diff options
| author | CoprDistGit <infra@openeuler.org> | 2025-03-25 14:55:06 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2025-03-25 14:55:06 +0000 |
| commit | 447101da47378173fb4589543eeb47ed69b1fa51 (patch) | |
| tree | ed0f85f5707af6be6b94fab68f443444810d6735 | |
| parent | ea6823d1d2529db993ba19e5cea43f796083fc34 (diff) | |
automatic import of python-jinja2openeuler24.03_LTS_SP1
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | backport-CVE-2024-34064.patch | 109 | ||||
| -rw-r--r-- | backport-CVE-2024-56201.patch | 83 | ||||
| -rw-r--r-- | backport-CVE-2024-56326.patch | 172 | ||||
| -rw-r--r-- | python-jinja2.spec | 154 | ||||
| -rw-r--r-- | sources | 1 |
6 files changed, 520 insertions, 0 deletions
@@ -0,0 +1 @@ +/Jinja2-3.1.3.tar.gz diff --git a/backport-CVE-2024-34064.patch b/backport-CVE-2024-34064.patch new file mode 100644 index 0000000..b1843a0 --- /dev/null +++ b/backport-CVE-2024-34064.patch @@ -0,0 +1,109 @@ +From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001 +From: David Lord <davidism@gmail.com> +Date: Thu, 2 May 2024 09:14:00 -0700 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb +Conflict:NA + +--- + Jinja2-3.1.3/CHANGES.rst | 6 ++++++ + Jinja2-3.1.3/src/jinja2/filters.py | 22 +++++++++++++++++----- + Jinja2-3.1.3/tests/test_filters.py | 11 ++++++----- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst +index 08a1785..f70cacb 100644 +--- a/Jinja2-3.1.3/CHANGES.rst ++++ b/Jinja2-3.1.3/CHANGES.rst +@@ -1,5 +1,11 @@ + .. currentmodule:: jinja2 + ++- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` ++ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. ++ Regardless of any validation done by Jinja, user input should never be used ++ as keys to this filter, or must be separately validated first. ++ GHSA-h75v-3vvj-5mfj ++ + Version 3.1.3 + ------------- + +diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py +index c7ecc9b..bdf6f22 100644 +--- a/Jinja2-3.1.3/src/jinja2/filters.py ++++ b/Jinja2-3.1.3/src/jinja2/filters.py +@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K + yield from value.items() + + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + + @pass_eval_context +@@ -257,8 +259,14 @@ def do_xmlattr( + ) -> str: + """Create an SGML/XML attribute string based on the items in a dict. + +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -278,6 +286,10 @@ def do_xmlattr( + As you can see it automatically prepends a space in front of the item + if the filter returned something unless the second parameter is false. + ++ .. versionchanged:: 3.1.4 ++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign ++ are not allowed. ++ + .. versionchanged:: 3.1.3 + Keys with spaces are not allowed. + """ +@@ -287,8 +299,8 @@ def do_xmlattr( + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/Jinja2-3.1.3/tests/test_filters.py b/Jinja2-3.1.3/tests/test_filters.py +index f50ed13..d8e9114 100644 +--- a/Jinja2-3.1.3/tests/test_filters.py ++++ b/Jinja2-3.1.3/tests/test_filters.py +@@ -474,11 +474,12 @@ class TestFilter: + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") +-- +2.33.0 + diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch new file mode 100644 index 0000000..09c32f1 --- /dev/null +++ b/backport-CVE-2024-56201.patch @@ -0,0 +1,83 @@ +From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001 +From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com> +Date: Fri, 26 May 2023 14:32:36 +0200 +Subject: [PATCH] fix f-string syntax error in code generation + +Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9 + +--- + Jinja2-3.1.3/CHANGES.rst | 3 +++ + Jinja2-3.1.3/src/jinja2/compiler.py | 7 ++++++- + Jinja2-3.1.3/tests/test_compile.py | 19 +++++++++++++++++++ + 3 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst +index f70cacb..b0e9a77 100644 +--- a/Jinja2-3.1.3/CHANGES.rst ++++ b/Jinja2-3.1.3/CHANGES.rst +@@ -1,5 +1,8 @@ + .. currentmodule:: jinja2 + ++- Escape template name before formatting it into error messages, to avoid ++ issues with names that contain f-string syntax. ++ :issue:`1792`, :ghsa:`gmj6-6f8f-6699` + - The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` + greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. + Regardless of any validation done by Jinja, user input should never be used +diff --git a/Jinja2-3.1.3/src/jinja2/compiler.py b/Jinja2-3.1.3/src/jinja2/compiler.py +index ff95c80..1ebdcd9 100644 +--- a/Jinja2-3.1.3/src/jinja2/compiler.py ++++ b/Jinja2-3.1.3/src/jinja2/compiler.py +@@ -1121,9 +1121,14 @@ class CodeGenerator(NodeVisitor): + ) + self.writeline(f"if {frame.symbols.ref(alias)} is missing:") + self.indent() ++ # The position will contain the template name, and will be formatted ++ # into a string that will be compiled into an f-string. Curly braces ++ # in the name must be replaced with escapes so that they will not be ++ # executed as part of the f-string. ++ position = self.position(node).replace("{", "{{").replace("}", "}}") + message = ( + "the template {included_template.__name__!r}" +- f" (imported on {self.position(node)})" ++ f" (imported on {position})" + f" does not export the requested name {name!r}" + ) + self.writeline( +diff --git a/Jinja2-3.1.3/tests/test_compile.py b/Jinja2-3.1.3/tests/test_compile.py +index 42a773f..b33a877 100644 +--- a/Jinja2-3.1.3/tests/test_compile.py ++++ b/Jinja2-3.1.3/tests/test_compile.py +@@ -1,6 +1,9 @@ + import os + import re + ++import pytest ++ ++from jinja2 import UndefinedError + from jinja2.environment import Environment + from jinja2.loaders import DictLoader + +@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path): + expect = [f"'bar{i}': " for i in range(10)] + found = re.findall(r"'bar\d': ", content)[:10] + assert found == expect ++ ++ ++def test_undefined_import_curly_name(): ++ env = Environment( ++ loader=DictLoader( ++ { ++ "{bad}": "{% from 'macro' import m %}{{ m() }}", ++ "macro": "", ++ } ++ ) ++ ) ++ ++ # Must not raise `NameError: 'bad' is not defined`, as that would indicate ++ # that `{bad}` is being interpreted as an f-string. It must be escaped. ++ with pytest.raises(UndefinedError): ++ env.get_template("{bad}").render() +-- +2.33.0 + diff --git a/backport-CVE-2024-56326.patch b/backport-CVE-2024-56326.patch new file mode 100644 index 0000000..6b3394e --- /dev/null +++ b/backport-CVE-2024-56326.patch @@ -0,0 +1,172 @@ +From 91a972f5808973cd441f4dc06873b2f8378f30c7 Mon Sep 17 00:00:00 2001 +From: Lydxn <hlyndon20@gmail.com> +Date: Mon, 23 Sep 2024 15:09:10 -0700 +Subject: [PATCH] sandbox indirect calls to str.format +--- + Jinja2-3.1.3/src/jinja2/sandbox.py | 81 +++++++++++++++-------------- + Jinja2-3.1.3/tests/test_security.py | 18 +++++++ + 2 files changed, 60 insertions(+), 39 deletions(-) + +diff --git a/Jinja2-3.1.3/src/jinja2/sandbox.py b/Jinja2-3.1.3/src/jinja2/sandbox.py +index 06d7414..432d28f 100644 +--- a/Jinja2-3.1.3/src/jinja2/sandbox.py ++++ b/Jinja2-3.1.3/src/jinja2/sandbox.py +@@ -7,6 +7,7 @@ import typing as t + from _string import formatter_field_name_split # type: ignore + from collections import abc + from collections import deque ++from functools import update_wrapper + from string import Formatter + + from markupsafe import EscapeFormatter +@@ -79,21 +80,6 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type, t.FrozenSet[str]], ...] = ( + ), + ) + +- +-def inspect_format_method(callable: t.Callable) -> t.Optional[str]: +- if not isinstance( +- callable, (types.MethodType, types.BuiltinMethodType) +- ) or callable.__name__ not in ("format", "format_map"): +- return None +- +- obj = callable.