.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1 @@
-SOURCES/Jinja2-2.11.3.tar.gz
+/Jinja2-*.tar.gz

.python-jinja2.metadata

@@ -1 +1 @@
-034173d87c9c5d1c2000f337be45b582dc0eb172 SOURCES/Jinja2-2.11.3.tar.gz
+034173d87c9c5d1c2000f337be45b582dc0eb172 Jinja2-2.11.3.tar.gz

0001-add-linetable-to-the-preserved-CodeType-attributes-1.patch

@@ -0,0 +1,27 @@
+From 9a99db929323f60553b391c80d0395821121d593 Mon Sep 17 00:00:00 2001
+From: Thomas Moschny <thomas.moschny@gmx.de>
+Date: Tue, 19 Jan 2021 21:01:18 +0100
+Subject: [PATCH] add 'linetable' to the preserved CodeType attributes (#1334)
+
+add 'linetable' to the preserved CodeType attributes
+
+co_linetable replaces co_lnotab as part of PEP 626 in Python 3.10.
+---
+ src/jinja2/debug.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jinja2/debug.py b/src/jinja2/debug.py
+index 5d8aec3..e256617 100644
+--- a/src/jinja2/debug.py
++++ b/src/jinja2/debug.py
+@@ -137,6 +137,7 @@ def fake_traceback(exc_value, tb, filename, lineno):
+             "lnotab",
+             "freevars",
+             "cellvars",
++            "linetable",  # Python 3.10
+         ):
+             if isinstance(attr, tuple):
+                 # Replace with given value.
+-- 
+2.29.2
+

0002-native_concat-pass-only-strings-to-literal_eval.patch

@@ -0,0 +1,49 @@
+From 58250a709532ccb3e6d92ca65b3d305d1464cb68 Mon Sep 17 00:00:00 2001
+From: Martin Krizek <martin.krizek@gmail.com>
+Date: Thu, 28 Jan 2021 10:08:50 +0100
+Subject: [PATCH] native_concat: pass only strings to literal_eval
+
+If there is only single node and it is not a string, there is no point
+in passing it into ``literal_eval``, just return it immediately.
+
+One of the examples where passing a non-string node into
+``literal_eval`` would actually cause problems is when the node is
+``Undefined``. On Python 3.10 this would cause ``UndefinedError``
+instead of just ``Undefined`` being returned.
+
+Fixes #1335
+---
+ CHANGES.rst               | 3 +++
+ src/jinja2/nativetypes.py | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/CHANGES.rst b/CHANGES.rst
+index 511b22b..a8a66ea 100644
+--- a/CHANGES.rst
++++ b/CHANGES.rst
+@@ -8,6 +8,9 @@ Released 2021-01-31
+ -   Improve the speed of the ``urlize`` filter by reducing regex
+     backtracking. Email matching requires a word character at the start
+     of the domain part, and only word characters in the TLD. :pr:`1343`
++-   Fix UndefinedError incorrectly being thrown on an undefined variable
++    instead of ``Undefined`` being returned on
++    ``NativeEnvironment`` on Python 3.10. :issue:`1335`
+ 
+ 
+ Version 2.11.2
+diff --git a/src/jinja2/nativetypes.py b/src/jinja2/nativetypes.py
+index a9ead4e..2fee17f 100644
+--- a/src/jinja2/nativetypes.py
++++ b/src/jinja2/nativetypes.py
+@@ -26,6 +26,8 @@ def native_concat(nodes):
+ 
+     if len(head) == 1:
+         raw = head[0]
++        if not isinstance(raw, str):
++            return raw
+     else:
+         raw = u"".join([text_type(v) for v in chain(head, nodes)])
+ 
+-- 
+2.29.2
+

0003-CVE-2024-22195.patch

@@ -0,0 +1,77 @@
+From d9835bd39a630ea74f719e1c76765ca2ec89f2f2 Mon Sep 17 00:00:00 2001
+From: Calum Hutton <calum.hutton@snyk.io>
+Date: Thu, 26 Oct 2023 12:08:53 +0100
+Subject: [PATCH] xmlattr filter disallows keys with spaces
+
+---
+ src/jinja2/filters.py | 26 +++++++++++++++++++-------
+ tests/test_filters.py |  6 ++++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index 74b108d..49f7d39 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -205,11 +205,15 @@ def do_lower(s):
+     return soft_unicode(s).lower()
+ 
+ 
++_space_re = re.compile(r"\s", flags=re.ASCII)
++
++
+ @evalcontextfilter
+ def do_xmlattr(_eval_ctx, d, autospace=True):
+     """Create an SGML/XML attribute string based on the items in a dict.
+-    All values that are neither `none` nor `undefined` are automatically
+-    escaped:
++
++    If any key contains a space, this fails with a ``ValueError``. Values that
++    are neither ``none`` nor ``undefined`` are automatically escaped.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -229,11 +233,19 @@ def do_xmlattr(_eval_ctx, d, autospace=True):
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
+     """
+-    rv = u" ".join(
+-        u'%s="%s"' % (escape(key), escape(value))
+-        for key, value in iteritems(d)
+-        if value is not None and not isinstance(value, Undefined)
+-    )
++    items = []
++
++    for key, value in d.items():
++        if value is None or isinstance(value, Undefined):
++            continue
++
++        if _space_re.search(key) is not None:
++            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++
++        items.append(f'{escape(key)}="{escape(value)}"')
++
++    rv = " ".join(items)
++
+     if autospace and rv:
+         rv = u" " + rv
+     if _eval_ctx.autoescape:
+diff --git a/tests/test_filters.py b/tests/test_filters.py
+index 388c346..6e697f3 100644
+--- a/tests/test_filters.py
++++ b/tests/test_filters.py
+@@ -440,6 +440,12 @@ class TestFilter(object):
+         assert 'bar="23"' in out
+         assert 'blub:blub="&lt;?&gt;"' in out
+ 
++    def test_xmlattr_key_with_spaces(self, env):
++        with pytest.raises(ValueError, match="Spaces are not allowed"):
++            env.from_string(
++                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
++            ).render()
++
+     def test_sort1(self, env):
+         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
+         assert tmpl.render() == "[1, 2, 3]|[3, 2, 1]"
+-- 
+2.43.0
+

0004-CVE-2024-34064.patch

@@ -0,0 +1,77 @@
+From 7597efd51e740313e7e1ad08c3600dc49ce3981d Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Tue, 7 May 2024 14:56:46 +0200
+Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
+
+---
+ src/jinja2/filters.py | 18 +++++++++++++-----
+ tests/test_filters.py | 11 ++++++-----
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index 49f7d39..6d4f348 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -205,15 +205,23 @@ def do_lower(s):
+     return soft_unicode(s).lower()
+ 
+ 
+-_space_re = re.compile(r"\s", flags=re.ASCII)
++# Check for characters that would move the parser state from key to value.
++# https://html.spec.whatwg.org/#attribute-name-state
++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+ 
+ 
+ @evalcontextfilter
+ def do_xmlattr(_eval_ctx, d, autospace=True):
+     """Create an SGML/XML attribute string based on the items in a dict.
+ 
+-    If any key contains a space, this fails with a ``ValueError``. Values that
+-    are neither ``none`` nor ``undefined`` are automatically escaped.
++    **Values** that are neither ``none`` nor ``undefined`` are automatically
++    escaped, safely allowing untrusted user input.
++
++    User input should not be used as **keys** to this filter. If any key
++    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
++    sign, this fails with a ``ValueError``. Regardless of this, user input
++    should never be used as keys to this filter, or must be separately validated
++    first.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -239,8 +247,8 @@ def do_xmlattr(_eval_ctx, d, autospace=True):
+         if value is None or isinstance(value, Undefined):
+             continue
+ 
+-        if _space_re.search(key) is not None:
+-            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++        if _attr_key_re.search(key) is not None:
++            raise ValueError(f"Invalid character in attribute name: {key!r}")
+ 
+         items.append(f'{escape(key)}="{escape(value)}"')
+ 
+diff --git a/tests/test_filters.py b/tests/test_filters.py
+index 6e697f3..f0dc1b1 100644
+--- a/tests/test_filters.py
++++ b/tests/test_filters.py
+@@ -440,11 +440,12 @@ class TestFilter(object):
+         assert 'bar="23"' in out
+         assert 'blub:blub="&lt;?&gt;"' in out
+ 
+-    def test_xmlattr_key_with_spaces(self, env):
+-        with pytest.raises(ValueError, match="Spaces are not allowed"):
+-            env.from_string(
+-                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
+-            ).render()
++    @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
++    def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
++        with pytest.raises(ValueError, match="Invalid character"):
++            env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
++                key=f"class{sep}onclick=alert(1)"
++            )
+ 
+     def test_sort1(self, env):
+         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
+-- 
+2.45.0
+

