.gitignore

@@ -1 +1 @@
-SOURCES/Jinja2-2.11.3.tar.gz
+SOURCES/Jinja2-2.10.1.tar.gz

.python-jinja2.metadata

@@ -1 +1 @@
-034173d87c9c5d1c2000f337be45b582dc0eb172 SOURCES/Jinja2-2.11.3.tar.gz
+896a71a32336487edf1216d5d73dd3b26c4d7431 SOURCES/Jinja2-2.10.1.tar.gz

SOURCES/CVE-2020-28493.patch

@@ -0,0 +1,133 @@
+From 2b76a5a3aa898fd1621c72c6da935cddfb484424 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 12 Mar 2021 14:34:06 +0100
+Subject: [PATCH] CVE-2020-28493
+
+---
+ Jinja2-2.10.1/jinja2/utils.py | 94 +++++++++++++++++++++--------------
+ 1 file changed, 56 insertions(+), 38 deletions(-)
+
+diff --git a/Jinja2-2.10.1/jinja2/utils.py b/Jinja2-2.10.1/jinja2/utils.py
+index 502a311..25dd78f 100644
+--- a/Jinja2-2.10.1/jinja2/utils.py
++++ b/Jinja2-2.10.1/jinja2/utils.py
+@@ -12,24 +12,12 @@ import re
+ import json
+ import errno
+ from collections import deque
++from string import ascii_letters as _letters
++from string import digits as _digits
+ from threading import Lock
+ from jinja2._compat import text_type, string_types, implements_iterator, \
+      url_quote
+ 
+-
+-_word_split_re = re.compile(r'(\s+)')
+-_punctuation_re = re.compile(
+-    '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
+-        '|'.join(map(re.escape, ('(', '<', '&lt;'))),
+-        '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '&gt;')))
+-    )
+-)
+-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
+-_striptags_re = re.compile(r'(<!--.*?-->|<[^>]*>)')
+-_entity_re = re.compile(r'&([^;]+);')
+-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-_digits = '0123456789'
+-
+ # special singleton representing missing values for the runtime
+ missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
+ 
+@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
+     trim_url = lambda x, limit=trim_url_limit: limit is not None \
+                          and (x[:limit] + (len(x) >=limit and '...'
+                          or '')) or x
+-    words = _word_split_re.split(text_type(escape(text)))
++    words = re.split(r"(\s+)", text_type(escape(text)))
+     rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
+     target_attr = target and ' target="%s"' % escape(target) or ''
+ 
+     for i, word in enumerate(words):
+-        match = _punctuation_re.match(word)
++        head, middle, tail = "", word, ""
++        match = re.match(r"^([(<]|&lt;)+", middle)
++
+         if match:
+-            lead, middle, trail = match.groups()
+-            if middle.startswith('www.') or (
+-                '@' not in middle and
+-                not middle.startswith('http://') and
+-                not middle.startswith('https://') and
+-                len(middle) > 0 and
+-                middle[0] in _letters + _digits and (
+-                    middle.endswith('.org') or
+-                    middle.endswith('.net') or
+-                    middle.endswith('.com')
+-                )):
+-                middle = '<a href="http://%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if middle.startswith('http://') or \
+-               middle.startswith('https://'):
+-                middle = '<a href="%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if '@' in middle and not middle.startswith('www.') and \
+-               not ':' in middle and _simple_email_re.match(middle):
+-                middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
+-            if lead + middle + trail != word:
+-                words[i] = lead + middle + trail
++            head = match.group()
++            middle = middle[match.end() :]
++
++        # Unlike lead, which is anchored to the start of the string,
++        # need to check that the string ends with any of the characters
++        # before trying to match all of them, to avoid backtracking.
++        if middle.endswith((")", ">", ".", ",", "\n", "&gt;")):
++            match = re.search(r"([)>.,\n]|&gt;)+$", middle)
++
++            if match:
++                tail = match.group()
++                middle = middle[: match.start()]
++
++        if middle.startswith("www.") or (
++            "@" not in middle
++            and not middle.startswith("http://")
++            and not middle.startswith("https://")
++            and len(middle) > 0
++            and middle[0] in _letters + _digits
++            and (
++                middle.endswith(".org")
++                or middle.endswith(".net")
++                or middle.endswith(".com")
++            )
++        ):
++            middle = '<a href="http://%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if middle.startswith("http://") or middle.startswith("https://"):
++            middle = '<a href="%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if (
++            "@" in middle
++            and not middle.startswith("www.")
++            and ":" not in middle
++            and re.match(r"^\S@\w[\w.-]*\.\w$", middle)
++        ):
++            middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
++
++        words[i] = head + middle + tail
++
+     return u''.join(words)
+ 
+ 
+-- 
+2.29.2
+

