import python-jinja2-2.11.3-1.module+el8.7.0+15575+d005caff
This commit is contained in:
parent
927b107512
commit
b530fcfc02
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/Jinja2-2.10.3.tar.gz
|
||||
SOURCES/Jinja2-2.11.3.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
fbb6a03ad01b766d816650147d1fccfc145de9e0 SOURCES/Jinja2-2.10.3.tar.gz
|
||||
034173d87c9c5d1c2000f337be45b582dc0eb172 SOURCES/Jinja2-2.11.3.tar.gz
|
||||
|
@ -1,133 +0,0 @@
|
||||
From 42d67347988a9d09b940d550f1ffa32a8d7e43b2 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Fri, 12 Mar 2021 16:04:15 +0100
|
||||
Subject: [PATCH] CVE-2020-28493
|
||||
|
||||
---
|
||||
jinja2/utils.py | 94 +++++++++++++++++++++++++++++--------------------
|
||||
1 file changed, 56 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/jinja2/utils.py b/jinja2/utils.py
|
||||
index db9c5d0..6ab77f7 100644
|
||||
--- a/jinja2/utils.py
|
||||
+++ b/jinja2/utils.py
|
||||
@@ -12,24 +12,12 @@ import re
|
||||
import json
|
||||
import errno
|
||||
from collections import deque
|
||||
+from string import ascii_letters as _letters
|
||||
+from string import digits as _digits
|
||||
from threading import Lock
|
||||
from jinja2._compat import text_type, string_types, implements_iterator, \
|
||||
url_quote, abc
|
||||
|
||||
-
|
||||
-_word_split_re = re.compile(r'(\s+)')
|
||||
-_punctuation_re = re.compile(
|
||||
- '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
|
||||
- '|'.join(map(re.escape, ('(', '<', '<'))),
|
||||
- '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '>')))
|
||||
- )
|
||||
-)
|
||||
-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
|
||||
-_striptags_re = re.compile(r'(<!--.*?-->|<[^>]*>)')
|
||||
-_entity_re = re.compile(r'&([^;]+);')
|
||||
-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
|
||||
-_digits = '0123456789'
|
||||
-
|
||||
# special singleton representing missing values for the runtime
|
||||
missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
|
||||
|
||||
@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
|
||||
trim_url = lambda x, limit=trim_url_limit: limit is not None \
|
||||
and (x[:limit] + (len(x) >=limit and '...'
|
||||
or '')) or x
|
||||
- words = _word_split_re.split(text_type(escape(text)))
|
||||
+ words = re.split(r"(\s+)", text_type(escape(text)))
|
||||
rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
|
||||
target_attr = target and ' target="%s"' % escape(target) or ''
|
||||
|
||||
for i, word in enumerate(words):
|
||||
- match = _punctuation_re.match(word)
|
||||
+ head, middle, tail = "", word, ""
|
||||
+ match = re.match(r"^([(<]|<)+", middle)
|
||||
+
|
||||
if match:
|
||||
- lead, middle, trail = match.groups()
|
||||
- if middle.startswith('www.') or (
|
||||
- '@' not in middle and
|
||||
- not middle.startswith('http://') and
|
||||
- not middle.startswith('https://') and
|
||||
- len(middle) > 0 and
|
||||
- middle[0] in _letters + _digits and (
|
||||
- middle.endswith('.org') or
|
||||
- middle.endswith('.net') or
|
||||
- middle.endswith('.com')
|
||||
- )):
|
||||
- middle = '<a href="http://%s"%s%s>%s</a>' % (middle,
|
||||
- rel_attr, target_attr, trim_url(middle))
|
||||
- if middle.startswith('http://') or \
|
||||
- middle.startswith('https://'):
|
||||
- middle = '<a href="%s"%s%s>%s</a>' % (middle,
|
||||
- rel_attr, target_attr, trim_url(middle))
|
||||
- if '@' in middle and not middle.startswith('www.') and \
|
||||
- not ':' in middle and _simple_email_re.match(middle):
|
||||
- middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
|
||||
- if lead + middle + trail != word:
|
||||
- words[i] = lead + middle + trail
|
||||
+ head = match.group()
|
||||
+ middle = middle[match.end() :]
|
||||
+
|
||||
+ # Unlike lead, which is anchored to the start of the string,
|
||||
+ # need to check that the string ends with any of the characters
|
||||
+ # before trying to match all of them, to avoid backtracking.