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plans.fmf

@@ -0,0 +1,4 @@
+discover:
+    how: fmf
+execute:
+    how: tmt

python-jinja2.spec

@@ -2,12 +2,22 @@
 
 Name:           python-jinja2
 Version:        2.11.3
-Release:        1%{?dist}
+Release:        6%{?dist}
 Summary:        General purpose template engine
 License:        BSD
 URL:            https://palletsprojects.com/p/jinja/
 Source0:        %{pypi_source}
+# cherry-picked patches to build with Python 3.10 (#1907442)
+Patch1:         0001-add-linetable-to-the-preserved-CodeType-attributes-1.patch
+Patch2:         0002-native_concat-pass-only-strings-to-literal_eval.patch
 
+# Security fix for CVE-2024-22195
+# Resolved upstream: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
+Patch3:         0003-CVE-2024-22195.patch
+
+# Security fix for CVE-2024-34064
+# Resolved upstream: https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
+Patch4:         0004-CVE-2024-34064.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 # Enable python3 build by default
@@ -16,15 +26,14 @@ Source0:        %{pypi_source}
 %bcond_with python3
 %endif
 
-%if 0%{?rhel} > 7
+%if 0%{?fedora} > 33 || 0%{?rhel} > 7
 # Disable python2 build by default
 %bcond_with python2
 %else
 %bcond_without python2
 %endif
 
-# Enable building without docs to avoid a circular dependency between this
-# and python-sphinx:
+# No docs in RHEL 9: https://bugzilla.redhat.com/show_bug.cgi?id=1944567
 %bcond_with docs
 
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -34,10 +43,6 @@ Source0:        %{pypi_source}
 %endif
 
 BuildArch:      noarch
-# Exclude i686 arch. Due to a modularity issue it's being added to the
-# x86_64 compose of CRB, but we don't want to ship it at all.
-# See: https://projects.engineering.redhat.com/browse/RCM-72605
-ExcludeArch:    i686
 
 %description
 Jinja2 is a template engine written in pure Python.  It provides a
@@ -77,27 +82,26 @@ environments.
 
 
 %if %{with python3}
-%package -n python%{python3_pkgversion}-jinja2
+%package -n python3-jinja2
 Summary:        General purpose template engine for python3
-BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-babel >= 0.8
-BuildRequires:  python%{python3_pkgversion}-markupsafe >= 0.23
-BuildRequires:  python%{python3_pkgversion}-pytest
-BuildRequires:  python%{python3_pkgversion}-rpm-macros
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-babel >= 0.8
+BuildRequires:  python3-markupsafe >= 0.23
+BuildRequires:  python3-pytest
 %if %{with docs}
-BuildRequires:  %{_bindir}/sphinx-build-3.8
+BuildRequires:  %{_bindir}/sphinx-build-3
 BuildRequires:  make
-BuildRequires:  python%{python3_pkgversion}-Pallets-Sphinx-Themes
-BuildRequires:  python%{python3_pkgversion}-sphinxcontrib-log-cabinet
-BuildRequires:  python%{python3_pkgversion}-sphinx-issues
+BuildRequires:  python3-Pallets-Sphinx-Themes
+BuildRequires:  python3-sphinxcontrib-log-cabinet
+BuildRequires:  python3-sphinx-issues
 %endif
-Requires:       python%{python3_pkgversion}-babel >= 0.8
-Requires:       python%{python3_pkgversion}-markupsafe >= 0.23
-Requires:       python%{python3_pkgversion}-setuptools
-%{?python_provide:%python_provide python%{python3_pkgversion}-jinja2}
+Requires:       python3-babel >= 0.8
+Requires:       python3-markupsafe >= 0.23
+Requires:       python3-setuptools
+%{?python_provide:%python_provide python3-jinja2}
 
-%description -n python%{python3_pkgversion}-jinja2
+%description -n python3-jinja2
 Jinja2 is a template engine written in pure Python.  It provides a
 Django inspired non-XML syntax but supports inline expressions and an
 optional sandboxed environment.
@@ -124,7 +128,7 @@ find . -name '*.pyo' -o -name '*.pyc' -delete
 %if %{with python3}
 %py3_build
 %if %{with docs}
-make -C docs html PYTHONPATH=$(pwd) SPHINXBUILD=sphinx-build-3
+make -C docs html PYTHONPATH=$(pwd)/src SPHINXBUILD=sphinx-build-3
 # remove hidden file
 rm -rf docs/_build/html/.buildinfo
 %endif # with docs
@@ -153,7 +157,7 @@ rm %{buildroot}%{python3_sitelib}/jinja2/asyncfilters.py
 
