packages/python-jinja2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 2.11.2

Browse Source
This commit is contained in:
yeah_wang 2020-07-23 19:17:23 +08:00
parent 10b56f0ec7
commit 6649e3cd33
4 changed files with 11 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
CVE-2019-10906-sandbox-str-format_map.patch
View File

@ -1,93 +0,0 @@
From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
From: Armin Ronacher <armin.ronacher@active-4.com>
Date: Sat, 6 Apr 2019 10:50:47 -0700
Subject: [PATCH] sandbox str.format_map
reason: fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
escape.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1698839
---
jinja2/sandbox.py | 17 ++++++++++++++---
tests/test_security.py | 19 +++++++++++++++++++
2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/Jinja2-2.10/jinja2/sandbox.py b/Jinja2-2.10/jinja2/sandbox.py
index 93fb9d4..752e812 100644
--- a/Jinja2-2.10/jinja2/sandbox.py
+++ b/Jinja2-2.10/jinja2/sandbox.py
@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
def inspect_format_method(callable):
if not isinstance(callable, (types.MethodType,
types.BuiltinMethodType)) or \
- callable.__name__ != 'format':
+ callable.__name__ not in ('format', 'format_map'):
return None
obj = callable.__self__
if isinstance(obj, string_types):
@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
obj.__class__.__name__
), name=attribute, obj=obj, exc=SecurityError)
- def format_string(self, s, args, kwargs):
+ def format_string(self, s, args, kwargs, format_func=None):
"""If a format call is detected, then this is routed through this
method so that our safety sandbox can be used for it.
"""
@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
formatter = SandboxedEscapeFormatter(self, s.escape)
else:
formatter = SandboxedFormatter(self)
+
+ if format_func is not None and format_func.__name__ == 'format_map':
+ if len(args) != 1 or kwargs:
+ raise TypeError(
+ 'format_map() takes exactly one argument %d given'
+ % (len(args) + (kwargs is not None))
+ )
+
+ kwargs = args[0]
+ args = None
+
kwargs = _MagicFormatMapping(args, kwargs)
rv = formatter.vformat(s, args, kwargs)
return type(s)(rv)
@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
"""Call an object from sandboxed code."""
fmt = inspect_format_method(__obj)
if fmt is not None:
- return __self.format_string(fmt, args, kwargs)
+ return __self.format_string(fmt, args, kwargs, __obj)
# the double prefixes are to avoid double keyword argument
# errors when proxying the call.
diff --git a/Jinja2-2.10/tests/test_security.py b/Jinja2-2.10/tests/test_security.py
index 8e4222e..5c8639c 100644
--- a/Jinja2-2.10/tests/test_security.py
+++ b/Jinja2-2.10/tests/test_security.py
@@ -187,3 +187,22 @@ class TestStringFormat(object):
env = SandboxedEnvironment()
t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}')
assert t.render() == 'a42b&lt;foo&gt;'
+
+
+@pytest.mark.sandbox
+@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
+class TestStringFormatMap(object):
+ def test_basic_format_safety(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
+ assert t.render() == 'ab'
+
+ def test_basic_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
+ assert t.render() == 'a42b'
+
+ def test_safe_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}')
+ assert t.render() == 'a42b&lt;foo&gt;'
--
1.8.3.1

BIN
Jinja2-2.10.tar.gz
View File

Binary file not shown.

BIN
Jinja2-2.11.2.tar.gz Normal file
View File

Binary file not shown.

20
python-jinja2.spec
View File

@ -1,15 +1,13 @@
%global _name Jinja2 %global _name Jinja2
Name: python-jinja2 Name: python-jinja2
Version: 2.10 Version: 2.11.2
Release: 10 Release: 1
Summary: A full-featured template engine for Python Summary: A full-featured template engine for Python
License: BSD License: BSD
URL: http://jinja.pocoo.org/ URL: http://jinja.pocoo.org/
Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
#PATCH-CVE-UPSTREAM
Patch6000: CVE-2019-10906-sandbox-str-format_map.patch
BuildArch: noarch BuildArch: noarch
@ -49,7 +47,7 @@ This package is the python3 version of python-jinja2.
%autosetup -c -n Jinja2-%{version} -p1 %autosetup -c -n Jinja2-%{version} -p1
# fix EOL # fix EOL
sed -i 's|\r$||g' Jinja2-%{version}/LICENSE sed -i 's|\r$||g' Jinja2-%{version}/LICENSE.rst
cp -a Jinja2-%{version} python3 cp -a Jinja2-%{version} python3
@ -82,15 +80,13 @@ popd
%if %{with python2} %if %{with python2}
%files -n python2-jinja2 %files -n python2-jinja2
%doc Jinja2-%{version}/AUTHORS %license Jinja2-%{version}/LICENSE.rst
%license Jinja2-%{version}/LICENSE
%{python2_sitelib}/jinja2 %{python2_sitelib}/jinja2
%{python2_sitelib}/Jinja2*-info %{python2_sitelib}/Jinja2*-info
%endif %endif
%files -n python3-jinja2 %files -n python3-jinja2
%doc Jinja2-%{version}/AUTHORS %license Jinja2-%{version}/LICENSE.rst
%license Jinja2-%{version}/LICENSE
%{python3_sitelib}/jinja2 %{python3_sitelib}/jinja2
%{python3_sitelib}/Jinja2*-info %{python3_sitelib}/Jinja2*-info
@ -99,6 +95,12 @@ popd
%doc Jinja2-%{version}/ext Jinja2-%{version}/examples %doc Jinja2-%{version}/ext Jinja2-%{version}/examples
%changelog %changelog
* Thu Jul 23 2020 dingyue <dingyue5@huawei.com> - 2.11.2-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:revise description
* Sat Sep 21 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-10 * Sat Sep 21 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-10
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA