commit f58d1e798aa6b9fd2bb8734cb7b1b50e3077a510
Author: overweight <5324761+overweight@user.noreply.gitee.com>
Date: Mon Sep 30 11:15:04 2019 -0400
Package init
diff --git a/CVE-2019-10906-sandbox-str-format_map.patch b/CVE-2019-10906-sandbox-str-format_map.patch
new file mode 100644
index 0000000..b3150ba
--- /dev/null
+++ b/CVE-2019-10906-sandbox-str-format_map.patch
@@ -0,0 +1,93 @@
+From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
+From: Armin Ronacher
+Date: Sat, 6 Apr 2019 10:50:47 -0700
+Subject: [PATCH] sandbox str.format_map
+
+reason: fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
+escape.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1698839
+---
+ jinja2/sandbox.py | 17 ++++++++++++++---
+ tests/test_security.py | 19 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/Jinja2-2.10/jinja2/sandbox.py b/Jinja2-2.10/jinja2/sandbox.py
+index 93fb9d4..752e812 100644
+--- a/Jinja2-2.10/jinja2/sandbox.py
++++ b/Jinja2-2.10/jinja2/sandbox.py
+@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
+ def inspect_format_method(callable):
+ if not isinstance(callable, (types.MethodType,
+ types.BuiltinMethodType)) or \
+- callable.__name__ != 'format':
++ callable.__name__ not in ('format', 'format_map'):
+ return None
+ obj = callable.__self__
+ if isinstance(obj, string_types):
+@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
+ obj.__class__.__name__
+ ), name=attribute, obj=obj, exc=SecurityError)
+
+- def format_string(self, s, args, kwargs):
++ def format_string(self, s, args, kwargs, format_func=None):
+ """If a format call is detected, then this is routed through this
+ method so that our safety sandbox can be used for it.
+ """
+@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
+ formatter = SandboxedEscapeFormatter(self, s.escape)
+ else:
+ formatter = SandboxedFormatter(self)
++
++ if format_func is not None and format_func.__name__ == 'format_map':
++ if len(args) != 1 or kwargs:
++ raise TypeError(
++ 'format_map() takes exactly one argument %d given'
++ % (len(args) + (kwargs is not None))
++ )
++
++ kwargs = args[0]
++ args = None
++
+ kwargs = _MagicFormatMapping(args, kwargs)
+ rv = formatter.vformat(s, args, kwargs)
+ return type(s)(rv)
+@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
+ """Call an object from sandboxed code."""
+ fmt = inspect_format_method(__obj)
+ if fmt is not None:
+- return __self.format_string(fmt, args, kwargs)
++ return __self.format_string(fmt, args, kwargs, __obj)
+
+ # the double prefixes are to avoid double keyword argument
+ # errors when proxying the call.
+diff --git a/Jinja2-2.10/tests/test_security.py b/Jinja2-2.10/tests/test_security.py
+index 8e4222e..5c8639c 100644
+--- a/Jinja2-2.10/tests/test_security.py
++++ b/Jinja2-2.10/tests/test_security.py
+@@ -187,3 +187,22 @@ class TestStringFormat(object):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "") }}')
+ assert t.render() == 'a42b<foo>'
++
++
++@pytest.mark.sandbox
++@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
++class TestStringFormatMap(object):
++ def test_basic_format_safety(self):
++ env = SandboxedEnvironment()
++ t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
++ assert t.render() == 'ab'
++
++ def test_basic_format_all_okay(self):
++ env = SandboxedEnvironment()
++ t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
++ assert t.render() == 'a42b'
++
++ def test_safe_format_all_okay(self):
++ env = SandboxedEnvironment()
++ t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":""}) }}')
++ assert t.render() == 'a42b<foo>'
+--
+1.8.3.1
+
diff --git a/Jinja2-2.10.tar.gz b/Jinja2-2.10.tar.gz
new file mode 100644
index 0000000..c311087
Binary files /dev/null and b/Jinja2-2.10.tar.gz differ
diff --git a/python-jinja2.spec b/python-jinja2.spec
new file mode 100644
index 0000000..fe172f6
--- /dev/null
+++ b/python-jinja2.spec
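Review bot: The argument count in the new `TypeError` raised in `format_string` is `len(args) + (kwargs is not None)`, which adds one for the keyword dict even when it is empty, so a template calling `"{x}".format_map()` would be told `1 given` for zero arguments (assuming `call`, whose signature sits above the hunk, always forwards its `**kwargs` as a dict, as the "double prefixes" comment suggests). `len(args) + bool(kwargs)` counts what was actually passed, and CPython's own wording, `'format_map() takes exactly one argument (%d given)'`, makes the message recognisable. The new `format_func` parameter is undocumented; add to the docstring something like `:param format_func: the bound str.format/str.format_map method being proxied; for format_map the single positional mapping is moved into kwargs and args is set to None`, and a short comment on the `args = None` branch noting that a positional `{}` field then presumably fails inside `vformat` with a `TypeError` rather than with CPython's "positional fields" `ValueError`, so the sandbox still rejects it but with a different error. Both `format_string` and `call` extend outside the hunk.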
@@ -0,0 +1,124 @@
+%global _name Jinja2
+
+Name: python-jinja2
+Version: 2.10
+Release: 10
+Summary: A full-featured template engine for Python
+License: BSD
+URL: http://jinja.pocoo.org/
+Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
+
+#PATCH-CVE-UPSTREAM
+Patch6000: CVE-2019-10906-sandbox-str-format_map.patch
+
+BuildArch: noarch
+
+%description
+Jinja2 is one of the most used template engines for Python. It is inspired by Django's
+templating system but extends it with an expressive language that gives template authors
+a more powerful set of tools. On top of that it adds sandboxed execution and optional
+automatic escaping for applications where security is important.
+
+%if %{with python2}
+%package -n python2-jinja2
+Summary: General purpose template engine for python2
+
+BuildRequires: python2-markupsafe python2-babel
+BuildRequires: python2-pytest python2-devel python2-setuptools
+Requires: python2-babel python2-markupsafe python2-setuptools
+%{?python_provide:%python_provide python2-jinja2}
+
+%description -n python2-jinja2
+This package is the python2 version of python-jinja2.
+%endif
+
+%package -n python3-jinja2
+Summary: General purpose template engine for python3
+
+BuildRequires: python3-markupsafe python3-babel
+BuildRequires: python3-pytest python3-devel python3-setuptools
+Requires: python3-babel python3-markupsafe python3-setuptools
+%{?python_provide:%python_provide python3-jinja2}
+
+%description -n python3-jinja2
+This package is the python3 version of python-jinja2.
+
+%package_help
+
+%prep
+%autosetup -c -n Jinja2-%{version} -p1
+
+# fix EOL
+sed -i 's|\r$||g' Jinja2-%{version}/LICENSE
+
+cp -a Jinja2-%{version} python3
+
+%build
+%if %{with python2}
+pushd Jinja2-%{version}
+%py2_build
+popd
+%endif
+
+pushd python3
+%py3_build
+popd
+
+%install
+%if %{with python2}
+pushd Jinja2-%{version}
+%py2_install
+
+#valid on python above 3.6, if not removed, installation will fail
+rm %{buildroot}%{python2_sitelib}/jinja2/asyncsupport.py
+rm %{buildroot}%{python2_sitelib}/jinja2/asyncfilters.py
+
+popd
+%endif
+
+pushd python3
+%py3_install
+popd
+
+%if %{with python2}
+%files -n python2-jinja2
+%doc Jinja2-%{version}/AUTHORS
+%license Jinja2-%{version}/LICENSE
+%{python2_sitelib}/jinja2
+%{python2_sitelib}/Jinja2*-info
+%endif
+
+%files -n python3-jinja2
+%doc Jinja2-%{version}/AUTHORS
+%license Jinja2-%{version}/LICENSE
+%{python3_sitelib}/jinja2
+%{python3_sitelib}/Jinja2*-info
+
+%files help
+%doc Jinja2-%{version}/CHANGES.rst Jinja2-%{version}/PKG-INFO
+%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
+
+%changelog
+* Sat Sep 21 2019 shenyangyang - 2.10-10
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:revise description
+
+* Mon Sep 15 2019 shenyangyang - 2.10-9
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:strenthen spec
+
+* Fri Aug 16 2019 Enbo Kang - 2.10-8
+- Type:security
+- ID:CVE-2019-10906
+- SUG:NA
+- DESC:fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
+
+* Mon Aug 12 2019 alex chen - 2.10-7
+- Enable python2 build by default
+
+* Wed Jul 18 2018 openEuler Buildteam - 2.10-6
+- Package init
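Review bot: `Source0` names the PyPI download URL, but the build presumably consumes the `Jinja2-2.10.tar.gz` committed in the same change, and nothing in the spec records a digest tying that tarball to the upstream release, so a reviewer cannot tell whether the CVE-2019-10906 backport is layered on a pristine 2.10 tree; add the upstream sha256 as a comment beside `Source0` (`# sha256 of Jinja2-2.10.tar.gz from PyPI: <digest>`) or in the distro's sources file so it can be checked against the vendored archive. `URL:` uses plain `http://jinja.pocoo.org/`; prefer `https://`. The bare `#PATCH-CVE-UPSTREAM` marker on `Patch6000` would carry more provenance as `# CVE-2019-10906: backport of upstream commit a2a6c930bcca (see patch header)`. The comment above the two `rm` lines in `%install` explains the consequence but not the cause; if the reason is that these modules use `async`/`await` syntax that only parses on Python >= 3.6 (so byte-compiling them under python2 fails), say so explicitly, e.g. `# asyncsupport.py/asyncfilters.py use async/await syntax (Python >= 3.6 only); byte-compiling them under python2 fails the install` — confirm that is the actual failure before changing the wording.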