!82 fix CVE-2024-56201
From: @jack0240 Reviewed-by: @yangyuan32 Signed-off-by: @yangyuan32
This commit is contained in:
openeuler-ci-bot
Gitee
commit
077beb6857
83
backport-CVE-2024-56201.patch
Normal file
83
backport-CVE-2024-56201.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
|
||||||
|
Date: Fri, 26 May 2023 14:32:36 +0200
|
||||||
|
Subject: [PATCH] fix f-string syntax error in code generation
|
||||||
|
|
||||||
|
Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
|
||||||
|
|
||||||
|
---
|
||||||
|
Jinja2-3.1.3/CHANGES.rst | 3 +++
|
||||||
|
Jinja2-3.1.3/src/jinja2/compiler.py | 7 ++++++-
|
||||||
|
Jinja2-3.1.3/tests/test_compile.py | 19 +++++++++++++++++++
|
||||||
|
3 files changed, 28 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst
|
||||||
|
index f70cacb..b0e9a77 100644
|
||||||
|
--- a/Jinja2-3.1.3/CHANGES.rst
|
||||||
|
+++ b/Jinja2-3.1.3/CHANGES.rst
|
||||||
|
@@ -1,5 +1,8 @@
|
||||||
|
.. currentmodule:: jinja2
|
||||||
|
|
||||||
|
+- Escape template name before formatting it into error messages, to avoid
|
||||||
|
+ issues with names that contain f-string syntax.
|
||||||
|
+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
|
||||||
|
- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
|
||||||
|
greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
|
||||||
|
Regardless of any validation done by Jinja, user input should never be used
|
||||||
|
diff --git a/Jinja2-3.1.3/src/jinja2/compiler.py b/Jinja2-3.1.3/src/jinja2/compiler.py
|
||||||
|
index ff95c80..1ebdcd9 100644
|
||||||
|
--- a/Jinja2-3.1.3/src/jinja2/compiler.py
|
||||||
|
+++ b/Jinja2-3.1.3/src/jinja2/compiler.py
|
||||||
|
@@ -1121,9 +1121,14 @@ class CodeGenerator(NodeVisitor):
|
||||||
|
)
|
||||||
|
self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
|
||||||
|
self.indent()
|
||||||
|
+ # The position will contain the template name, and will be formatted
|
||||||
|
+ # into a string that will be compiled into an f-string. Curly braces
|
||||||
|
+ # in the name must be replaced with escapes so that they will not be
|
||||||
|
+ # executed as part of the f-string.
|
||||||
|
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
|
||||||
|
message = (
|
||||||
|
"the template {included_template.__name__!r}"
|
||||||
|
- f" (imported on {self.position(node)})"
|
||||||
|
+ f" (imported on {position})"
|
||||||
|
f" does not export the requested name {name!r}"
|
||||||
|
)
|
||||||
|
self.writeline(
|
||||||
|
diff --git a/Jinja2-3.1.3/tests/test_compile.py b/Jinja2-3.1.3/tests/test_compile.py
|
||||||
|
index 42a773f..b33a877 100644
|
||||||
|
--- a/Jinja2-3.1.3/tests/test_compile.py
|
||||||
|
+++ b/Jinja2-3.1.3/tests/test_compile.py
|
||||||
|
@@ -1,6 +1,9 @@
|
||||||
|
import os
|
||||||
|
import re
|
||||||
|
|
||||||
|
+import pytest
|
||||||
|
+
|
||||||
|
+from jinja2 import UndefinedError
|
||||||
|
from jinja2.environment import Environment
|
||||||
|
from jinja2.loaders import DictLoader
|
||||||
|
|
||||||
|
@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path):
|
||||||
|
expect = [f"'bar{i}': " for i in range(10)]
|
||||||
|
found = re.findall(r"'bar\d': ", content)[:10]
|
||||||
|
assert found == expect
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def test_undefined_import_curly_name():
|
||||||
|
+ env = Environment(
|
||||||
|
+ loader=DictLoader(
|
||||||
|
+ {
|
||||||
|
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
|
||||||
|
+ "macro": "",
|
||||||
|
+ }
|
||||||
|
+ )
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
|
||||||
|
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
|
||||||
|
+ with pytest.raises(UndefinedError):
|
||||||
|
+ env.get_template("{bad}").render()
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: python-jinja2
|
Name: python-jinja2
|
||||||
Version: 3.1.3
|
Version: 3.1.3
|
||||||
Release: 3
|
Release: 4
|
||||||
Summary: A full-featured template engine for Python
|
Summary: A full-featured template engine for Python
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
URL: http://jinja.pocoo.org/
|
URL: http://jinja.pocoo.org/
|
||||||
@ -12,6 +12,7 @@ BuildArch: noarch
|
|||||||
|
|
||||||
Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
|
Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
|
||||||
Patch0002: backport-CVE-2024-56326.patch
|
Patch0002: backport-CVE-2024-56326.patch
|
||||||
|
Patch0003: backport-CVE-2024-56201.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Jinja2 is one of the most used template engines for Python. It is inspired by Django's
|
Jinja2 is one of the most used template engines for Python. It is inspired by Django's
|
||||||
@ -65,6 +66,12 @@ popd
|
|||||||
%doc Jinja2-%{version}/examples
|
%doc Jinja2-%{version}/examples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-4
|
||||||
|
- Type: CVE
|
||||||
|
- CVE: CVE-2024-56201
|
||||||
|
- SUG: NA
|
||||||
|
- DESC: fix CVE-2024-56201
|
||||||
|
|
||||||
* Thu Dec 26 2024 changtao <changtao@kylinos.cn> - 3.1.3-3
|
* Thu Dec 26 2024 changtao <changtao@kylinos.cn> - 3.1.3-3
|
||||||
- Type: CVE
|
- Type: CVE
|
||||||
- CVE: CVE-2024-56326
|
- CVE: CVE-2024-56326
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user