packages/python-jinja2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!97 [sync] PR-94: fix CVE-2025-27516

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @yangyuan32 
Signed-off-by: @yangyuan32
This commit is contained in:
openeuler-ci-bot 2025-05-12 06:50:54 +00:00 committed by Gitee
commit ad740d5fb2
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 111 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
backport-CVE-2025-27516.patch Normal file
View File

@ -0,0 +1,103 @@
From b428dd9593a26e7191708572f294b24ddd1d156f Mon Sep 17 00:00:00 2001
From: maoyanping <maoyanping@xfusion.com>
Date: Fri, 18 Apr 2025 16:58:20 +0800
Subject: [PATCH] backport-CVE-2025-27516
---
Jinja2-3.1.3/CHANGES.rst | 3 +++
Jinja2-3.1.3/src/jinja2/filters.py | 35 +++++++++++++++--------------------
Jinja2-3.1.3/tests/test_security.py | 10 ++++++++++
3 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst
index 2001e3c..af86746 100644
--- a/Jinja2-3.1.3/CHANGES.rst
+++ b/Jinja2-3.1.3/CHANGES.rst
@@ -1,5 +1,8 @@
.. currentmodule:: jinja2
+- The ``|attr`` filter does not bypass the environment's attribute lookup,
+ allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7`
+
- Escape template name before formatting it into error messages, to avoid
issues with names that contain f-string syntax.
:issue:`1792`, :ghsa:`gmj6-6f8f-6699`
diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py
index c73dd89..aacb30d 100644
--- a/Jinja2-3.1.3/src/jinja2/filters.py
+++ b/Jinja2-3.1.3/src/jinja2/filters.py
@@ -5,6 +5,7 @@ import re
import typing
import typing as t
from collections import abc
+from inspect import getattr_static
from itertools import chain
from itertools import groupby
@@ -1399,30 +1400,24 @@ def do_attr(
environment: "Environment", obj: t.Any, name: str
) -> t.Union[Undefined, t.Any]:
"""Get an attribute of an object. ``foo|attr("bar")`` works like
- ``foo.bar`` just that always an attribute is returned and items are not
- looked up.
+ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
+ if the attribute doesn't exist.
See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
"""
+ # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
+ # But we want to call env.getattr to get behavior such as sandboxing.
+ # Determine if the attr exists first, so we know the fallback won't trigger.
try:
- name = str(name)
- except UnicodeError:
- pass
- else:
- try:
- value = getattr(obj, name)
- except AttributeError:
- pass
- else:
- if environment.sandboxed:
- environment = t.cast("SandboxedEnvironment", environment)
-
- if not environment.is_safe_attribute(obj, name, value):
- return environment.unsafe_undefined(obj, name)
-
- return value
-
- return environment.undefined(obj=obj, name=name)
+ # This avoids executing properties/descriptors, but misses __getattr__
+ # and __getattribute__ dynamic attrs.
+ getattr_static(obj, name)
+ except AttributeError:
+ # This finds dynamic attrs, and we know it's not a descriptor at this point.
+ if not hasattr(obj, name):
+ return environment.undefined(obj=obj, name=name)
+
+ return environment.getattr(obj, name)
@typing.overload
diff --git a/Jinja2-3.1.3/tests/test_security.py b/Jinja2-3.1.3/tests/test_security.py
index 9c8bad6..0a0fddf 100644
--- a/Jinja2-3.1.3/tests/test_security.py
+++ b/Jinja2-3.1.3/tests/test_security.py
@@ -189,3 +189,13 @@ class TestStringFormatMap:
with pytest.raises(SecurityError):
t.render()
+
+ def test_attr_filter(self) -> None:
+ env = SandboxedEnvironment()
+ t = env.from_string(
+ """{{ "{0.__call__.__builtins__[__import__]}"
+ | attr("format")(not_here) }}"""
+ )
+
+ with pytest.raises(SecurityError):
+ t.render()
\ No newline at end of file
--
2.33.0

9
python-jinja2.spec
View File

@ -2,7 +2,7 @@
Name: python-jinja2 Name: python-jinja2
Version: 3.1.3 Version: 3.1.3
Release: 4 Release: 5
Summary: A full-featured template engine for Python Summary: A full-featured template engine for Python
License: BSD-3-Clause License: BSD-3-Clause
URL: http://jinja.pocoo.org/ URL: http://jinja.pocoo.org/
@ -13,6 +13,7 @@ BuildArch: noarch
Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
Patch0002: backport-CVE-2024-56326.patch Patch0002: backport-CVE-2024-56326.patch
Patch0003: backport-CVE-2024-56201.patch Patch0003: backport-CVE-2024-56201.patch
Patch0004: backport-CVE-2025-27516.patch
%description %description
Jinja2 is one of the most used template engines for Python. It is inspired by Django's Jinja2 is one of the most used template engines for Python. It is inspired by Django's
@ -66,6 +67,12 @@ popd
%doc Jinja2-%{version}/examples %doc Jinja2-%{version}/examples
%changelog %changelog
* Fri Apr 18 2025 maoyanping <maoyanping@xfusion.com> - 3.1.3-5
- Type: CVE
- CVE: CVE-2025-27516
- SUG: NA
- DESC: fix CVE-2025-27516
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-4 * Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-4
- Type: CVE - Type: CVE
- CVE: CVE-2024-56201 - CVE: CVE-2024-56201