SOURCES/CVE-2024-22195.patch

@@ -0,0 +1,77 @@
+From c4695c78dc41d206a6c79878dea177d6188896b4 Mon Sep 17 00:00:00 2001
+From: Calum Hutton <calum.hutton@snyk.io>
+Date: Thu, 26 Oct 2023 12:08:53 +0100
+Subject: [PATCH] xmlattr filter disallows keys with spaces
+
+---
+ Jinja2-2.10.1/jinja2/filters.py     | 26 +++++++++++++++++++-------
+ Jinja2-2.10.1/tests/test_filters.py |  6 ++++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/Jinja2-2.10.1/jinja2/filters.py b/Jinja2-2.10.1/jinja2/filters.py
+index 267dddd..d473058 100644
+--- a/Jinja2-2.10.1/jinja2/filters.py
++++ b/Jinja2-2.10.1/jinja2/filters.py
+@@ -150,11 +150,15 @@ def do_lower(s):
+     return soft_unicode(s).lower()
+ 
+ 
++_space_re = re.compile(r"\s", flags=re.ASCII)
++
++
+ @evalcontextfilter
+ def do_xmlattr(_eval_ctx, d, autospace=True):
+     """Create an SGML/XML attribute string based on the items in a dict.
+-    All values that are neither `none` nor `undefined` are automatically
+-    escaped:
++
++    If any key contains a space, this fails with a ``ValueError``. Values that
++    are neither ``none`` nor ``undefined`` are automatically escaped.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -174,11 +178,19 @@ def do_xmlattr(_eval_ctx, d, autospace=True):
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
+     """
+-    rv = u' '.join(
+-        u'%s="%s"' % (escape(key), escape(value))
+-        for key, value in iteritems(d)
+-        if value is not None and not isinstance(value, Undefined)
+-    )
++    items = []
++
++    for key, value in d.items():
++        if value is None or isinstance(value, Undefined):
++            continue
++
++        if _space_re.search(key) is not None:
++            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++
++        items.append(f'{escape(key)}="{escape(value)}"')
++
++    rv = " ".join(items)
++
+     if autospace and rv:
+         rv = u' ' + rv
+     if _eval_ctx.autoescape:
+diff --git a/Jinja2-2.10.1/tests/test_filters.py b/Jinja2-2.10.1/tests/test_filters.py
+index 8962ced..911d10a 100644
+--- a/Jinja2-2.10.1/tests/test_filters.py
++++ b/Jinja2-2.10.1/tests/test_filters.py
+@@ -389,6 +389,12 @@ class TestFilter(object):
+         assert 'bar="23"' in out
+         assert 'blub:blub="&lt;?&gt;"' in out
+ 
++    def test_xmlattr_key_with_spaces(self, env):
++        with pytest.raises(ValueError, match="Spaces are not allowed"):
++            env.from_string(
++                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
++            ).render()
++
+     def test_sort1(self, env):
+         tmpl = env.from_string(
+             '{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}')
+-- 
+2.43.0
+

SPECS/python-jinja2.spec

@@ -1,21 +1,3 @@
-%global srcname Jinja2
-
-Name:           python-jinja2
-Version:        2.11.3
-Release:        1%{?dist}
-Summary:        General purpose template engine
-License:        BSD
-URL:            https://palletsprojects.com/p/jinja/
-Source0:        %{pypi_source}
-
-
-%if 0%{?fedora} || 0%{?rhel} > 7
-# Enable python3 build by default
-%bcond_without python3
-%else
-%bcond_with python3
-%endif
-
 %if 0%{?rhel} > 7
 # Disable python2 build by default
 %bcond_with python2
@@ -23,21 +5,46 @@ Source0:        %{pypi_source}
 %bcond_without python2
 %endif
 
+%if 0%{?fedora} || 0%{?rhel} > 7
+%bcond_without python3
+%else
+%bcond_with python3
+%endif
+
 # Enable building without docs to avoid a circular dependency between this
 # and python-sphinx:
+%if %{with python3}
+%bcond_without docs
+%else
 %bcond_with docs
+%endif
 
-%if 0%{?fedora} || 0%{?rhel} > 7
+%if 0%{?fedora} > 25 || 0%{?rhel} > 7
 %bcond_without async
 %else
 %bcond_with async
 %endif
 
+Name:           python-jinja2
+Version:        2.10.1
+Release:        4%{?dist}
+Summary:        General purpose template engine
+Group:          Development/Languages
+License:        BSD
+URL:            http://jinja.pocoo.org/
+Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
+
+# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
+# The patch is rebased to the old project structure.
+# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707
+Patch0:         CVE-2020-28493.patch
+
+# Security fix for CVE-2024-22195
+# Resolved upstream: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
+Patch1:         CVE-2024-22195.patch
+
 BuildArch:      noarch
-# Exclude i686 arch. Due to a modularity issue it's being added to the
-# x86_64 compose of CRB, but we don't want to ship it at all.
-# See: https://projects.engineering.redhat.com/browse/RCM-72605
-ExcludeArch:    i686
 