 %check
 %if %{with python3}
-PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
+PYTHONPATH=$(pwd)/src %{__python3} -m pytest tests
 %endif # with python3
 
 
@@ -166,13 +170,13 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
 %if %{with docs}
 %doc docs/_build/html
 %endif
-%{python2_sitelib}/jinja2
-%{python2_sitelib}/Jinja2-%{version}-py?.?.egg-info
+%{python2_sitelib}/jinja2/
+%{python2_sitelib}/Jinja2-*.egg-info/
 %endif # with python2
 
 
 %if %{with python3}
-%files -n python%{python3_pkgversion}-jinja2
+%files -n python3-jinja2
 %doc CHANGES.rst
 %doc ext
 %doc examples
@@ -180,27 +184,70 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest tests
 %if %{with docs}
 %doc docs/_build/html
 %endif
-%{python3_sitelib}/jinja2
-%{python3_sitelib}/Jinja2-%{version}-py?.?.egg-info
+%{python3_sitelib}/jinja2/
+%{python3_sitelib}/Jinja2-*.egg-info/
 %endif # with python3
 
 
 %changelog
-* Fri May 20 2022 Maxwell G <gotmax@e.email> - 2.11.3-1
+* Tue May 07 2024 Lumír Balhar <lbalhar@redhat.com> - 2.11.3-6
+- Security fix for CVE-2024-34064
+Resolves: RHEL-35653
+
+* Tue Jan 30 2024 Charalampos Stratakis <cstratak@redhat.com> - 2.11.3-5
+- Security fix for CVE-2024-22195
+Resolves: RHEL-21349
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.11.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.11.3-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Apr 13 2021 Miro Hrončok <mhroncok@redhat.com> - 2.11.3-2
+- Disable documentation
+- Resolves: rhbz#1944567
+
+* Sat Feb  6 2021 Thomas Moschny <thomas.moschny@gmx.de> - 2.11.3-1
 - Update to 2.11.3.
-- Fix URL.
-- Remove patch that is included in this release.
-Resolves: rhbz#2086141.
+- Add patches to build with Python 3.10 (#1907442).
 
-* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-5
-- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
-Resolves: rhbz#1928707
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.11.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.10.3-4
-- Exclude unsupported i686 arch
+* Mon Dec 21 2020 Miro Hrončok <mhroncok@redhat.com> - 2.11.2-7
+- Drop python2-jinja2 on Fedora 34+
 
-* Wed Nov 20 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.3-3
-- Adjusted for Python 3.8 module in RHEL 8
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.11.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 2.11.2-5
+- Rebuilt for Python 3.9
+
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 2.11.2-4
+- Bootstrap for Python 3.9
+
+* Fri May 22 2020 Thomas Moschny <thomas.moschny@gmx.de> - 2.11.2-3
+- Re-add python2 subpackage (#1832057).
+
+* Wed May  6 2020 Thomas Moschny <thomas.moschny@gmx.de> - 2.11.2-2
+- Drop python2 subpackage from F33 on (#1832057).
+
+* Wed Apr 15 2020 Thomas Moschny <thomas.moschny@gmx.de> - 2.11.2-1
+- Re-add dependency on python-setuptools.
+
+* Wed Apr 15 2020 Dan Horák <dan[at]danny.cz> - 2.11.2-1
+- Update to 2.11.2
+
+* Mon Apr 06 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 2.11.1-2
+- Drop unneeded R: pythonX-setuptools
+
+* Sat Feb  8 2020 Thomas Moschny <thomas.moschny@gmx.de> - 2.11.1-1
+- Update to 2.11.1.
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.10.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
 * Wed Nov 20 2019 Thomas Moschny <thomas.moschny@gmx.de> - 2.10.3-2
 - Add missing BR on make.

sources

@@ -0,0 +1 @@
+SHA512 (Jinja2-2.11.3.tar.gz) = fce4f835795fe9afb622f8106f60344032a811f3f693806f31ba482f9b7c1400f93dfa1701b4db0b472cbed4b0793cb329778c8091811ef0e3b577150d28e004

tests/smoke.fmf

@@ -0,0 +1,7 @@
+description: |
+    Runs very simple jinja2 template which should always work
+test: python3 smoke.py
+framework: shell
+require:
+- python3
+- python3-jinja2

tests/smoke.py

@@ -0,0 +1,9 @@
+import jinja2
+
+
+TEMPLATE = "Text {{ variable }}"
+
+environment = jinja2.Environment()
+template = environment.from_string(TEMPLATE)
+output = template.render(variable="demo")
+assert output == "Text demo", f"got: {output}"