packages/python-jinja2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:10ea7ea39824f2400946a53b30fdb5ba5d1f1bb2
Branches Tags
packages:main
..
compare: packages:3de67368558245668a22f1eb4a1eb342bc783a39
Branches Tags
packages:main

No commits in common. "10ea7ea39824f2400946a53b30fdb5ba5d1f1bb2" and "3de67368558245668a22f1eb4a1eb342bc783a39" have entirely different histories.
10ea7ea398 ... 3de6736855

5 changed files with 2 additions and 497 deletions
Show Stats Expand all files Collapse all files

109
backport-CVE-2024-34064.patch
View File

@ -1,109 +0,0 @@
From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Thu, 2 May 2024 09:14:00 -0700
Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
Conflict:NA
---
Jinja2-3.0.3/CHANGES.rst | 6 ++++++
Jinja2-3.0.3/src/jinja2/filters.py | 22 +++++++++++++++++-----
Jinja2-3.0.3/tests/test_filters.py | 11 ++++++-----
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst
index 9c58019..a62255b 100644
--- a/Jinja2-3.0.3/CHANGES.rst
+++ b/Jinja2-3.0.3/CHANGES.rst
@@ -1,5 +1,11 @@
.. currentmodule:: jinja2
+- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+ Regardless of any validation done by Jinja, user input should never be used
+ as keys to this filter, or must be separately validated first.
+ GHSA-h75v-3vvj-5mfj
+
Version 3.0.3
-------------
diff --git a/Jinja2-3.0.3/src/jinja2/filters.py b/Jinja2-3.0.3/src/jinja2/filters.py
index 002e129..f3d4fca 100644
--- a/Jinja2-3.0.3/src/jinja2/filters.py
+++ b/Jinja2-3.0.3/src/jinja2/filters.py
@@ -270,7 +270,9 @@ def do_lower(s: str) -> str:
"""Convert a value to lowercase."""
return soft_str(s).lower()
-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
@pass_eval_context
def do_xmlattr(
@@ -279,8 +281,14 @@ def do_xmlattr(
"""Create an SGML/XML attribute string based on the items in a dict.
All values that are neither `none` nor `undefined` are automatically
escaped:
- If any key contains a space, this fails with a ``ValueError``. Values that
- are neither ``none`` nor ``undefined`` are automatically escaped.
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
+ escaped, safely allowing untrusted user input.
+
+ User input should not be used as **keys** to this filter. If any key
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+ sign, this fails with a ``ValueError``. Regardless of this, user input
+ should never be used as keys to this filter, or must be separately validated
+ first.
.. sourcecode:: html+jinja
<ul{{ {'class': 'my_list', 'missing': none,
@@ -299,6 +307,10 @@ def do_xmlattr(
As you can see it automatically prepends a space in front of the item
if the filter returned something unless the second parameter is false.
+ .. versionchanged:: 3.1.4
+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
+ are not allowed.
+
.. versionchanged:: 3.1.3
Keys with spaces are not allowed.
"""
@@ -308,8 +320,8 @@ def do_xmlattr(
if value is None or isinstance(value, Undefined):
continue
- if _space_re.search(key) is not None:
- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+ if _attr_key_re.search(key) is not None:
+ raise ValueError(f"Invalid character in attribute name: {key!r}")
items.append(f'{escape(key)}="{escape(value)}"')
diff --git a/Jinja2-3.0.3/tests/test_filters.py b/Jinja2-3.0.3/tests/test_filters.py
index 45843fd..6533370 100644
--- a/Jinja2-3.0.3/tests/test_filters.py
+++ b/Jinja2-3.0.3/tests/test_filters.py
@@ -463,11 +463,12 @@ class TestFilter:
assert 'bar="23"' in out
assert 'blub:blub="&lt;?&gt;"' in out
- def test_xmlattr_key_with_spaces(self, env):
- with pytest.raises(ValueError, match="Spaces are not allowed"):
- env.from_string(
- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
- ).render()
+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
+ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
+ with pytest.raises(ValueError, match="Invalid character"):
+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
+ key=f"class{sep}onclick=alert(1)"
+ )
def test_sort1(self, env):
tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
--
2.33.0

