diff --git a/SOURCES/0004-CVE-2024-34064.patch b/SOURCES/0004-CVE-2024-34064.patch new file mode 100644 index 0000000..0cfe296 --- /dev/null +++ b/SOURCES/0004-CVE-2024-34064.patch @@ -0,0 +1,77 @@ +From 7597efd51e740313e7e1ad08c3600dc49ce3981d Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Tue, 7 May 2024 14:56:46 +0200 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +--- + src/jinja2/filters.py | 18 +++++++++++++----- + tests/test_filters.py | 11 ++++++----- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py +index 49f7d39..6d4f348 100644 +--- a/src/jinja2/filters.py ++++ b/src/jinja2/filters.py +@@ -205,15 +205,23 @@ def do_lower(s): + return soft_unicode(s).lower() + + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + + @evalcontextfilter + def do_xmlattr(_eval_ctx, d, autospace=True): + """Create an SGML/XML attribute string based on the items in a dict. + +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -239,8 +247,8 @@ def do_xmlattr(_eval_ctx, d, autospace=True): + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/tests/test_filters.py b/tests/test_filters.py +index 6e697f3..f0dc1b1 100644 +--- a/tests/test_filters.py ++++ b/tests/test_filters.py +@@ -440,11 +440,12 @@ class TestFilter(object): + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") +-- +2.45.0 + diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec index c38bae4..73a2e15 100644 --- a/SPECS/python-jinja2.spec +++ b/SPECS/python-jinja2.spec @@ -2,7 +2,7 @@ Name: python-jinja2 Version: 2.11.3 -Release: 5%{?dist} +Release: 6%{?dist} Summary: General purpose template engine License: BSD URL: https://palletsprojects.com/p/jinja/ @@ -15,6 +15,10 @@ Patch2: 0002-native_concat-pass-only-strings-to-literal_eval.patch # Resolved upstream: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 Patch3: 0003-CVE-2024-22195.patch +# Security fix for CVE-2024-34064 +# Resolved upstream: https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb +Patch4: 0004-CVE-2024-34064.patch + %if 0%{?fedora} || 0%{?rhel} > 7 # Enable python3 build by default %bcond_without python3 @@ -186,6 +190,10 @@ PYTHONPATH=$(pwd)/src %{__python3} -m pytest tests %changelog +* Tue May 07 2024 Lumír Balhar - 2.11.3-6 +- Security fix for CVE-2024-34064 +Resolves: RHEL-35653 + * Tue Jan 30 2024 Charalampos Stratakis - 2.11.3-5 - Security fix for CVE-2024-22195 Resolves: RHEL-21349