From 3e1948e4ce69751ac1afc12fecbd234640019bee Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 04:46:31 -0500
Subject: [PATCH] import python-jinja2-2.10.1-3.el8
---
 SOURCES/CVE-2020-28493.patch | 133 +++++++++++++++++++++++++++++++++++
 SPECS/python-jinja2.spec | 19 ++++-
 2 files changed, 149 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/CVE-2020-28493.patch
diff --git a/SOURCES/CVE-2020-28493.patch b/SOURCES/CVE-2020-28493.patch
new file mode 100644
index 0000000..62047b8
--- /dev/null
+++ b/SOURCES/CVE-2020-28493.patch
@@ -0,0 +1,133 @@ +From 2b76a5a3aa898fd1621c72c6da935cddfb484424 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 12 Mar 2021 14:34:06 +0100 +Subject: [PATCH] CVE-2020-28493 + +--- + Jinja2-2.10.1/jinja2/utils.py | 94 +++++++++++++++++++++-------------- + 1 file changed, 56 insertions(+), 38 deletions(-) + +diff --git a/Jinja2-2.10.1/jinja2/utils.py b/Jinja2-2.10.1/jinja2/utils.py +index 502a311..25dd78f 100644 +--- a/Jinja2-2.10.1/jinja2/utils.py ++++ b/Jinja2-2.10.1/jinja2/utils.py +@@ -12,24 +12,12 @@ import re + import json + import errno + from collections import deque ++from string import ascii_letters as _letters ++from string import digits as _digits + from threading import Lock + from jinja2._compat import text_type, string_types, implements_iterator, \ + url_quote + +- +-_word_split_re = re.compile(r'(\s+)') +-_punctuation_re = re.compile( +- '^(?P(?:%s)*)(?P.*?)(?P(?:%s)*)$' % ( +- '|'.join(map(re.escape, ('(', '<', '<'))), +- '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '>'))) +- ) +-) +-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$') +-_striptags_re = re.compile(r'(|<[^>]*>)') +-_entity_re = re.compile(r'&([^;]+);') +-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' +-_digits = '0123456789' +- + # special singleton representing missing values for the runtime + missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})() + +@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None): + trim_url = lambda x, limit=trim_url_limit: limit is not None \ + and (x[:limit] + (len(x) >=limit and '...' 
+ or '')) or x +- words = _word_split_re.split(text_type(escape(text))) ++ words = re.split(r"(\s+)", text_type(escape(text))) + rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or '' + target_attr = target and ' target="%s"' % escape(target) or '' + + for i, word in enumerate(words): +- match = _punctuation_re.match(word) ++ head, middle, tail = "", word, "" ++ match = re.match(r"^([(<]|<)+", middle) ++ + if match: +- lead, middle, trail = match.groups() +- if middle.startswith('www.') or ( +- '@' not in middle and +- not middle.startswith('http://') and +- not middle.startswith('https://') and +- len(middle) > 0 and +- middle[0] in _letters + _digits and ( +- middle.endswith('.org') or +- middle.endswith('.net') or +- middle.endswith('.com') +- )): +- middle = '%s' % (middle, +- rel_attr, target_attr, trim_url(middle)) +- if middle.startswith('http://') or \ +- middle.startswith('https://'): +- middle = '%s' % (middle, +- rel_attr, target_attr, trim_url(middle)) +- if '@' in middle and not middle.startswith('www.') and \ +- not ':' in middle and _simple_email_re.match(middle): +- middle = '%s' % (middle, middle) +- if lead + middle + trail != word: +- words[i] = lead + middle + trail ++ head = match.group() ++ middle = middle[match.end() :] ++ ++ # Unlike lead, which is anchored to the start of the string, ++ # need to check that the string ends with any of the characters ++ # before trying to match all of them, to avoid backtracking. 
++ if middle.endswith((")", ">", ".", ",", "\n", ">")): ++ match = re.search(r"([)>.,\n]|>)+$", middle) ++ ++ if match: ++ tail = match.group() ++ middle = middle[: match.start()] ++ ++ if middle.startswith("www.") or ( ++ "@" not in middle ++ and not middle.startswith("http://") ++ and not middle.startswith("https://") ++ and len(middle) > 0 ++ and middle[0] in _letters + _digits ++ and ( ++ middle.endswith(".org") ++ or middle.endswith(".net") ++ or middle.endswith(".com") ++ ) ++ ): ++ middle = '%s' % ( ++ middle, ++ rel_attr, ++ target_attr, ++ trim_url(middle), ++ ) ++ ++ if middle.startswith("http://") or middle.startswith("https://"): ++ middle = '%s' % ( ++ middle, ++ rel_attr, ++ target_attr, ++ trim_url(middle), ++ ) ++ ++ if ( ++ "@" in middle ++ and not middle.startswith("www.") ++ and ":" not in middle ++ and re.match(r"^\S@\w[\w.-]*\.\w$", middle) ++ ): ++ middle = '%s' % (middle, middle) ++ ++ words[i] = head + middle + tail ++ + return u''.join(words) + + +-- +2.29.2 + diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec index 5bfee7c..e1cb83c 100644 --- a/SPECS/python-jinja2.spec +++ b/SPECS/python-jinja2.spec @@ -27,13 +27,19 @@ Name: python-jinja2 Version: 2.10.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: General purpose template engine Group: Development/Languages License: BSD URL: http://jinja.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz +# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +# The patch is rebased to the old project structure. +# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3 +# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707 +Patch0: CVE-2020-28493.patch + BuildArch: noarch %description @@ -108,6 +114,9 @@ environments. %prep %setup -qc -n Jinja2-%{version} + +%patch0 -p1 + # cleanup find Jinja2-%{version} -name '*.pyo' -o -name '*.pyc' -delete 
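Review bot: The rewritten e-mail check near the end of the hunk reads `re.match(r"^\S@\w[\w.-]*\.\w$", middle)`, which accepts only a one-character local part and a one-character top-level label, so an address like `user@example.com` would no longer be turned into a mailto link; the `_simple_email_re` that the hunk removes used `\S+` and `[a-zA-Z0-9._-]+`, and the upstream commit named in the spec uses `^\S+@\w[\w.-]*\.\w+$`. If the quantifiers are genuinely absent from the shipped patch rather than lost in this rendering, the line should be `and re.match(r"^\S+@\w[\w.-]*\.\w+$", middle)`, and a unit test for a multi-character address would catch it. The new comment above the tail match still says "Unlike lead" although that variable is now `head`; `# Unlike head, which is anchored to the start of the string,` keeps it accurate. The `endswith` guard limits but does not remove backtracking in `re.search(r"([)>.,\n]|>)+$", middle)` — a long run of trailing punctuation interrupted by one other character before the final one still appears to cost quadratic time, which matches upstream, so only a regression test with such an input is suggested. urlize() begins before this hunk; only its body is shown here.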
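Review bot: The comment block above the new `Patch0:` line stops at "due to the sub-pattern" without naming it, so a reader of the spec has to open the patch to learn which regex was the problem. The patch replaces the `_punctuation_re` lead/trail matching in urlize(), so `# CVE-2020-28493: ReDoS in the urlize filter via the _punctuation_re lead/trail sub-pattern` states it directly, and "ReDoS" is the usual spelling rather than "ReDOS". The %setup -qc layout and the patch's `a/Jinja2-2.10.1/jinja2/utils.py` paths are consistent with the `%patch0 -p1` added in the next hunk, so nothing else needs to change here.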
@@ -208,13 +217,17 @@ popd %changelog +* Fri Mar 12 2021 Lumír Balhar - 2.10.1-3 +- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +Resolves: rhbz#1928707 + * Tue Apr 30 2019 Lumír Balhar - 2.10.1-2 - Rebuild of package to go through gating -- Resolves: rhbz#1701300 +- Resolves: rhbz#1701301 * Thu Apr 25 2019 Lumír Balhar - 2.10.1-1 - Rebase to 2.10.1 (security update) to fix CVE-2019-10906 -- Resolves: rhbz#1701300 +- Resolves: rhbz#1701301 * Fri Nov 16 2018 Lumír Balhar - 2.10-9 - Require platform-python-setuptools instead of python3-setuptools