81
backport-CVE-2024-56201.patch
View File

@ -1,81 +0,0 @@
From 336315f75ea1a788b3254bab5fb75f3aec558b67 Mon Sep 17 00:00:00 2001
From: JackWei <weihaohao2@huawei.com>
Date: Thu, 26 Dec 2024 14:49:28 +0800
Subject: [PATCH] fix CVE-2024-56201
---
Jinja2-3.0.3/CHANGES.rst | 3 +++
Jinja2-3.0.3/src/jinja2/compiler.py | 7 ++++++-
Jinja2-3.0.3/tests/test_compile.py | 19 +++++++++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst
index a62255b..55d8a96 100644
--- a/Jinja2-3.0.3/CHANGES.rst
+++ b/Jinja2-3.0.3/CHANGES.rst
@@ -1,5 +1,8 @@
.. currentmodule:: jinja2
+- Escape template name before formatting it into error messages, to avoid
+ issues with names that contain f-string syntax.
+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
diff --git a/Jinja2-3.0.3/src/jinja2/compiler.py b/Jinja2-3.0.3/src/jinja2/compiler.py
index 52fd5b8..0314f67 100644
--- a/Jinja2-3.0.3/src/jinja2/compiler.py
+++ b/Jinja2-3.0.3/src/jinja2/compiler.py
@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor):
)
self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
self.indent()
+ # The position will contain the template name, and will be formatted
+ # into a string that will be compiled into an f-string. Curly braces
+ # in the name must be replaced with escapes so that they will not be
+ # executed as part of the f-string.
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
message = (
"the template {included_template.__name__!r}"
- f" (imported on {self.position(node)})"
+ f" (imported on {position})"
f" does not export the requested name {name!r}"
)
self.writeline(
diff --git a/Jinja2-3.0.3/tests/test_compile.py b/Jinja2-3.0.3/tests/test_compile.py
index 42a773f..b33a877 100644
--- a/Jinja2-3.0.3/tests/test_compile.py
+++ b/Jinja2-3.0.3/tests/test_compile.py
@@ -1,6 +1,9 @@
import os
import re
+import pytest
+
+from jinja2 import UndefinedError
from jinja2.environment import Environment
from jinja2.loaders import DictLoader
@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path):
expect = [f"'bar{i}': " for i in range(10)]
found = re.findall(r"'bar\d': ", content)[:10]
assert found == expect
+
+
+def test_undefined_import_curly_name():
+ env = Environment(
+ loader=DictLoader(
+ {
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
+ "macro": "",
+ }
+ )
+ )
+
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
+ with pytest.raises(UndefinedError):
+ env.get_template("{bad}").render()
--
2.33.0

172
backport-CVE-2024-56326.patch
View File

@ -1,172 +0,0 @@
From 91a972f5808973cd441f4dc06873b2f8378f30c7 Mon Sep 17 00:00:00 2001
From: Lydxn <hlyndon20@gmail.com>
Date: Mon, 23 Sep 2024 15:09:10 -0700
Subject: [PATCH] sandbox indirect calls to str.format
---
Jinja2-3.0.3/src/jinja2/sandbox.py | 81 +++++++++++++++--------------
Jinja2-3.0.3/tests/test_security.py | 18 +++++++
2 files changed, 60 insertions(+), 39 deletions(-)
diff --git a/Jinja2-3.0.3/src/jinja2/sandbox.py b/Jinja2-3.0.3/src/jinja2/sandbox.py
index 4294884..2b328fe 100644
--- a/Jinja2-3.0.3/src/jinja2/sandbox.py
+++ b/Jinja2-3.0.3/src/jinja2/sandbox.py
@@ -7,6 +7,7 @@ import typing as t
from _string import formatter_field_name_split # type: ignore
from collections import abc
from collections import deque
+from functools import update_wrapper
from string import Formatter
from markupsafe import EscapeFormatter
@@ -79,21 +80,6 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type, t.FrozenSet[str]], ...] = (
),
)
-
-def inspect_format_method(callable: t.Callable) -> t.Optional[str]:
- if not isinstance(
- callable, (types.MethodType, types.BuiltinMethodType)
- ) or callable.__name__ not in ("format", "format_map"):
- return None
-
- obj = callable.__self__
-
- if isinstance(obj, str):
- return obj
-
- return None
-
-
def safe_range(*args: int) -> range:
"""A range that can't generate ranges with a length of more than
MAX_RANGE items.
@@ -313,6 +299,9 @@ class SandboxedEnvironment(Environment):
except AttributeError:
pass
else:
+ fmt = self.wrap_str_format(value)
+ if fmt is not None:
+ return fmt
if self.is_safe_attribute(obj, argument, value):
return value
return self.unsafe_undefined(obj, argument)
@@ -330,6 +319,9 @@ class SandboxedEnvironment(Environment):
except (TypeError, LookupError):
pass
else:
+ fmt = self.wrap_str_format(value)
+ if fmt is not None:
+ return fmt
if self.is_safe_attribute(obj, attribute, value):
return value
return self.unsafe_undefined(obj, attribute)
@@ -345,34 +337,48 @@ class SandboxedEnvironment(Environment):
exc=SecurityError,
)
- def format_string(
- self,
- s: str,
- args: t.Tuple[t.Any, ...],
- kwargs: t.Dict[str, t.Any],
- format_func: t.Optional[t.Callable] = None,
- ) -> str:
- """If a format call is detected, then this is routed through this
- method so that our safety sandbox can be used for it.
+ def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]:
+ """If the given value is a ``str.format`` or ``str.format_map`` method,
+ return a new function than handles sandboxing. This is done at access
+ rather than in :meth:`call`, so that calls made without ``call`` are
+ also sandboxed.
"""
+ if not isinstance(
+ value, (types.MethodType, types.BuiltinMethodType)
+ ) or value.__name__ not in ("format", "format_map"):
+ return None
+
+ f_self: t.Any = value.__self__
+
+ if not isinstance(f_self, str):
+ return None
+
+ str_type: t.Type[str] = type(f_self)
+ is_format_map = value.__name__ == "format_map"
formatter: SandboxedFormatter
- if isinstance(s, Markup):
- formatter = SandboxedEscapeFormatter(self, escape=s.escape)
+
+ if isinstance(f_self, Markup):
+ formatter = SandboxedEscapeFormatter(self, escape=f_self.escape)
else:
formatter = SandboxedFormatter(self)
- if format_func is not None and format_func.__name__ == "format_map":
- if len(args) != 1 or kwargs:
- raise TypeError(
- "format_map() takes exactly one argument"
- f" {len(args) + (kwargs is not None)} given"
- )
+ vformat = formatter.vformat
+
+ def wrapper(*args: t.Any, **kwargs: t.Any) -> str:
+ if is_format_map:
+ if kwargs:
+ raise TypeError("format_map() takes no keyword arguments")
+
+ if len(args) != 1:
+ raise TypeError(
+ f"format_map() takes exactly one argument ({len(args)} given)"
+ )
- kwargs = args[0]
- args = ()
+ kwargs = args[0]
+ args = ()
+ return str_type(vformat(f_self, args, kwargs))
- rv = formatter.vformat(s, args, kwargs)
- return type(s)(rv)
+ return update_wrapper(wrapper, value)
def call(
__self, # noqa: B902
@@ -382,9 +388,6 @@ class SandboxedEnvironment(Environment):
**kwargs: t.Any,
) -> t.Any:
"""Call an object from sandboxed code."""
- fmt = inspect_format_method(__obj)
- if fmt is not None:
- return __self.format_string(fmt, args, kwargs, __obj)
# the double prefixes are to avoid double keyword argument
# errors when proxying the call.
diff --git a/Jinja2-3.0.3/tests/test_security.py b/Jinja2-3.0.3/tests/test_security.py
index 0e8dc5c..9c8bad6 100644
--- a/Jinja2-3.0.3/tests/test_security.py
+++ b/Jinja2-3.0.3/tests/test_security.py
@@ -171,3 +171,21 @@ class TestStringFormatMap:
'{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}'
)
assert t.render() == "a42b&lt;foo&gt;"
+
+
+ def test_indirect_call(self):
+ def run(value, arg):
+ return value.run(arg)
+
+ env = SandboxedEnvironment()
+ env.filters["run"] = run
+ t = env.from_string(
+ """{% set
+ ns = namespace(run="{0.__call__.__builtins__[__import__]}".format)
+ %}
+ {{ ns | run(not_here) }}
+ """
+ )
+
+ with pytest.raises(SecurityError):
+ t.render()
--
2.43.0