__self__ +- +- if isinstance(obj, str): +- return obj +- +- return None +- +- + def safe_range(*args: int) -> range: + """A range that can't generate ranges with a length of more than + MAX_RANGE items. +@@ -313,6 +299,9 @@ class SandboxedEnvironment(Environment): + except AttributeError: + pass + else: ++ fmt = self.wrap_str_format(value) ++ if fmt is not None: ++ return fmt + if self.is_safe_attribute(obj, argument, value): + return value + return self.unsafe_undefined(obj, argument) +@@ -330,6 +319,9 @@ class SandboxedEnvironment(Environment): + except (TypeError, LookupError): + pass + else: ++ fmt = self.wrap_str_format(value) ++ if fmt is not None: ++ return fmt + if self.is_safe_attribute(obj, attribute, value): + return value + return self.unsafe_undefined(obj, attribute) +@@ -345,34 +337,48 @@ class SandboxedEnvironment(Environment): + exc=SecurityError, + ) + +- def format_string( +- self, +- s: str, +- args: t.Tuple[t.Any, ...], +- kwargs: t.Dict[str, t.Any], +- format_func: t.Optional[t.Callable] = None, +- ) -> str: +- """If a format call is detected, then this is routed through this +- method so that our safety sandbox can be used for it. ++ def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]: ++ """If the given value is a ``str.format`` or ``str.format_map`` method, ++ return a new function than handles sandboxing. This is done at access ++ rather than in :meth:`call`, so that calls made without ``call`` are ++ also sandboxed. + """ ++ if not isinstance( ++ value, (types.MethodType, types.BuiltinMethodType) ++ ) or value.__name__ not in ("format", "format_map"): ++ return None ++ ++ f_self: t.Any = value.__self__ ++ ++ if not isinstance(f_self, str): ++ return None ++ ++ str_type: t.Type[str] = type(f_self) ++ is_format_map = value.__name__ == "format_map" + formatter: SandboxedFormatter +- if isinstance(s, Markup): +- formatter = SandboxedEscapeFormatter(self, escape=s.escape) ++ ++ if isinstance(f_self, Markup): ++ formatter = SandboxedEscapeFormatter(self, escape=f_self.escape) + else: + formatter = SandboxedFormatter(self) + +- if format_func is not None and format_func.__name__ == "format_map": +- if len(args) != 1 or kwargs: +- raise TypeError( +- "format_map() takes exactly one argument" +- f" {len(args) + (kwargs is not None)} given" +- ) ++ vformat = formatter.vformat ++ ++ def wrapper(*args: t.Any, **kwargs: t.Any) -> str: ++ if is_format_map: ++ if kwargs: ++ raise TypeError("format_map() takes no keyword arguments") ++ ++ if len(args) != 1: ++ raise TypeError( ++ f"format_map() takes exactly one argument ({len(args)} given)" ++ ) + +- kwargs = args[0] +- args = () ++ kwargs = args[0] ++ args = () + +- rv = formatter.vformat(s, args, kwargs) +- return type(s)(rv) ++ return str_type(vformat(f_self, args, kwargs)) ++ return update_wrapper(wrapper, value) + + def call( + __self, # noqa: B902 +@@ -382,9 +388,6 @@ class SandboxedEnvironment(Environment): + **kwargs: t.Any, + ) -> t.Any: + """Call an object from sandboxed code.""" +- fmt = inspect_format_method(__obj) +- if fmt is not None: +- return __self.format_string(fmt, args, kwargs, __obj) + + # the double prefixes are to avoid double keyword argument + # errors when proxying the call. +diff --git a/Jinja2-3.1.3/tests/test_security.py b/Jinja2-3.1.3/tests/test_security.py +index 0e8dc5c..9c8bad6 100644 +--- a/Jinja2-3.1.3/tests/test_security.py ++++ b/Jinja2-3.1.3/tests/test_security.py +@@ -171,3 +171,21 @@ class TestStringFormatMap: + '{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}' + ) + assert t.render() == "a42b<foo>" ++ ++ ++ def test_indirect_call(self): ++ def run(value, arg): ++ return value.run(arg) ++ ++ env = SandboxedEnvironment() ++ env.filters["run"] = run ++ t = env.from_string( ++ """{% set ++ ns = namespace(run="{0.__call__.