update to 2.11.2

CVE-2019-10906-sandbox-str-format_map.patch

@@ -1,93 +0,0 @@
-From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
-From: Armin Ronacher <armin.ronacher@active-4.com>
-Date: Sat, 6 Apr 2019 10:50:47 -0700
-Subject: [PATCH] sandbox str.format_map
-
-reason: fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
-escape.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1698839
----
- jinja2/sandbox.py      | 17 ++++++++++++++---
- tests/test_security.py | 19 +++++++++++++++++++
- 2 files changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/Jinja2-2.10/jinja2/sandbox.py b/Jinja2-2.10/jinja2/sandbox.py
-index 93fb9d4..752e812 100644
---- a/Jinja2-2.10/jinja2/sandbox.py
-+++ b/Jinja2-2.10/jinja2/sandbox.py
-@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
- def inspect_format_method(callable):
-     if not isinstance(callable, (types.MethodType,
-                                  types.BuiltinMethodType)) or \
--       callable.__name__ != 'format':
-+       callable.__name__ not in ('format', 'format_map'):
-         return None
-     obj = callable.__self__
-     if isinstance(obj, string_types):
-@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
-             obj.__class__.__name__
-         ), name=attribute, obj=obj, exc=SecurityError)
- 
--    def format_string(self, s, args, kwargs):
-+    def format_string(self, s, args, kwargs, format_func=None):
-         """If a format call is detected, then this is routed through this
-         method so that our safety sandbox can be used for it.
-         """
-@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
-             formatter = SandboxedEscapeFormatter(self, s.escape)
-         else:
-             formatter = SandboxedFormatter(self)
-+
-+        if format_func is not None and format_func.__name__ == 'format_map':
-+            if len(args) != 1 or kwargs:
-+                raise TypeError(
-+                    'format_map() takes exactly one argument %d given'
-+                    % (len(args) + (kwargs is not None))
-+                )
-+
-+            kwargs = args[0]
-+            args = None
-+
-         kwargs = _MagicFormatMapping(args, kwargs)
-         rv = formatter.vformat(s, args, kwargs)
-         return type(s)(rv)
-@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
-         """Call an object from sandboxed code."""
-         fmt = inspect_format_method(__obj)
-         if fmt is not None:
--            return __self.format_string(fmt, args, kwargs)
-+            return __self.format_string(fmt, args, kwargs, __obj)
- 
-         # the double prefixes are to avoid double keyword argument
-         # errors when proxying the call.
-diff --git a/Jinja2-2.10/tests/test_security.py b/Jinja2-2.10/tests/test_security.py
-index 8e4222e..5c8639c 100644
---- a/Jinja2-2.10/tests/test_security.py
-+++ b/Jinja2-2.10/tests/test_security.py
-@@ -187,3 +187,22 @@ class TestStringFormat(object):
-         env = SandboxedEnvironment()
-         t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}')
-         assert t.render() == 'a42b&lt;foo&gt;'
-+
-+
-+@pytest.mark.sandbox
-+@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
-+class TestStringFormatMap(object):
-+    def test_basic_format_safety(self):
-+        env = SandboxedEnvironment()
-+        t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
-+        assert t.render() == 'ab'
-+
-+    def test_basic_format_all_okay(self):
-+        env = SandboxedEnvironment()
-+        t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
-+        assert t.render() == 'a42b'
-+
-+    def test_safe_format_all_okay(self):
-+        env = SandboxedEnvironment()
-+        t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}')
-+        assert t.render() == 'a42b&lt;foo&gt;'
--- 
-1.8.3.1
-

python-jinja2.spec

@@ -1,15 +1,13 @@
 %global _name Jinja2
 
 Name:           python-jinja2
-Version:        2.10
-Release:        10
+Version:        2.11.2
+Release:        1
 Summary:        A full-featured template engine for Python
 License:        BSD
 URL:            http://jinja.pocoo.org/
 Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
 
-#PATCH-CVE-UPSTREAM
-Patch6000:      CVE-2019-10906-sandbox-str-format_map.patch
 
 BuildArch:      noarch
 
@@ -49,7 +47,7 @@ This package is the python3 version of python-jinja2.
 %autosetup -c -n Jinja2-%{version} -p1
 
 # fix EOL
-sed -i 's|\r$||g' Jinja2-%{version}/LICENSE
+sed -i 's|\r$||g' Jinja2-%{version}/LICENSE.rst
 
 cp -a Jinja2-%{version} python3
 
@@ -82,15 +80,13 @@ popd
 
 %if %{with python2}
 %files -n python2-jinja2
-%doc Jinja2-%{version}/AUTHORS
-%license Jinja2-%{version}/LICENSE
+%license Jinja2-%{version}/LICENSE.rst
 %{python2_sitelib}/jinja2
 %{python2_sitelib}/Jinja2*-info
 %endif
 
 %files -n python3-jinja2
-%doc Jinja2-%{version}/AUTHORS
-%license Jinja2-%{version}/LICENSE
+%license Jinja2-%{version}/LICENSE.rst
 %{python3_sitelib}/jinja2
 %{python3_sitelib}/Jinja2*-info
 
@@ -99,6 +95,12 @@ popd
 %doc Jinja2-%{version}/ext Jinja2-%{version}/examples
 
 %changelog
+* Thu Jul 23 2020 dingyue <dingyue5@huawei.com> - 2.11.2-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:revise description
+
 * Sat Sep 21 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-10
 - Type:enhancement
 - ID:NA