105
backport-CVE-2025-27516.patch
View File

@ -1,105 +0,0 @@
From 065334d1ee5b7210e1a0a93c37238c86858f2af7 Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Wed, 5 Mar 2025 10:08:48 -0800
Subject: [PATCH] attr filter uses env.getattr
---
Jinja2-3.0.3/CHANGES.rst | 3 +++
Jinja2-3.0.3/src/jinja2/filters.py | 38 ++++++++++++-----------------
Jinja2-3.0.3/tests/test_security.py | 11 +++++++++
3 files changed, 30 insertions(+), 22 deletions(-)
diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst
index 55d8a96..9170467 100644
--- a/Jinja2-3.0.3/CHANGES.rst
+++ b/Jinja2-3.0.3/CHANGES.rst
@@ -1,5 +1,8 @@
.. currentmodule:: jinja2
+- The ``|attr`` filter does not bypass the environment's attribute lookup,
+ allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7`
+
- Escape template name before formatting it into error messages, to avoid
issues with names that contain f-string syntax.
:issue:`1792`, :ghsa:`gmj6-6f8f-6699`
diff --git a/Jinja2-3.0.3/src/jinja2/filters.py b/Jinja2-3.0.3/src/jinja2/filters.py
index f3d4fca..0449901 100644
--- a/Jinja2-3.0.3/src/jinja2/filters.py
+++ b/Jinja2-3.0.3/src/jinja2/filters.py
@@ -6,6 +6,7 @@ import typing
import typing as t
import warnings
from collections import abc
+from inspect import getattr_static
from itertools import chain
from itertools import groupby
@@ -1382,32 +1383,25 @@ def do_reverse(value: t.Union[str, t.Iterable[V]]) -> t.Union[str, t.Iterable[V]
def do_attr(
environment: "Environment", obj: t.Any, name: str
) -> t.Union[Undefined, t.Any]:
- """Get an attribute of an object. ``foo|attr("bar")`` works like
- ``foo.bar`` just that always an attribute is returned and items are not
- looked up.
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
+ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
+ if the attribute doesn't exist.
See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
"""
+ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
+ # But we want to call env.getattr to get behavior such as sandboxing.
+ # Determine if the attr exists first, so we know the fallback won't trigger.
try:
- name = str(name)
- except UnicodeError:
- pass
- else:
- try:
- value = getattr(obj, name)
- except AttributeError:
- pass
- else:
- if environment.sandboxed:
- environment = t.cast("SandboxedEnvironment", environment)
-
- if not environment.is_safe_attribute(obj, name, value):
- return environment.unsafe_undefined(obj, name)
-
- return value
-
- return environment.undefined(obj=obj, name=name)
-
+ # This avoids executing properties/descriptors, but misses __getattr__
+ # and __getattribute__ dynamic attrs.
+ getattr_static(obj, name)
+ except AttributeError:
+ # This finds dynamic attrs, and we know it's not a descriptor at this point.
+ if not hasattr(obj, name):
+ return environment.undefined(obj=obj, name=name)
+
+ return environment.getattr(obj, name)
@typing.overload
def sync_do_map(
diff --git a/Jinja2-3.0.3/tests/test_security.py b/Jinja2-3.0.3/tests/test_security.py
index 9c8bad6..323c6b5 100644
--- a/Jinja2-3.0.3/tests/test_security.py
+++ b/Jinja2-3.0.3/tests/test_security.py
@@ -189,3 +189,14 @@ class TestStringFormatMap:
with pytest.raises(SecurityError):
t.render()
+
+
+ def test_attr_filter(self) -> None:
+ env = SandboxedEnvironment()
+ t = env.from_string(
+ """{{ "{0.__call__.__builtins__[__import__]}"
+ | attr("format")(not_here) }}"""
+ )
+
+ with pytest.raises(SecurityError):
+ t.render()
--
2.46.0

32
python-jinja2.spec
View File

@ -2,17 +2,13 @@
Name: python-jinja2 Name: python-jinja2
Version: 3.0.3 Version: 3.0.3
Release: 7 Release: 3
Summary: A full-featured template engine for Python Summary: A full-featured template engine for Python
License: BSD License: BSD
URL: http://jinja.pocoo.org/ URL: http://jinja.pocoo.org/
Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
Patch6000: backport-CVE-2024-22195.patch Patch6000: backport-CVE-2024-22195.patch
Patch6001: backport-CVE-2024-34064.patch
Patch6002: backport-CVE-2024-56326.patch
Patch6003: backport-CVE-2024-56201.patch
Patch6004: backport-CVE-2025-27516.patch
BuildArch: noarch BuildArch: noarch
@ -68,31 +64,7 @@ popd
%doc Jinja2-%{version}/examples %doc Jinja2-%{version}/examples
%changelog %changelog
* Mon Mar 10 2025 changtao <changtao@kylinos.cn> - 3.0.3-7 * Mon Jan 22 2024 weihaohao <weihaohao2.huawei.com> - 3.0.3-3
- Type:CVE
- CVE:CVE-2025-27516
- SUG:NA
- DESC:fix CVE-2025-27516
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-6
- Type:CVE
- CVE:CVE-2024-56201
- SUG:NA
- DESC:fix CVE-2024-56201
* Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 3.0.3-5
- Type:CVE
- CVE:CVE-2024-56326
- SUG:NA
- DESC:fix CVE-2024-56326
* Fri May 10 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-4
- Type:CVE
- CVE:CVE-2024-34064
- SUG:NA
- DESC:fix CVE-2024-34064
* Mon Jan 22 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-3
- Type:CVE - Type:CVE
- CVE:CVE-2024-22195 - CVE:CVE-2024-22195
- SUG:NA - SUG:NA