diff options
Diffstat (limited to 'backport-CVE-2024-34064.patch')
| -rw-r--r-- | backport-CVE-2024-34064.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/backport-CVE-2024-34064.patch b/backport-CVE-2024-34064.patch new file mode 100644 index 0000000..b1843a0 --- /dev/null +++ b/backport-CVE-2024-34064.patch @@ -0,0 +1,109 @@ +From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001 +From: David Lord <davidism@gmail.com> +Date: Thu, 2 May 2024 09:14:00 -0700 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb +Conflict:NA + +--- + Jinja2-3.1.3/CHANGES.rst | 6 ++++++ + Jinja2-3.1.3/src/jinja2/filters.py | 22 +++++++++++++++++----- + Jinja2-3.1.3/tests/test_filters.py | 11 ++++++----- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst +index 08a1785..f70cacb 100644 +--- a/Jinja2-3.1.3/CHANGES.rst ++++ b/Jinja2-3.1.3/CHANGES.rst +@@ -1,5 +1,11 @@ + .. currentmodule:: jinja2 + ++- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` ++ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. ++ Regardless of any validation done by Jinja, user input should never be used ++ as keys to this filter, or must be separately validated first. ++ GHSA-h75v-3vvj-5mfj ++ + Version 3.1.3 + ------------- + +diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py +index c7ecc9b..bdf6f22 100644 +--- a/Jinja2-3.1.3/src/jinja2/filters.py ++++ b/Jinja2-3.1.3/src/jinja2/filters.py +@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K + yield from value.items() + + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + + @pass_eval_context +@@ -257,8 +259,14 @@ def do_xmlattr( + ) -> str: + """Create an SGML/XML attribute string based on the items in a dict. + +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -278,6 +286,10 @@ def do_xmlattr( + As you can see it automatically prepends a space in front of the item + if the filter returned something unless the second parameter is false. + ++ .. versionchanged:: 3.1.4 ++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign ++ are not allowed. ++ + .. versionchanged:: 3.1.3 + Keys with spaces are not allowed. + """ +@@ -287,8 +299,8 @@ def do_xmlattr( + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/Jinja2-3.1.3/tests/test_filters.py b/Jinja2-3.1.3/tests/test_filters.py +index f50ed13..d8e9114 100644 +--- a/Jinja2-3.1.3/tests/test_filters.py ++++ b/Jinja2-3.1.3/tests/test_filters.py +@@ -474,11 +474,12 @@ class TestFilter: + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") +-- +2.33.0 + |