!47 fix CVE-2024-34064

From: @xuchenc 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
openeuler-ci-bot 2024-05-07 08:32:51 +00:00 committed by Gitee
commit bf97ca7b4d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 114 additions and 1 deletions


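--- a/0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
+++ b/0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
@@ -0,0 +1,105 @@
+From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Tue, 7 May 2024 10:19:28 +0800
+Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
+---
+Jinja2-3.1.3/CHANGES.rst | 6 ++++++
+Jinja2-3.1.3/src/jinja2/filters.py | 21 ++++++++++++++++-----
+Jinja2-3.1.3/tests/test_filters.py | 11 ++++++-----
+3 files changed, 28 insertions(+), 10 deletions(-)
+diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst
+index 08a1785..f70cacb 100644
+--- a/Jinja2-3.1.3/CHANGES.rst
++++ b/Jinja2-3.1.3/CHANGES.rst
+@@ -1,5 +1,11 @@
+.. currentmodule:: jinja2
++- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
++ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
++ Regardless of any validation done by Jinja, user input should never be used
++ as keys to this filter, or must be separately validated first.
++ GHSA-h75v-3vvj-5mfj
++
+Version 3.1.3
+-------------
+diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py
+index c7ecc9b..c73dd89 100644
+--- a/Jinja2-3.1.3/src/jinja2/filters.py
++++ b/Jinja2-3.1.3/src/jinja2/filters.py
+@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
+yield from value.items()
+-_space_re = re.compile(r"\s", flags=re.ASCII)
++# Check for characters that would move the parser state from key to value.
++# https://html.spec.whatwg.org/#attribute-name-state
++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+@pass_eval_context
+@@ -257,8 +259,13 @@ def do_xmlattr(
+) -> str:
+"""Create an SGML/XML attribute string based on the items in a dict.
+- If any key contains a space, this fails with a ``ValueError``. Values that
+- are neither ``none`` nor ``undefined`` are automatically escaped.
++ **Values** that are neither ``none`` nor ``undefined`` are automatically
++ escaped, safely allowing untrusted user input.
++ User input should not be used as **keys** to this filter. If any key
++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
++ sign, this fails with a ``ValueError``. Regardless of this, user input
++ should never be used as keys to this filter, or must be separately validated
++ first.
+.. sourcecode:: html+jinja
+@@ -278,6 +285,10 @@ def do_xmlattr(
+As you can see it automatically prepends a space in front of the item
+if the filter returned something unless the second parameter is false.
++ .. versionchanged:: 3.1.4
++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
++ are not allowed.
++
+.. versionchanged:: 3.1.3
+Keys with spaces are not allowed.
+"""
+@@ -287,8 +298,8 @@ def do_xmlattr(
+if value is None or isinstance(value, Undefined):
+continue
+- if _space_re.search(key) is not None:
+- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++ if _attr_key_re.search(key) is not None:
++ raise ValueError(f"Invalid character in attribute name: {key!r}")
+items.append(f'{escape(key)}="{escape(value)}"')
+diff --git a/Jinja2-3.1.3/tests/test_filters.py b/Jinja2-3.1.3/tests/test_filters.py
+index f50ed13..d8e9114 100644
+--- a/Jinja2-3.1.3/tests/test_filters.py
++++ b/Jinja2-3.1.3/tests/test_filters.py
+@@ -474,11 +474,12 @@ class TestFilter:
+assert 'bar="23"' in out
+assert 'blub:blub="&lt;?&gt;"' in out
+- def test_xmlattr_key_with_spaces(self, env):
+- with pytest.raises(ValueError, match="Spaces are not allowed"):
+- env.from_string(
+- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
+- ).render()
++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
++ with pytest.raises(ValueError, match="Invalid character"):
++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
++ key=f"class{sep}onclick=alert(1)"
++ )
+def test_sort1(self, env):
+tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
+--
+2.27.0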
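Review bot: In the filters.py hunk the new `_attr_key_re` check sits after the `if value is None or isinstance(value, Undefined): continue` branch, so a key containing whitespace, `/`, `>` or `=` is silently accepted whenever its value is none or undefined, rather than raising the ValueError the updated docstring promises; this mirrors upstream, but it makes key validation depend on the value. Moving the two-line `_attr_key_re` check above the `continue` would reject such keys unconditionally, and the parametrized test could gain a case that renders the key with a `none` value to pin that. The rewritten test annotates `env: Environment`; the backport should confirm that 3.1.3's tests/test_filters.py already imports `Environment`, otherwise the module fails at collection time. The body of do_xmlattr starts and ends outside the hunk.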


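--- a/SPEC_FILE_PATH_PLACEHOLDER
+++ b/SPEC_FILE_PATH_PLACEHOLDER
@@ -2,7 +2,7 @@
 Name: python-jinja2
 Version: 3.1.3
-Release: 1
+Release: 2
 Summary: A full-featured template engine for Python
 License: BSD-3-Clause
 URL: http://jinja.pocoo.org/
@@ -10,6 +10,8 @@ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%
 BuildArch: noarch
+Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
 %description
 Jinja2 is one of the most used template engines for Python. It is inspired by Django's
 templating system but extends it with an expressive language that gives template authors
@@ -62,6 +64,12 @@ popd
 %doc Jinja2-%{version}/examples
 %changelog
+* Tue May 7 2024 xuchenchen <xuchenchen@kylinos.cn> - 3.1.3-2
+- Type: CVE
+- CVE: CVE-2024-34064
+- SUG: NA
+- DESC: fix disallow invalid characters in keys to xmlattr filter
 * Thu Jan 25 2024 shixuantong <shixuantong1@huawei.com> - 3.1.3-1
 - Upgrade package to 3.1.3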
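Review bot: `Patch0001` is declared in the second hunk, but none of the visible hunks show it being applied, and the `%prep` section lies outside what the page shows; if `%prep` uses `%setup` rather than `%autosetup -p1`, release 2 would ship the patch file without the fix. The patch's paths carry a `Jinja2-3.1.3/` prefix, so it presumably has to be applied with `-p1` from the directory above the unpacked source, which looks consistent with the `popd` context in the third hunk. Confirm in the build log that the patch is applied and that the new `test_xmlattr_key_invalid` cases run and pass during `%check`.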