3.1.5

This commit is contained in:
eabdullin 2025-01-15 10:25:45 +03:00
parent 3e7b877292
commit 42ba2b95db
4 changed files with 7 additions and 71 deletions

View File

@ -1,4 +1,4 @@
a9db54d91b53f76f546afa1414dd015c0574ebeb SOURCES/Jinja2-3.1.3.tar.gz
6399fa2cf3e71269d1b0e6b59434616fd4c9d142 SOURCES/Jinja2-3.1.5.tar.gz
e1b766b2b1601fde67b3b19ed2f13b9746bb1cca SOURCES/MarkupSafe-2.0.1.tar.gz
e1fb5dc6f95a85e7d1f93c6701b331201e8b5479 SOURCES/PyJWT-2.1.0-py3-none-any.whl
53fc16036940089ceadd4127381e40fd6106a7ed SOURCES/PyYAML-5.1.tar.gz

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/Jinja2-3.1.3.tar.gz
SOURCES/Jinja2-3.1.5.tar.gz
SOURCES/MarkupSafe-2.0.1.tar.gz
SOURCES/PyJWT-2.1.0-py3-none-any.whl
SOURCES/PyYAML-5.1.tar.gz

View File

@ -1,65 +0,0 @@
From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Thu, 2 May 2024 09:14:00 -0700
Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
---
CHANGES.rst | 6 ++++++
src/jinja2/filters.py | 22 +++++++++++++++++-----
tests/test_filters.py | 11 ++++++-----
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py
index 4cf3c11fb..acd11976e 100644
--- a/kubevirt/jinja2/filters.py
+++ b/kubevirt/jinja2/filters.py
@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
yield from value.items()
-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
@pass_eval_context
@@ -259,8 +261,14 @@ def do_xmlattr(
) -> str:
"""Create an SGML/XML attribute string based on the items in a dict.
- If any key contains a space, this fails with a ``ValueError``. Values that
- are neither ``none`` nor ``undefined`` are automatically escaped.
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
+ escaped, safely allowing untrusted user input.
+
+ User input should not be used as **keys** to this filter. If any key
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+ sign, this fails with a ``ValueError``. Regardless of this, user input
+ should never be used as keys to this filter, or must be separately validated
+ first.
.. sourcecode:: html+jinja
@@ -280,6 +288,10 @@ def do_xmlattr(
As you can see it automatically prepends a space in front of the item
if the filter returned something unless the second parameter is false.
+ .. versionchanged:: 3.1.4
+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
+ are not allowed.
+
.. versionchanged:: 3.1.3
Keys with spaces are not allowed.
"""
@@ -289,8 +301,8 @@ def do_xmlattr(
if value is None or isinstance(value, Undefined):
continue
- if _space_re.search(key) is not None:
- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+ if _attr_key_re.search(key) is not None:
+ raise ValueError(f"Invalid character in attribute name: {key!r}")
items.append(f'{escape(key)}="{escape(value)}"')

View File

@ -38,7 +38,7 @@
%global websocketclient websocket-client
%global websocketclient_version 1.2.1
%global jinja2 Jinja2
%global jinja2_version 3.1.3
%global jinja2_version 3.1.5
%global markupsafe MarkupSafe
%global markupsafe_version 2.0.1
%global stringutils string-utils
@ -57,7 +57,7 @@
Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.10.0
Release: 76%{?alphatag:.%{alphatag}}%{?dist}.1.alma.1
Release: 76%{?alphatag:.%{alphatag}}%{?dist}.4.alma.1
License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/fence-agents
Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -262,7 +262,6 @@ Patch58: RHEL-59878-fence_scsi-only-preempt-once-for-mpath-devices.patch
### HA support libs/utils ###
# all archs
Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
Patch1001: RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
# cloud (x86_64 only)
Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
@ -494,7 +493,6 @@ rm -rf kubevirt/rsa*
# regular patch doesnt work in build-section
pushd support
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1000}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
%ifarch x86_64
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000}
@ -1535,6 +1533,9 @@ are located on corosync cluster nodes.
%endif
%changelog
* Wed Jan 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.0-76.4.alma.1
- Update jinja2 to 3.1.5
* Tue Nov 12 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.0-76.1.alma.1
- fence_scsi: preempt clears all devices on the mpath device,
so only run it for the first device