|
||||
+ if middle.endswith((")", ">", ".", ",", "\n", ">")):
|
||||
+ match = re.search(r"([)>.,\n]|>)+$", middle)
|
||||
+
|
||||
+ if match:
|
||||
+ tail = match.group()
|
||||
+ middle = middle[: match.start()]
|
||||
+
|
||||
+ if middle.startswith("www.") or (
|
||||
+ "@" not in middle
|
||||
+ and not middle.startswith("http://")
|
||||
+ and not middle.startswith("https://")
|
||||
+ and len(middle) > 0
|
||||
+ and middle[0] in _letters + _digits
|
||||
+ and (
|
||||
+ middle.endswith(".org")
|
||||
+ or middle.endswith(".net")
|
||||
+ or middle.endswith(".com")
|
||||
+ )
|
||||
+ ):
|
||||
+ middle = '<a href="http://%s"%s%s>%s</a>' % (
|
||||
+ middle,
|
||||
+ rel_attr,
|
||||
+ target_attr,
|
||||
+ trim_url(middle),
|
||||
+ )
|
||||
+
|
||||
+ if middle.startswith("http://") or middle.startswith("https://"):
|
||||
+ middle = '<a href="%s"%s%s>%s</a>' % (
|
||||
+ middle,
|
||||
+ rel_attr,
|
||||
+ target_attr,
|
||||
+ trim_url(middle),
|
||||
+ )
|
||||
+
|
||||
+ if (
|
||||
+ "@" in middle
|
||||
+ and not middle.startswith("www.")
|
||||
+ and ":" not in middle
|
||||
+ and re.match(r"^\S@\w[\w.-]*\.\w$", middle)
|
||||
+ ):
|
||||
+ middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
|
||||
+
|
||||
+ words[i] = head + middle + tail
|
||||
+
|
||||
return u''.join(words)
|
||||
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,18 +1,13 @@
|
||||
%global srcname Jinja2
|
||||
|
||||
Name: python-jinja2
|
||||
Version: 2.10.3
|
||||
Release: 5%{?dist}
|
||||
Version: 2.11.3
|
||||
Release: 1%{?dist}
|
||||
Summary: General purpose template engine
|
||||
License: BSD
|
||||
URL: http://jinja.pocoo.org/
|
||||
URL: https://palletsprojects.com/p/jinja/
|
||||
Source0: %{pypi_source}
|
||||
|
||||
# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
|
||||
# The patch is rebased to the old project structure.
|
||||
# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
|
||||
# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707
|
||||
Patch0: CVE-2020-28493.patch
|
||||
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
# Enable python3 build by default
|
||||
@ -158,7 +153,7 @@ rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py
|
||||
|
||||
%check
|
||||
%if %{with python3}
|
||||
%{__python3} -m pytest tests
|
||||
PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
|
||||
%endif # with python3
|
||||
|
||||
|
||||
@ -191,6 +186,12 @@ rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri May 20 2022 Maxwell G <gotmax@e.email> - 2.11.3-1
|
||||
- Update to 2.11.3.
|
||||
- Fix URL.
|
||||
- Remove patch that is included in this release.
|
||||
Resolves: rhbz#2086141.
|
||||
|
||||
* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-5
|
||||
- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
|
||||
Resolves: rhbz#1928707
|
||||
|
Loading…
Reference in New Issue
Block a user