rpms/python-jinja2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI python-jinja2-2.11.3-6.el9

Browse Source
This commit is contained in:
eabdullin 2024-11-12 10:28:29 +00:00
parent 7bc9c238b3
commit 7610a99234
2 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
SOURCES/0004-CVE-2024-34064.patch Normal file
View File

@ -0,0 +1,77 @@
From 7597efd51e740313e7e1ad08c3600dc49ce3981d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Tue, 7 May 2024 14:56:46 +0200
Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
---
src/jinja2/filters.py | 18 +++++++++++++-----
tests/test_filters.py | 11 ++++++-----
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
index 49f7d39..6d4f348 100644
--- a/src/jinja2/filters.py
+++ b/src/jinja2/filters.py
@@ -205,15 +205,23 @@ def do_lower(s):
return soft_unicode(s).lower()
-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
@evalcontextfilter
def do_xmlattr(_eval_ctx, d, autospace=True):
"""Create an SGML/XML attribute string based on the items in a dict.
- If any key contains a space, this fails with a ``ValueError``. Values that
- are neither ``none`` nor ``undefined`` are automatically escaped.
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
+ escaped, safely allowing untrusted user input.
+
+ User input should not be used as **keys** to this filter. If any key
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+ sign, this fails with a ``ValueError``. Regardless of this, user input
+ should never be used as keys to this filter, or must be separately validated
+ first.
.. sourcecode:: html+jinja
@@ -239,8 +247,8 @@ def do_xmlattr(_eval_ctx, d, autospace=True):
if value is None or isinstance(value, Undefined):
continue
- if _space_re.search(key) is not None:
- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+ if _attr_key_re.search(key) is not None:
+ raise ValueError(f"Invalid character in attribute name: {key!r}")
items.append(f'{escape(key)}="{escape(value)}"')
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 6e697f3..f0dc1b1 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -440,11 +440,12 @@ class TestFilter(object):
assert 'bar="23"' in out
assert 'blub:blub="&lt;?&gt;"' in out
- def test_xmlattr_key_with_spaces(self, env):
- with pytest.raises(ValueError, match="Spaces are not allowed"):
- env.from_string(
- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
- ).render()
+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
+ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
+ with pytest.raises(ValueError, match="Invalid character"):
+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
+ key=f"class{sep}onclick=alert(1)"
+ )
def test_sort1(self, env):
tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
--
2.45.0

10
SPECS/python-jinja2.spec
View File

@ -2,7 +2,7 @@
Name: python-jinja2 Name: python-jinja2
Version: 2.11.3 Version: 2.11.3
Release: 5%{?dist} Release: 6%{?dist}
Summary: General purpose template engine Summary: General purpose template engine
License: BSD License: BSD
URL: https://palletsprojects.com/p/jinja/ URL: https://palletsprojects.com/p/jinja/
@ -15,6 +15,10 @@ Patch2: 0002-native_concat-pass-only-strings-to-literal_eval.patch
# Resolved upstream: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 # Resolved upstream: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
Patch3: 0003-CVE-2024-22195.patch Patch3: 0003-CVE-2024-22195.patch
# Security fix for CVE-2024-34064
# Resolved upstream: https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
Patch4: 0004-CVE-2024-34064.patch
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
# Enable python3 build by default # Enable python3 build by default
%bcond_without python3 %bcond_without python3
@ -186,6 +190,10 @@ PYTHONPATH=$(pwd)/src %{__python3} -m pytest tests
%changelog %changelog
* Tue May 07 2024 Lumír Balhar <lbalhar@redhat.com> - 2.11.3-6
- Security fix for CVE-2024-34064
Resolves: RHEL-35653
* Tue Jan 30 2024 Charalampos Stratakis <cstratak@redhat.com> - 2.11.3-5 * Tue Jan 30 2024 Charalampos Stratakis <cstratak@redhat.com> - 2.11.3-5
- Security fix for CVE-2024-22195 - Security fix for CVE-2024-22195
Resolves: RHEL-21349 Resolves: RHEL-21349