 %description
 Jinja2 is a template engine written in pure Python.  It provides a
@@ -56,10 +63,9 @@ environments.
 Summary:        General purpose template engine for python2
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
-BuildRequires:  python2-babel >= 0.8
-BuildRequires:  python2-markupsafe >= 0.23
-Requires:       python2-babel >= 0.8
-Requires:       python2-markupsafe >= 0.23
+BuildRequires:  python2-markupsafe
+BuildRequires:  python2-pytest
+Requires:       python2-markupsafe
 Requires:       python2-setuptools
 %{?python_provide:%python_provide python2-jinja2}
 
@@ -77,27 +83,27 @@ environments.
 
 
 %if %{with python3}
-%package -n python%{python3_pkgversion}-jinja2
+%package -n python3-jinja2
 Summary:        General purpose template engine for python3
-BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-babel >= 0.8
-BuildRequires:  python%{python3_pkgversion}-markupsafe >= 0.23
-BuildRequires:  python%{python3_pkgversion}-pytest
-BuildRequires:  python%{python3_pkgversion}-rpm-macros
+Group:          Development/Languages
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-babel >= 0.8
+BuildRequires:  python3-markupsafe
+BuildRequires:  python3-pytest
 %if %{with docs}
-BuildRequires:  %{_bindir}/sphinx-build-3.8
-BuildRequires:  make
-BuildRequires:  python%{python3_pkgversion}-Pallets-Sphinx-Themes
-BuildRequires:  python%{python3_pkgversion}-sphinxcontrib-log-cabinet
-BuildRequires:  python%{python3_pkgversion}-sphinx-issues
+BuildRequires:  %{_bindir}/sphinx-build-3
 %endif
-Requires:       python%{python3_pkgversion}-babel >= 0.8
-Requires:       python%{python3_pkgversion}-markupsafe >= 0.23
-Requires:       python%{python3_pkgversion}-setuptools
-%{?python_provide:%python_provide python%{python3_pkgversion}-jinja2}
+Requires:       python3-babel >= 0.8
+Requires:       python3-markupsafe
+%if 0%{?rhel} && 0%{?rhel} >= 8
+Requires:       platform-python-setuptools
+%else
+Requires:       python3-setuptools
+%endif
+%{?python_provide:%python_provide python3-jinja2}
 
-%description -n python%{python3_pkgversion}-jinja2
+%description -n python3-jinja2
 Jinja2 is a template engine written in pure Python.  It provides a
 Django inspired non-XML syntax but supports inline expressions and an
 optional sandboxed environment.
@@ -111,74 +117,104 @@ environments.
 
 
 %prep
-%autosetup -p1 -n %{srcname}-%{version}
+%setup -qc -n Jinja2-%{version}
+
+%patch0 -p1
+%patch1 -p1
 
 # cleanup
-find . -name '*.pyo' -o -name '*.pyc' -delete
+find Jinja2-%{version} -name '*.pyo' -o -name '*.pyc' -delete
+
+# fix EOL
+sed -i 's|\r$||g' Jinja2-%{version}/LICENSE
+
+mv Jinja2-%{version} python2
+cp -av python2 python3
+
 
 %build
 %if %{with python2}
+pushd python2
 %py2_build
+popd
 %endif # with python2
 
 %if %{with python3}
+pushd python3
 %py3_build
 %if %{with docs}
 make -C docs html PYTHONPATH=$(pwd) SPHINXBUILD=sphinx-build-3
-# remove hidden file
-rm -rf docs/_build/html/.buildinfo
 %endif # with docs
+popd
 %endif # with python3
 
 
 %install
 %if %{with python2}
+pushd python2
 %py2_install
 
 # these files are valid only on Python 3.6+
 rm %{buildroot}%{python2_sitelib}/jinja2/asyncsupport.py
 rm %{buildroot}%{python2_sitelib}/jinja2/asyncfilters.py
+popd
 %endif # with python2
 
 %if %{with python3}
+pushd python3
 %py3_install
 
+%if %{with docs}
+# remove hidden file
+rm -rf docs/_build/html/.buildinfo
+%endif
+
 %if ! %{with async}
 # these files are valid only on Python 3.6+
 rm %{buildroot}%{python3_sitelib}/jinja2/asyncsupport.py
 rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py
 %endif # ! with async
+popd
 %endif # with python3
 
