From 45ab5ff1ce8c69af739d64563672eb636673a09f Mon Sep 17 00:00:00 2001
From: Adam Samalik
Date: Fri, 5 May 2023 22:33:40 +0200
Subject: [PATCH] import sources

---
 .gitignore | 1 +
 CVE-2020-28493.patch | 133 +++++++++++++
 python-jinja2.spec | 431 +++++++++++++++++++++++++++++++++++++++++++
 sources | 1 +
 4 files changed, 566 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 CVE-2020-28493.patch
 create mode 100644 python-jinja2.spec
 create mode 100644 sources

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a07ad09
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/Jinja2-2.10.3.tar.gz
diff --git a/CVE-2020-28493.patch b/CVE-2020-28493.patch
new file mode 100644
index 0000000..bec09e2
--- /dev/null
+++ b/CVE-2020-28493.patch
@@ -0,0 +1,133 @@ +From 42d67347988a9d09b940d550f1ffa32a8d7e43b2 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 12 Mar 2021 16:04:15 +0100 +Subject: [PATCH] CVE-2020-28493 + +--- + jinja2/utils.py | 94 +++++++++++++++++++++++++++++-------------------- + 1 file changed, 56 insertions(+), 38 deletions(-) + +diff --git a/jinja2/utils.py b/jinja2/utils.py +index db9c5d0..6ab77f7 100644 +--- a/jinja2/utils.py ++++ b/jinja2/utils.py +@@ -12,24 +12,12 @@ import re + import json + import errno + from collections import deque ++from string import ascii_letters as _letters ++from string import digits as _digits + from threading import Lock + from jinja2._compat import text_type, string_types, implements_iterator, \ + url_quote, abc + +- +-_word_split_re = re.compile(r'(\s+)') +-_punctuation_re = re.compile( +- '^(?P(?:%s)*)(?P.*?)(?P(?:%s)*)$' % ( +- '|'.join(map(re.escape, ('(', '<', '<'))), +- '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '>'))) +- ) +-) +-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$') +-_striptags_re = re.compile(r'(|<[^>]*>)') +-_entity_re = re.compile(r'&([^;]+);') +-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' +-_digits = '0123456789' +- + # special singleton representing missing values for the runtime + missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})() + +@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None): + trim_url = lambda x, limit=trim_url_limit: limit is not None \ + and (x[:limit] + (len(x) >=limit and '...' 
+ or '')) or x +- words = _word_split_re.split(text_type(escape(text))) ++ words = re.split(r"(\s+)", text_type(escape(text))) + rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or '' + target_attr = target and ' target="%s"' % escape(target) or '' + + for i, word in enumerate(words): +- match = _punctuation_re.match(word) ++ head, middle, tail = "", word, "" ++ match = re.match(r"^([(<]|<)+", middle) ++ + if match: +- lead, middle, trail = match.groups() +- if middle.startswith('www.') or ( +- '@' not in middle and +- not middle.startswith('http://') and +- not middle.startswith('https://') and +- len(middle) > 0 and +- middle[0] in _letters + _digits and ( +- middle.endswith('.org') or +- middle.endswith('.net') or +- middle.endswith('.com') +- )): +- middle = '%s' % (middle, +- rel_attr, target_attr, trim_url(middle)) +- if middle.startswith('http://') or \ +- middle.startswith('https://'): +- middle = '%s' % (middle, +- rel_attr, target_attr, trim_url(middle)) +- if '@' in middle and not middle.startswith('www.') and \ +- not ':' in middle and _simple_email_re.match(middle): +- middle = '%s' % (middle, middle) +- if lead + middle + trail != word: +- words[i] = lead + middle + trail ++ head = match.group() ++ middle = middle[match.end() :] ++ ++ # Unlike lead, which is anchored to the start of the string, ++ # need to check that the string ends with any of the characters ++ # before trying to match all of them, to avoid backtracking. 
++ if middle.endswith((")", ">", ".", ",", "\n", ">")): ++ match = re.search(r"([)>.,\n]|>)+$", middle) ++ ++ if match: ++ tail = match.group() ++ middle = middle[: match.start()] ++ ++ if middle.startswith("www.") or ( ++ "@" not in middle ++ and not middle.startswith("http://") ++ and not middle.startswith("https://") ++ and len(middle) > 0 ++ and middle[0] in _letters + _digits ++ and ( ++ middle.endswith(".org") ++ or middle.endswith(".net") ++ or middle.endswith(".com") ++ ) ++ ): ++ middle = '%s' % ( ++ middle, ++ rel_attr, ++ target_attr, ++ trim_url(middle), ++ ) ++ ++ if middle.startswith("http://") or middle.startswith("https://"): ++ middle = '%s' % ( ++ middle, ++ rel_attr, ++ target_attr, ++ trim_url(middle), ++ ) ++ ++ if ( ++ "@" in middle ++ and not middle.startswith("www.") ++ and ":" not in middle ++ and re.match(r"^\S@\w[\w.-]*\.\w$", middle) ++ ): ++ middle = '%s' % (middle, middle) ++ ++ words[i] = head + middle + tail ++ + return u''.join(words) + + +-- +2.29.2 + diff --git a/python-jinja2.spec b/python-jinja2.spec new file mode 100644 index 0000000..a6a27dc --- /dev/null +++ b/python-jinja2.spec 
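Review bot: The e-mail check in the rebased urlize reads `re.match(r"^\S@\w[\w.-]*\.\w$", middle)` as carried here, which would accept only a one-character local part and a one-character final label, whereas the upstream commit this patch is rebased from uses `re.match(r"^\S+@\w[\w.-]*\.\w+$", middle)`; if the `+` quantifiers were lost only in this rendering nothing is needed, otherwise the patch file should be diffed against upstream and corrected before it ships. Independently, the diffstat shows the patch touches only jinja2/utils.py and carries no regression test, so the spec's `%check` pytest run cannot distinguish a mis-applied hunk from a correct backport; carrying the urlize test case(s) from the upstream pull request into tests/ would make the fix verifiable at build time. The patch also deletes the module-level `_word_split_re`, `_punctuation_re`, `_simple_email_re`, `_striptags_re` and `_entity_re` names; they are private, but since the upstream change targeted a different source layout it is worth grepping the 2.10.3 tree (filters.py, ext/) to confirm nothing else still references them. The `urlize` definition begins before the inner hunk's first line, so the `trim_url`/`rel_attr` setup it relies on is not visible here.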
@@ -0,0 +1,431 @@ +%global srcname Jinja2 + +Name: python-jinja2 +Version: 2.10.3 +Release: 5%{?dist} +Summary: General purpose template engine +License: BSD +URL: http://jinja.pocoo.org/ +Source0: %{pypi_source} + +# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +# The patch is rebased to the old project structure. +# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3 +# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707 +Patch0: CVE-2020-28493.patch + +%if 0%{?fedora} || 0%{?rhel} > 7 +# Enable python3 build by default +%bcond_without python3 +%else +%bcond_with python3 +%endif + +%if 0%{?rhel} > 7 +# Disable python2 build by default +%bcond_with python2 +%else +%bcond_without python2 +%endif + +# Enable building without docs to avoid a circular dependency between this +# and python-sphinx: +%bcond_with docs + +%if 0%{?fedora} || 0%{?rhel} > 7 +%bcond_without async +%else +%bcond_with async +%endif + +BuildArch: noarch +# Exclude i686 arch. Due to a modularity issue it's being added to the +# x86_64 compose of CRB, but we don't want to ship it at all. +# See: https://projects.engineering.redhat.com/browse/RCM-72605 +ExcludeArch: i686 + +%description +Jinja2 is a template engine written in pure Python. It provides a +Django inspired non-XML syntax but supports inline expressions and an +optional sandboxed environment. + +If you have any exposure to other text-based template languages, such +as Smarty or Django, you should feel right at home with Jinja2. It's +both designer and developer friendly by sticking to Python's +principles and adding functionality useful for templating +environments. 
+ + +%if %{with python2} +%package -n python2-jinja2 +Summary: General purpose template engine for python2 +BuildRequires: python2-devel +BuildRequires: python2-setuptools +BuildRequires: python2-babel >= 0.8 +BuildRequires: python2-markupsafe >= 0.23 +Requires: python2-babel >= 0.8 +Requires: python2-markupsafe >= 0.23 +Requires: python2-setuptools +%{?python_provide:%python_provide python2-jinja2} + +%description -n python2-jinja2 +Jinja2 is a template engine written in pure Python. It provides a +Django inspired non-XML syntax but supports inline expressions and an +optional sandboxed environment. + +If you have any exposure to other text-based template languages, such +as Smarty or Django, you should feel right at home with Jinja2. It's +both designer and developer friendly by sticking to Python's +principles and adding functionality useful for templating +environments. +%endif # with python2 + + +%if %{with python3} +%package -n python%{python3_pkgversion}-jinja2 +Summary: General purpose template engine for python3 +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-babel >= 0.8 +BuildRequires: python%{python3_pkgversion}-markupsafe >= 0.23 +BuildRequires: python%{python3_pkgversion}-pytest +BuildRequires: python%{python3_pkgversion}-rpm-macros +%if %{with docs} +BuildRequires: %{_bindir}/sphinx-build-3.8 +BuildRequires: make +BuildRequires: python%{python3_pkgversion}-Pallets-Sphinx-Themes +BuildRequires: python%{python3_pkgversion}-sphinxcontrib-log-cabinet +BuildRequires: python%{python3_pkgversion}-sphinx-issues +%endif +Requires: python%{python3_pkgversion}-babel >= 0.8 +Requires: python%{python3_pkgversion}-markupsafe >= 0.23 +Requires: python%{python3_pkgversion}-setuptools +%{?python_provide:%python_provide python%{python3_pkgversion}-jinja2} + +%description -n python%{python3_pkgversion}-jinja2 +Jinja2 is a template engine written in pure Python. 
It provides a +Django inspired non-XML syntax but supports inline expressions and an +optional sandboxed environment. + +If you have any exposure to other text-based template languages, such +as Smarty or Django, you should feel right at home with Jinja2. It's +both designer and developer friendly by sticking to Python's +principles and adding functionality useful for templating +environments. +%endif # with python3 + + +%prep +%autosetup -p1 -n %{srcname}-%{version} + +# cleanup +find . -name '*.pyo' -o -name '*.pyc' -delete + +%build +%if %{with python2} +%py2_build +%endif # with python2 + +%if %{with python3} +%py3_build +%if %{with docs} +make -C docs html PYTHONPATH=$(pwd) SPHINXBUILD=sphinx-build-3 +# remove hidden file +rm -rf docs/_build/html/.buildinfo +%endif # with docs +%endif # with python3 + + +%install +%if %{with python2} +%py2_install + +# these files are valid only on Python 3.6+ +rm %{buildroot}%{python2_sitelib}/jinja2/asyncsupport.py +rm %{buildroot}%{python2_sitelib}/jinja2/asyncfilters.py +%endif # with python2 + +%if %{with python3} +%py3_install + +%if ! %{with async} +# these files are valid only on Python 3.6+ +rm %{buildroot}%{python3_sitelib}/jinja2/asyncsupport.py +rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py +%endif # ! 
with async +%endif # with python3 + + +%check +%if %{with python3} +%{__python3} -m pytest tests +%endif # with python3 + + +%if %{with python2} +%files -n python2-jinja2 +%doc CHANGES.rst +%doc ext +%doc examples +%license LICENSE.rst +%if %{with docs} +%doc docs/_build/html +%endif +%{python2_sitelib}/jinja2 +%{python2_sitelib}/Jinja2-%{version}-py?.?.egg-info +%endif # with python2 + + +%if %{with python3} +%files -n python%{python3_pkgversion}-jinja2 +%doc CHANGES.rst +%doc ext +%doc examples +%license LICENSE.rst +%if %{with docs} +%doc docs/_build/html +%endif +%{python3_sitelib}/jinja2 +%{python3_sitelib}/Jinja2-%{version}-py?.?.egg-info +%endif # with python3 + + +%changelog +* Fri Mar 12 2021 Lumír Balhar - 2.10.3-5 +- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +Resolves: rhbz#1928707 + +* Fri Dec 13 2019 Tomas Orsava - 2.10.3-4 +- Exclude unsupported i686 arch + +* Wed Nov 20 2019 Lumír Balhar - 2.10.3-3 +- Adjusted for Python 3.8 module in RHEL 8 + +* Wed Nov 20 2019 Thomas Moschny - 2.10.3-2 +- Add missing BR on make. + +* Mon Nov 11 2019 Lumír Balhar - 2.10.3-1 +- New upstream version (2.10.3) + +* Thu Oct 03 2019 Miro Hrončok - 2.10.1-5 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Sat Aug 17 2019 Miro Hrončok - 2.10.1-4 +- Rebuilt for Python 3.8 + +* Thu Aug 15 2019 Miro Hrončok - 2.10.1-3 +- Bootstrap for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.10.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Apr 10 2019 Thomas Moschny - 2.10.1-1 +- Update to 2.10.1. +- Update specfile. 
+ +* Wed Feb 27 2019 Phil Wyett - 2.10-8 +- Fix FTBS due to bad conditional +- Add version requirement for markupsafe + +* Sat Feb 02 2019 Fedora Release Engineering - 2.10-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 2.10-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jun 18 2018 Miro Hrončok - 2.10-5 +- Rebuilt for Python 3.7 + +* Thu Jun 14 2018 Miro Hrončok - 2.10-4 +- Bootstrap for Python 3.7 + +* Mon Apr 16 2018 Charalampos Stratakis - 2.10-3 +- Don't build the Python 2 subpackage on EL > 7 + +* Fri Feb 09 2018 Fedora Release Engineering - 2.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Nov 16 2017 Thomas Moschny - 2.10-1 +- Update to 2.10. +- Use %%bcond. +- Move BRs to their respective subpackages. + +* Fri Oct 20 2017 Troy Dawson - 2.9.6-4 +- Really cleanup spec file conditionals + +* Fri Sep 29 2017 Troy Dawson - 2.9.6-3 +- Cleanup spec file conditionals + +* Thu Jul 27 2017 Fedora Release Engineering - 2.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Apr 5 2017 Thomas Moschny - 2.9.6-1 +- Update to 2.9.6. + +* Sat Feb 11 2017 Fedora Release Engineering - 2.9.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun Jan 29 2017 Thomas Moschny - 2.9.5-1 +- Update to 2.9.5. + +* Fri Jan 13 2017 Thomas Moschny - 2.9.4-1 +- Update to 2.9.4. + +* Sat Dec 31 2016 Thomas Moschny - 2.8.1-1 +- Update to 2.8.1. + +* Fri Dec 09 2016 Charalampos Stratakis - 2.8-8 +- Rebuild for Python 3.6 + +* Thu Sep 22 2016 Orion Poplawski - 2.8-7 +- Ship python2-jinja2 (bug #1378519) +- Modernize spec + +* Tue Jul 19 2016 Fedora Release Engineering - 2.8-6 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Fri Feb 5 2016 Thomas Moschny - 2.8-5 +- Do not call py.test, there are currently no tests in the tarball. 
+ +* Thu Feb 04 2016 Fedora Release Engineering - 2.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Oct 12 2015 Robert Kuska - 2.8-3 +- Rebuilt for Python3.5 rebuild + +* Mon Jul 27 2015 Thomas Moschny - 2.8-2 +- Apply updates Python packaging guidelines. +- Mark LICENSE with %%license. + +* Sun Jul 26 2015 Haïkel Guémar - 2.8-1 +- Upstream 2.8 + +* Thu Jun 18 2015 Fedora Release Engineering - 2.7.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Dec 2 2014 Orion Poplawski - 2.7.3-2 +- Add Requires python(3)-setuptools (bug #1168774) + +* Sat Jun 7 2014 Thomas Moschny - 2.7.3-1 +- Update to 2.7.3. +- Reenable docs. + +* Sat May 10 2014 Orion Poplawski - 2.7.2-2 +- Bootstrap (without docs) build for Python 3.4 + +* Fri Jan 10 2014 Thomas Moschny - 2.7.2-1 +- Update to 2.7.2. +- Update python3 conditional. + +* Fri Aug 16 2013 Thomas Moschny - 2.7.1-1 +- Update to 2.7.1. + +* Thu Jul 25 2013 Orion Poplawski - 2.7-1 +- Update to 2.7 +- spec cleanup + +* Thu Feb 14 2013 Fedora Release Engineering - 2.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sat Aug 04 2012 David Malcolm - 2.6-5 +- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 + +* Fri Aug 3 2012 David Malcolm - 2.6-4 +- remove rhel logic from with_python3 conditional + +* Sat Jul 21 2012 Fedora Release Engineering - 2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Fedora Release Engineering - 2.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Jul 25 2011 Thomas Moschny - 2.6-1 +- Update to 2.6. + +* Tue Feb 08 2011 Fedora Release Engineering - 2.5.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 18 2011 Thomas Moschny - 2.5.5-3 +- Re-enable html doc generation. +- Remove conditional for F-12 and below. +- Do not silently fail the testsuite for with py3k. 
+ +* Mon Nov 1 2010 Michel Salim - 2.5.5-2 +- Move python3 runtime requirements to python3 subpackage + +* Wed Oct 27 2010 Thomas Moschny - 2.5.5-1 +- Update to 2.5.5. + +* Wed Aug 25 2010 Thomas Moschny - 2.5.2-4 +- Revert to previous behavior: fail the build on failed test. +- Rebuild for Python 3.2. + +* Wed Aug 25 2010 Dan Horák - 2.5.2-3 +- %%ifnarch doesn't work on noarch package so don't fail the build on failed tests + +* Wed Aug 25 2010 Dan Horák - 2.5.2-2 +- disable the testsuite on s390(x) + +* Thu Aug 19 2010 Thomas Moschny - 2.5.2-1 +- Update to upstream version 2.5.2. +- Package depends on python-markupsafe and is noarch now. + +* Thu Jul 22 2010 David Malcolm - 2.5-4 +- add explicit build-requirement on python-setuptools +- fix doc disablement for python3 subpackage + +* Thu Jul 22 2010 David Malcolm - 2.5-3 +- support disabling documentation in the build to break a circular build-time +dependency with python-sphinx; disable docs for now + +* Thu Jul 22 2010 David Malcolm - 2.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Tue Jul 13 2010 Thomas Moschny - 2.5-1 +- Update to upstream version 2.5. +- Create python3 subpackage. +- Minor specfile fixes. +- Add examples directory. +- Thanks to Gareth Armstrong for additional hints. + +* Wed Apr 21 2010 Thomas Moschny - 2.4.1-1 +- Update to 2.4.1. + +* Tue Apr 13 2010 Thomas Moschny - 2.4-1 +- Update to 2.4. + +* Tue Feb 23 2010 Thomas Moschny - 2.3.1-1 +- Update to 2.3.1. +- Docs are built using Sphinx now. +- Run the testsuite. + +* Sat Sep 19 2009 Thomas Moschny - 2.2.1-1 +- Update to 2.2.1, mainly a bugfix release. +- Remove patch no longer needed. +- Remove conditional for FC-8. +- Compilation of speedup module has to be explicitly requested now. 
+ +* Sun Jul 26 2009 Fedora Release Engineering - 2.1.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 26 2009 Fedora Release Engineering - 2.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Jan 10 2009 Thomas Moschny - 2.1.1-1 +- Update to 2.1.1 (bugfix release). + +* Thu Dec 18 2008 Thomas Moschny - 2.1-1 +- Update to 2.1, which fixes a number of bugs. + See http://jinja.pocoo.org/2/documentation/changelog#version-2-1. + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0-3 +- Rebuild for Python 2.6 + +* Tue Jul 22 2008 Thomas Moschny - 2.0-2 +- Use rpm buildroot macro instead of RPM_BUILD_ROOT. + +* Sun Jul 20 2008 Thomas Moschny - 2.0-1 +- Upstream released 2.0. + +* Sun Jun 29 2008 Thomas Moschny - 2.0-0.1.rc1 +- Modified specfile from the existing python-jinja package. diff --git a/sources b/sources new file mode 100644 index 0000000..c8153cb --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (Jinja2-2.10.3.tar.gz) = c51c335450f46a467b0d40de1a51c149bdb4eb961ea888b64ff141e11b592b32e05040bfd9aa4a39892dda8d9d8cbf5a35b386ea16a247484d31b5b52eda1b8f
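Review bot: `%check` runs pytest only inside `%if %{with python3}`, so wherever the bconds enable the python2 subpackage (Fedora and EL7 per the conditionals above) python2-jinja2 — which receives the CVE-2020-28493 patch through the same `%autosetup -p1` — is shipped without any test run; a matching `%if %{with python2}` / `%{__python2} -m pytest tests` / `%endif` block would close that gap. With docs enabled the spec also BuildRequires `%{_bindir}/sphinx-build-3.8` but invokes `make -C docs html PYTHONPATH=$(pwd) SPHINXBUILD=sphinx-build-3`, so the build only succeeds when the unversioned wrapper happens to be present; use the same name in both places, e.g. `SPHINXBUILD=sphinx-build-3.8`. Finally, the Patch0 comment should state the practical impact and the rebase condition so a later maintainer knows when it can be dropped, e.g. `# CVE-2020-28493: catastrophic regex backtracking (ReDoS) in urlize() on attacker-controlled text; drop once rebased to a release carrying the upstream fix (2.11.3+)`.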