rpms/python-jinja2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-jinja2-2.10.3-5.module+el8.5.0+10542+ba057329

Browse Source
This commit is contained in:
CentOS Sources 2021-11-09 04:54:00 -05:00 committed by Stepan Oksanichenko
parent da6440ff05
commit 927b107512
2 changed files with 145 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
SOURCES/CVE-2020-28493.patch Normal file
View File

@ -0,0 +1,133 @@
From 42d67347988a9d09b940d550f1ffa32a8d7e43b2 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 12 Mar 2021 16:04:15 +0100
Subject: [PATCH] CVE-2020-28493
---
jinja2/utils.py | 94 +++++++++++++++++++++++++++++--------------------
1 file changed, 56 insertions(+), 38 deletions(-)
diff --git a/jinja2/utils.py b/jinja2/utils.py
index db9c5d0..6ab77f7 100644
--- a/jinja2/utils.py
+++ b/jinja2/utils.py
@@ -12,24 +12,12 @@ import re
import json
import errno
from collections import deque
+from string import ascii_letters as _letters
+from string import digits as _digits
from threading import Lock
from jinja2._compat import text_type, string_types, implements_iterator, \
url_quote, abc
-
-_word_split_re = re.compile(r'(\s+)')
-_punctuation_re = re.compile(
- '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
- '|'.join(map(re.escape, ('(', '<', '&lt;'))),
- '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '&gt;')))
- )
-)
-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
-_striptags_re = re.compile(r'(<!--.*?-->|<[^>]*>)')
-_entity_re = re.compile(r'&([^;]+);')
-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
-_digits = '0123456789'
-
# special singleton representing missing values for the runtime
missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
trim_url = lambda x, limit=trim_url_limit: limit is not None \
and (x[:limit] + (len(x) >=limit and '...'
or '')) or x
- words = _word_split_re.split(text_type(escape(text)))
+ words = re.split(r"(\s+)", text_type(escape(text)))
rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
target_attr = target and ' target="%s"' % escape(target) or ''
for i, word in enumerate(words):
- match = _punctuation_re.match(word)
+ head, middle, tail = "", word, ""
+ match = re.match(r"^([(<]|&lt;)+", middle)
+
if match:
- lead, middle, trail = match.groups()
- if middle.startswith('www.') or (
- '@' not in middle and
- not middle.startswith('http://') and
- not middle.startswith('https://') and
- len(middle) > 0 and
- middle[0] in _letters + _digits and (
- middle.endswith('.org') or
- middle.endswith('.net') or
- middle.endswith('.com')
- )):
- middle = '<a href="http://%s"%s%s>%s</a>' % (middle,
- rel_attr, target_attr, trim_url(middle))
- if middle.startswith('http://') or \
- middle.startswith('https://'):
- middle = '<a href="%s"%s%s>%s</a>' % (middle,
- rel_attr, target_attr, trim_url(middle))
- if '@' in middle and not middle.startswith('www.') and \
- not ':' in middle and _simple_email_re.match(middle):
- middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
- if lead + middle + trail != word:
- words[i] = lead + middle + trail
+ head = match.group()
+ middle = middle[match.end() :]
+
+ # Unlike lead, which is anchored to the start of the string,
+ # need to check that the string ends with any of the characters
+ # before trying to match all of them, to avoid backtracking.
+ if middle.endswith((")", ">", ".", ",", "\n", "&gt;")):
+ match = re.search(r"([)>.,\n]|&gt;)+$", middle)
+
+ if match:
+ tail = match.group()
+ middle = middle[: match.start()]
+
+ if middle.startswith("www.") or (
+ "@" not in middle
+ and not middle.startswith("http://")
+ and not middle.startswith("https://")
+ and len(middle) > 0
+ and middle[0] in _letters + _digits
+ and (
+ middle.endswith(".org")
+ or middle.endswith(".net")
+ or middle.endswith(".com")
+ )
+ ):
+ middle = '<a href="http://%s"%s%s>%s</a>' % (
+ middle,
+ rel_attr,
+ target_attr,
+ trim_url(middle),
+ )
+
+ if middle.startswith("http://") or middle.startswith("https://"):
+ middle = '<a href="%s"%s%s>%s</a>' % (
+ middle,
+ rel_attr,
+ target_attr,
+ trim_url(middle),
+ )
+
+ if (
+ "@" in middle
+ and not middle.startswith("www.")
+ and ":" not in middle
+ and re.match(r"^\S@\w[\w.-]*\.\w$", middle)
+ ):
+ middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
+
+ words[i] = head + middle + tail
+
return u''.join(words)
--
2.29.2

14
SPECS/python-jinja2.spec
View File

@ -2,12 +2,18 @@
Name: python-jinja2
Version: 2.10.3
Release: 4%{?dist}
Release: 5%{?dist}
Summary: General purpose template engine
License: BSD
URL: http://jinja.pocoo.org/
Source0: %{pypi_source}
# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
# The patch is rebased to the old project structure.
# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707
Patch0: CVE-2020-28493.patch
%if 0%{?fedora} || 0%{?rhel} > 7
# Enable python3 build by default
%bcond_without python3
@ -110,7 +116,7 @@ environments.
%prep
%autosetup -n %{srcname}-%{version}
%autosetup -p1 -n %{srcname}-%{version}
# cleanup
find . -name '*.pyo' -o -name '*.pyc' -delete
@ -185,6 +191,10 @@ rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py
%changelog
* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-5
- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
Resolves: rhbz#1928707
* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.10.3-4
- Exclude unsupported i686 arch