 
 %check
+%if %{with python2}
+pushd python2
+# there are currently no tests in the jinja2 tarball
+# make test
+popd
+%endif # with python2
+
 %if %{with python3}
-PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
+pushd python3
+# there are currently no tests in the jinja2 tarball
+# make test
+popd
 %endif # with python3
 
 
 %if %{with python2}
 %files -n python2-jinja2
-%doc CHANGES.rst
-%doc ext
-%doc examples
-%license LICENSE.rst
-%if %{with docs}
-%doc docs/_build/html
-%endif
+%doc python2/AUTHORS
+%doc python2/CHANGES.rst
+%doc python2/ext
+%doc python2/examples
+%license python2/LICENSE
 %{python2_sitelib}/jinja2
 %{python2_sitelib}/Jinja2-%{version}-py?.?.egg-info
 %endif # with python2
 
 
 %if %{with python3}
-%files -n python%{python3_pkgversion}-jinja2
-%doc CHANGES.rst
-%doc ext
-%doc examples
-%license LICENSE.rst
+%files -n python3-jinja2
+%doc python3/AUTHORS
+%doc python3/CHANGES.rst
+%doc python3/ext
+%doc python3/examples
+%license python3/LICENSE
 %if %{with docs}
-%doc docs/_build/html
+%doc python3/docs/_build/html
 %endif
 %{python3_sitelib}/jinja2
 %{python3_sitelib}/Jinja2-%{version}-py?.?.egg-info
@@ -186,62 +222,44 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
 
 
 %changelog
-* Fri May 20 2022 Maxwell G <gotmax@e.email> - 2.11.3-1
-- Update to 2.11.3.
-- Fix URL.
-- Remove patch that is included in this release.
-Resolves: rhbz#2086141.
+* Tue Jan 30 2024 Charalampos Stratakis <cstratak@redhat.com> - 2.10.1-4
+- Security fix for CVE-2024-22195
+Resolves: RHEL-21347
 
-* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-5
+* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-3
 - Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
 Resolves: rhbz#1928707
 
-* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.10.3-4
-- Exclude unsupported i686 arch
+* Tue Apr 30 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-2
+- Rebuild of package to go through gating
+- Resolves: rhbz#1701301
 
-* Wed Nov 20 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-3
-- Adjusted for Python 3.8 module in RHEL 8
+* Thu Apr 25 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-1
+- Rebase to 2.10.1 (security update) to fix CVE-2019-10906
+- Resolves: rhbz#1701301
 
-* Wed Nov 20 2019 Thomas Moschny <thomas.moschny@gmx.de> - 2.10.3-2
-- Add missing BR on make.
+* Fri Nov 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.10-9
+- Require platform-python-setuptools instead of python3-setuptools
+- Resolves: rhbz#1650536
 
-* Mon Nov 11 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-1
-- New upstream version (2.10.3)
+* Mon Aug 06 2018 Lumír Balhar <lbalhar@redhat.com> - 2.10-8
+- Revert changes commited to wrong branch
 
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.10.1-5
-- Rebuilt for Python 3.8.0rc1 (#1748018)
+* Sat Aug 04 2018 Lumír Balhar <lbalhar@redhat.com> - 2.10-7
+- Fix conditions
 
-* Sat Aug 17 2019 Miro Hrončok <mhroncok@redhat.com> - 2.10.1-4
-- Rebuilt for Python 3.8
+* Sat Aug 04 2018 Lumír Balhar <lbalhar@redhat.com> - 2.10-6
+- Specfile cleanup and fixes
 
-* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 2.10.1-3
-- Bootstrap for Python 3.8
+* Mon Jun 25 2018 Lumír Balhar <Lbalhar@redhat.com> - 2.10-5
+- Disable Python 2 build by default
 
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.10.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Mon Jun 25 2018 Lumír Balhar <Lbalhar@redhat.com> - 2.10-4
+- Allow build with Python 2
 
-* Wed Apr 10 2019 Thomas Moschny <thomas.moschny@gmx.de> - 2.10.1-1
-- Update to 2.10.1.
-- Update specfile.
-
-* Wed Feb 27 2019 Phil Wyett <philwyett@kathenas.org> - 2.10-8
-- Fix FTBS due to bad conditional
-- Add version requirement for markupsafe
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.10-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.10-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 2.10-5
-- Rebuilt for Python 3.7
-
-* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 2.10-4
-- Bootstrap for Python 3.7
-
-* Mon Apr 16 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.10-3
-- Don't build the Python 2 subpackage on EL > 7
+* Mon May 28 2018 Petr Viktorin <pviktori@redhat.com> - 2.10-3
+- Remove docs from Python 2 package
+- Remove dependency on python2-babel and python2-sphinx
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild