summaryrefslogtreecommitdiff
path: root/backport-CVE-2024-56201.patch
diff options
context:
space:
mode:
Diffstat (limited to 'backport-CVE-2024-56201.patch')
-rw-r--r--backport-CVE-2024-56201.patch83
1 files changed, 83 insertions, 0 deletions
diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch
new file mode 100644
index 0000000..09c32f1
--- /dev/null
+++ b/backport-CVE-2024-56201.patch
@@ -0,0 +1,83 @@
+From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
+From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
+Date: Fri, 26 May 2023 14:32:36 +0200
+Subject: [PATCH] fix f-string syntax error in code generation
+
+Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
+
+---
+ Jinja2-3.1.3/CHANGES.rst | 3 +++
+ Jinja2-3.1.3/src/jinja2/compiler.py | 7 ++++++-
+ Jinja2-3.1.3/tests/test_compile.py | 19 +++++++++++++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst
+index f70cacb..b0e9a77 100644
+--- a/Jinja2-3.1.3/CHANGES.rst
++++ b/Jinja2-3.1.3/CHANGES.rst
+@@ -1,5 +1,8 @@
+ .. currentmodule:: jinja2
+
++- Escape template name before formatting it into error messages, to avoid
++ issues with names that contain f-string syntax.
++ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
+ - The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+ Regardless of any validation done by Jinja, user input should never be used
+diff --git a/Jinja2-3.1.3/src/jinja2/compiler.py b/Jinja2-3.1.3/src/jinja2/compiler.py
+index ff95c80..1ebdcd9 100644
+--- a/Jinja2-3.1.3/src/jinja2/compiler.py
++++ b/Jinja2-3.1.3/src/jinja2/compiler.py
+@@ -1121,9 +1121,14 @@ class CodeGenerator(NodeVisitor):
+ )
+ self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
+ self.indent()
++ # The position will contain the template name, and will be formatted
++ # into a string that will be compiled into an f-string. Curly braces
++ # in the name must be replaced with escapes so that they will not be
++ # executed as part of the f-string.
++ position = self.position(node).replace("{", "{{").replace("}", "}}")
+ message = (
+ "the template {included_template.__name__!r}"
+- f" (imported on {self.position(node)})"
++ f" (imported on {position})"
+ f" does not export the requested name {name!r}"
+ )
+ self.writeline(
+diff --git a/Jinja2-3.1.3/tests/test_compile.py b/Jinja2-3.1.3/tests/test_compile.py
+index 42a773f..b33a877 100644
+--- a/Jinja2-3.1.3/tests/test_compile.py
++++ b/Jinja2-3.1.3/tests/test_compile.py
+@@ -1,6 +1,9 @@
+ import os
+ import re
+
++import pytest
++
++from jinja2 import UndefinedError
+ from jinja2.environment import Environment
+ from jinja2.loaders import DictLoader
+
+@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path):
+ expect = [f"'bar{i}': " for i in range(10)]
+ found = re.findall(r"'bar\d': ", content)[:10]
+ assert found == expect
++
++
++def test_undefined_import_curly_name():
++ env = Environment(
++ loader=DictLoader(
++ {
++ "{bad}": "{% from 'macro' import m %}{{ m() }}",
++ "macro": "",
++ }
++ )
++ )
++
++ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
++ # that `{bad}` is being interpreted as an f-string. It must be escaped.
++ with pytest.raises(UndefinedError):
++ env.get_template("{bad}").render()
+--
+2.33.0
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-12 07:45:37 +0000