__builtins__[__import__]}".format) ++ %} ++ {{ ns | run(not_here) }} ++ """ ++ ) ++ ++ with pytest.raises(SecurityError): ++ t.render() +-- +2.43.0 + diff --git a/python-jinja2.spec b/python-jinja2.spec new file mode 100644 index 0000000..d0cc660 --- /dev/null +++ b/python-jinja2.spec @@ -0,0 +1,154 @@ +%global _name Jinja2 + +Name: python-jinja2 +Version: 3.1.3 +Release: 4 +Summary: A full-featured template engine for Python +License: BSD-3-Clause +URL: http://jinja.pocoo.org/ +Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz + +Patch1: backport-CVE-2024-34064.patch +Patch2: backport-CVE-2024-56326.patch +Patch3: backport-CVE-2024-56201.patch + +BuildArch: noarch + +%description +Jinja2 is one of the most used template engines for Python. It is inspired by Django's +templating system but extends it with an expressive language that gives template authors +a more powerful set of tools. On top of that it adds sandboxed execution and optional +automatic escaping for applications where security is important. + +%package -n python3-jinja2 +Summary: General purpose template engine for python3 + +BuildRequires: python3-markupsafe python3-babel +BuildRequires: python3-pytest python3-devel python3-setuptools +Requires: python3-babel python3-markupsafe python3-setuptools +%{?python_provide:%python_provide python3-jinja2} + +%description -n python3-jinja2 +This package is the python3 version of python-jinja2. + +%package_help + +%prep +%autosetup -c -n Jinja2-%{version} -p1 + +# fix EOL +sed -i 's|\r$||g' Jinja2-%{version}/LICENSE.rst + +cp -a Jinja2-%{version} python3 + +%build +pushd python3 +%py3_build +popd + +%install +pushd python3 +%py3_install +popd + +%check +pushd python3 +PYTHONPATH=$(pwd)/src python3 -m pytest tests +popd + +%files -n python3-jinja2 +%license Jinja2-%{version}/LICENSE.rst +%{python3_sitelib}/jinja2 +%{python3_sitelib}/Jinja2*-info + +%files help +%doc Jinja2-%{version}/CHANGES.rst Jinja2-%{version}/PKG-INFO +%doc Jinja2-%{version}/examples + +%changelog +* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-4 +- Type:CVE +- CVE:CVE-2024-56201 +- SUG:NA +- DESC:fix CVE-2024-56201 + +* Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 3.1.3-3 +- Type:CVE +- CVE:CVE-2024-56326 +- SUG:NA +- DESC:fix CVE-2024-56326 + +* Fri May 10 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-2 +- Type:CVE +- CVE:CVE-2024-34064 +- SUG:NA +- DESC:fix CVE-2024-34064 + +* Thu Jan 25 2024 shixuantong <shixuantong1@huawei.com> - 3.1.3-1 +- Upgrade package to 3.1.3 + +* Thu Jan 18 2024 weihaohao <weihaohao2@huawei.com> - 3.1.2-3 +- Type:CVE +- CVE:CVE-2024-22195 +- SUG:NA +- DESC:fix CVE-2024-22195 + +* Mon Jul 31 2023 zhuofeng <zhuofeng2@huawei.com> - 3.1.2-2 +- fix test failed + +* Tue Jan 31 2023 huangduirong <huangduirong@huawei.com> - 3.1.2-1 +- Upgrade package to 3.1.2 + +* Fri Jun 17 2022 liukuo <liukuo@kylinos.cn> - 3.0.3-3 +- License compliance rectification + +* Wed Feb 16 2022 liudabo <liudabo1@huawei.com> - 3.0.3-2 +- enable check + +* Mon Jan 24 2022 tianwei <tianwei12@huawei.com> - 3.0.3-1 +- Upgrade version to 3.0.3 + +* Mon Jul 12 2021 huangtianhua <huangtianhua@huawei.com> - 2.11.3 +- Upgrade to 2.11.3 to support OpenStack-W + +* Fri Apr 23 2021 shangyibin <shangyibin1@huawei.com> - 2.11.2-3 +- Type:bugfix +- ID:CVE-2020-28493 +- SUG:NA +- DESC:fix cve-2020-28493 + +* Thu Oct 29 2020 tianwei <tianwei12@huawei.com> - 2.11.2-2 +- Type:NA +- ID:NA +- SUG:NA +- DESC:delete python2 require + +* Thu Jul 23 2020 dingyue <dingyue5@huawei.com> - 2.11.2-1 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:revise description + +* Sat Sep 21 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-10 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:revise description + +* Mon Sep 15 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-9 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:strenthen spec + +* Fri Aug 16 2019 Enbo Kang <kangenbo@huawei.com> - 2.10-8 +- Type:security +- ID:CVE-2019-10906 +- SUG:NA +- DESC:fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox + +* Mon Aug 12 2019 alex chen <alex.chen@huawei.com> - 2.10-7 +- Enable python2 build by default + +* Wed Jul 18 2018 openEuler Buildteam <buildteam@openeuler.org> - 2.10-6 +- Package init @@ -0,0 +1 @@ +caf5418c851eac59e70a78d9730d4cea Jinja2-3.1.3.tar.gz |