Security fix for CVE-2025-27516
Resolves: RHEL-85063
parent
d5bb17e18c
commit
3bfd3a1b51
87
0006-CVE-2025-27516.patch
Normal file
87
0006-CVE-2025-27516.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
From c630659347e6824a303e63a7706c23d248bf17cc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Wed, 26 Mar 2025 21:51:37 +0100
|
||||||
|
Subject: [PATCH] CVE-2025-27516
|
||||||
|
|
||||||
|
---
|
||||||
|
src/jinja2/filters.py | 34 ++++++++++++++++------------------
|
||||||
|
tests/test_security.py | 10 ++++++++++
|
||||||
|
2 files changed, 26 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
|
||||||
|
index 6d4f348..bc6cab3 100644
|
||||||
|
--- a/src/jinja2/filters.py
|
||||||
|
+++ b/src/jinja2/filters.py
|
||||||
|
@@ -5,6 +5,7 @@ import random
|
||||||
|
import re
|
||||||
|
import warnings
|
||||||
|
from collections import namedtuple
|
||||||
|
+from inspect import getattr_static
|
||||||
|
from itertools import chain
|
||||||
|
from itertools import groupby
|
||||||
|
|
||||||
|
@@ -1067,28 +1068,25 @@ def do_reverse(value):
|
||||||
|
|
||||||
|
@environmentfilter
|
||||||
|
def do_attr(environment, obj, name):
|
||||||
|
- """Get an attribute of an object. ``foo|attr("bar")`` works like
|
||||||
|
- ``foo.bar`` just that always an attribute is returned and items are not
|
||||||
|
- looked up.
|
||||||
|
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
|
||||||
|
+ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
|
||||||
|
+ if the attribute doesn't exist.
|
||||||
|
|
||||||
|
See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
|
||||||
|
"""
|
||||||
|
+ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
|
||||||
|
+ # But we want to call env.getattr to get behavior such as sandboxing.
|
||||||
|
+ # Determine if the attr exists first, so we know the fallback won't trigger.
|
||||||
|
try:
|
||||||
|
- name = str(name)
|
||||||
|
- except UnicodeError:
|
||||||
|
- pass
|
||||||
|
- else:
|
||||||
|
- try:
|
||||||
|
- value = getattr(obj, name)
|
||||||
|
- except AttributeError:
|
||||||
|
- pass
|
||||||
|
- else:
|
||||||
|
- if environment.sandboxed and not environment.is_safe_attribute(
|
||||||
|
- obj, name, value
|
||||||
|
- ):
|
||||||
|
- return environment.unsafe_undefined(obj, name)
|
||||||
|
- return value
|
||||||
|
- return environment.undefined(obj=obj, name=name)
|
||||||
|
+ # This avoids executing properties/descriptors, but misses __getattr__
|
||||||
|
+ # and __getattribute__ dynamic attrs.
|
||||||
|
+ getattr_static(obj, name)
|
||||||
|
+ except AttributeError:
|
||||||
|
+ # This finds dynamic attrs, and we know it's not a descriptor at this point.
|
||||||
|
+ if not hasattr(obj, name):
|
||||||
|
+ return environment.undefined(obj=obj, name=name)
|
||||||
|
+
|
||||||
|
+ return environment.getattr(obj, name)
|
||||||
|
|
||||||
|
|
||||||
|
@contextfilter
|
||||||
|
diff --git a/tests/test_security.py b/tests/test_security.py
|
||||||
|
index 2e2af69..c1c71df 100644
|
||||||
|
--- a/tests/test_security.py
|
||||||
|
+++ b/tests/test_security.py
|
||||||
|
@@ -225,3 +225,13 @@ class TestStringFormatMap(object):
|
||||||
|
|
||||||
|
with pytest.raises(SecurityError):
|
||||||
|
t.render()
|
||||||
|
+
|
||||||
|
+ def test_attr_filter(self) -> None:
|
||||||
|
+ env = SandboxedEnvironment()
|
||||||
|
+ t = env.from_string(
|
||||||
|
+ """{{ "{0.__call__.__builtins__[__import__]}"
|
||||||
|
+ | attr("format")(not_here) }}"""
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ with pytest.raises(SecurityError):
|
||||||
|
+ t.render()
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
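Review bot: The new comment in `do_attr` ("Determine if the attr exists first, so we know the fallback won't trigger") claims more than `getattr_static` proves: it only confirms a descriptor is present without running it, so a property whose getter raises `AttributeError` still makes `Environment.getattr` fall through to `obj[name]`, the item lookup the new docstring says `attr` never performs; I would soften it to `# Determine if the attr exists first, so the item fallback is not reached for missing attrs (a descriptor that raises AttributeError on access can still hit it).` Dropping `name = str(name)` also means a non-string name now raises `TypeError` from `getattr_static`/`hasattr` where 2.11.3 previously returned undefined; this matches upstream 90457bb, but it is a behaviour change for any 2.11.3 template calling `attr` with a non-str argument. The sandbox bypass is only closed if the backported CVE-2024-56326 fix (Patch5, not visible here) moved the `str.format` wrapping into `SandboxedEnvironment.getattr`, since `environment.getattr` is now the sole place that check can fire, and `test_attr_filter` is the test that proves it, so it must stay in the `%check` pytest run. `inspect.getattr_static` exists only on Python 3.2+, so if this spec still builds a python2 subpackage on any target (the `%bcond_without python3` conditional hints at one), the new module-level import would break that module at import time.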
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: python-jinja2
|
Name: python-jinja2
|
||||||
Version: 2.11.3
|
Version: 2.11.3
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
Summary: General purpose template engine
|
Summary: General purpose template engine
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://palletsprojects.com/p/jinja/
|
URL: https://palletsprojects.com/p/jinja/
|
||||||
@ -25,6 +25,12 @@ Patch4: 0004-CVE-2024-34064.patch
|
|||||||
# Patch backported from upstream without changelog and typing.
|
# Patch backported from upstream without changelog and typing.
|
||||||
Patch5: 0005-CVE-2024-56326.patch
|
Patch5: 0005-CVE-2024-56326.patch
|
||||||
|
|
||||||
|
# Security fix for CVE-2025-27516
|
||||||
|
# Resolved upstream: https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-27516
|
||||||
|
# Patch backported from upstream without changelog.
|
||||||
|
Patch6: 0006-CVE-2025-27516.patch
|
||||||
|
|
||||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
# Enable python3 build by default
|
# Enable python3 build by default
|
||||||
%bcond_without python3
|
%bcond_without python3
|
||||||
@ -196,6 +202,10 @@ PYTHONPATH=$(pwd)/src %{__python3} -m pytest tests
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 26 2025 Lumír Balhar <lbalhar@redhat.com> - 2.11.3-8
|
||||||
|
- Security fix for CVE-2025-27516
|
||||||
|
Resolves: RHEL-85063
|
||||||
|
|
||||||
* Wed Jan 22 2025 Lumír Balhar <lbalhar@redhat.com> - 2.11.3-7
|
* Wed Jan 22 2025 Lumír Balhar <lbalhar@redhat.com> - 2.11.3-7
|
||||||
- Security fix for CVE-2024-56326
|
- Security fix for CVE-2024-56326
|
||||||
Resolves: RHEL-74690
|
Resolves: RHEL-74690
|
||||||
|