rpms/python-mako
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-mako-1.1.4-6.el9

Browse Source
This commit is contained in:
CentOS Sources 2023-05-09 05:27:39 +00:00 committed by Stepan Oksanichenko
parent 13a12121c3
commit 42403f085e
2 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
SOURCES/python-mako-1.1.14-CVE-2022-40023.patch Normal file
View File

@ -0,0 +1,87 @@
From 0969203d36a128f42d7e4025ca29b5dfa74e1a21 Mon Sep 17 00:00:00 2001
From: Mike Bayer <mike_mp@zzzcomputing.com>
Date: Mon, 29 Aug 2022 12:28:52 -0400
Subject: [PATCH] fix tag regexp to match quoted groups correctly
Fixed issue in lexer where the regexp used to match tags would not
correctly interpret quoted sections individually. While this parsing issue
still produced the same expected tag structure later on, the mis-handling
of quoted sections was also subject to a regexp crash if a tag had a large
number of quotes within its quoted sections.
Fixes: #366
Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
---
doc/build/unreleased/366.rst | 9 +++++++++
mako/lexer.py | 12 ++++++++----
test/test_lexer.py | 4 ++++
3 files changed, 21 insertions(+), 4 deletions(-)
create mode 100644 doc/build/unreleased/366.rst
diff --git a/doc/build/unreleased/366.rst b/doc/build/unreleased/366.rst
new file mode 100644
index 0000000..27b0278
--- /dev/null
+++ b/doc/build/unreleased/366.rst
@@ -0,0 +1,9 @@
+.. change::
+ :tags: bug, lexer
+ :tickets: 366
+
+ Fixed issue in lexer where the regexp used to match tags would not
+ correctly interpret quoted sections individually. While this parsing issue
+ still produced the same expected tag structure later on, the mis-handling
+ of quoted sections was also subject to a regexp crash if a tag had a large
+ number of quotes within its quoted sections.
\ No newline at end of file
diff --git a/mako/lexer.py b/mako/lexer.py
index 6226e26..c8eee6f 100644
--- a/mako/lexer.py
+++ b/mako/lexer.py
@@ -295,20 +295,24 @@ class Lexer(object):
return self.template
def match_tag_start(self):
- match = self.match(
- r"""
+ reg = r"""
\<% # opening tag
([\w\.\:]+) # keyword
- ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*) # attrname, = \
+ ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*) # attrname, = \
# sign, string expression
+ # comma is for backwards compat
+ # identified in #366
\s* # more whitespace
(/)?> # closing
- """,
+ """
+
+ match = self.match(
+ reg,
re.I | re.S | re.X,
)
diff --git a/test/test_lexer.py b/test/test_lexer.py
index 9807961..7d4b146 100644
--- a/test/test_lexer.py
+++ b/test/test_lexer.py
@@ -146,6 +146,10 @@ class LexerTest(TemplateTest):
"""
self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+ def test_tag_many_quotes(self):
+ template = "<%0" + '"' * 3000
+ self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)
+
def test_unmatched_tag(self):
template = """
<%namespace name="bar">
--
2.38.1

7
SPECS/python-mako.spec
View File

@ -1,6 +1,6 @@
Name: python-mako
Version: 1.1.4
Release: 5%{?dist}
Release: 6%{?dist}
BuildArch: noarch
# Mostly MIT, but _ast_util.py is Python licensed.
@ -9,6 +9,8 @@ License: (MIT and Python) and (BSD or GPLv2)
Summary: Mako template library for Python
URL: http://www.makotemplates.org/
Source0: https://github.com/sqlalchemy/mako/archive/rel_%(echo %{version} | sed "s/\./_/g").tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=2133606
Patch0: python-mako-1.1.14-CVE-2022-40023.patch
BuildRequires: python3-devel
BuildRequires: python3-pytest
@ -89,6 +91,9 @@ pytest-3
%changelog
* Thu Nov 17 2022 David King <amigadave@amigadave.com> - 1.1.4-6
- Fix CVE-2022-40023 (#2133606)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.4-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688