Package init

CVE-2019-10906-sandbox-str-format_map.patch

@@ -0,0 +1,93 @@
+From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
+From: Armin Ronacher <armin.ronacher@active-4.com>
+Date: Sat, 6 Apr 2019 10:50:47 -0700
+Subject: [PATCH] sandbox str.format_map
+
+reason: fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
+escape.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1698839
+---
+ jinja2/sandbox.py      | 17 ++++++++++++++---
+ tests/test_security.py | 19 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/Jinja2-2.10/jinja2/sandbox.py b/Jinja2-2.10/jinja2/sandbox.py
+index 93fb9d4..752e812 100644
+--- a/Jinja2-2.10/jinja2/sandbox.py
++++ b/Jinja2-2.10/jinja2/sandbox.py
+@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
+ def inspect_format_method(callable):
+     if not isinstance(callable, (types.MethodType,
+                                  types.BuiltinMethodType)) or \
+-       callable.__name__ != 'format':
++       callable.__name__ not in ('format', 'format_map'):
+         return None
+     obj = callable.__self__
+     if isinstance(obj, string_types):
+@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
+             obj.__class__.__name__
+         ), name=attribute, obj=obj, exc=SecurityError)
+ 
+-    def format_string(self, s, args, kwargs):
++    def format_string(self, s, args, kwargs, format_func=None):
+         """If a format call is detected, then this is routed through this
+         method so that our safety sandbox can be used for it.
+         """
+@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
+             formatter = SandboxedEscapeFormatter(self, s.escape)
+         else:
+             formatter = SandboxedFormatter(self)
++
++        if format_func is not None and format_func.__name__ == 'format_map':
++            if len(args) != 1 or kwargs:
++                raise TypeError(
++                    'format_map() takes exactly one argument %d given'
++                    % (len(args) + (kwargs is not None))
++                )
++
++            kwargs = args[0]
++            args = None
++
+         kwargs = _MagicFormatMapping(args, kwargs)
+         rv = formatter.vformat(s, args, kwargs)
+         return type(s)(rv)
+@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
+         """Call an object from sandboxed code."""
+         fmt = inspect_format_method(__obj)
+         if fmt is not None:
+-            return __self.format_string(fmt, args, kwargs)
++            return __self.format_string(fmt, args, kwargs, __obj)
+ 
+         # the double prefixes are to avoid double keyword argument
+         # errors when proxying the call.
+diff --git a/Jinja2-2.10/tests/test_security.py b/Jinja2-2.10/tests/test_security.py
+index 8e4222e..5c8639c 100644
+--- a/Jinja2-2.10/tests/test_security.py
++++ b/Jinja2-2.10/tests/test_security.py
+@@ -187,3 +187,22 @@ class TestStringFormat(object):
+         env = SandboxedEnvironment()
+         t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}')
+         assert t.render() == 'a42b&lt;foo&gt;'
++
++
++@pytest.mark.sandbox
++@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
++class TestStringFormatMap(object):
++    def test_basic_format_safety(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
++        assert t.render() == 'ab'
++
++    def test_basic_format_all_okay(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
++        assert t.render() == 'a42b'
++
++    def test_safe_format_all_okay(self):
++        env = SandboxedEnvironment()
++        t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}')
++        assert t.render() == 'a42b&lt;foo&gt;'
+-- 
+1.8.3.1
+

python-jinja2.spec

@@ -0,0 +1,124 @@
+%global _name Jinja2
+
+Name:           python-jinja2
+Version:        2.10
+Release:        10
+Summary:        A full-featured template engine for Python
+License:        BSD
+URL:            http://jinja.pocoo.org/
+Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
+
+#PATCH-CVE-UPSTREAM
+Patch6000:      CVE-2019-10906-sandbox-str-format_map.patch
+
+BuildArch:      noarch
+
+%description
+Jinja2 is one of the most used template engines for Python. It is inspired by Django's
+templating system but extends it with an expressive language that gives template authors
+a more powerful set of tools. On top of that it adds sandboxed execution and optional
+automatic escaping for applications where security is important.
+
+%if %{with python2}
+%package -n python2-jinja2
+Summary:        General purpose template engine for python2
+
+BuildRequires:  python2-markupsafe python2-babel
+BuildRequires:  python2-pytest python2-devel python2-setuptools
+Requires:       python2-babel python2-markupsafe python2-setuptools
+%{?python_provide:%python_provide python2-jinja2}
+
+%description -n python2-jinja2
+This package is the python2 version of python-jinja2.
+%endif
+
+%package -n python3-jinja2
+Summary:        General purpose template engine for python3
+
+BuildRequires:  python3-markupsafe python3-babel
+BuildRequires:  python3-pytest python3-devel python3-setuptools
+Requires:       python3-babel python3-markupsafe python3-setuptools
+%{?python_provide:%python_provide python3-jinja2}
+
+%description -n python3-jinja2
+This package is the python3 version of python-jinja2.
+
+%package_help
+
+%prep
+%autosetup -c -n Jinja2-%{version} -p1
+
+# fix EOL
+sed -i 's|\r$||g' Jinja2-%{version}/LICENSE
+
+cp -a Jinja2-%{version} python3
+
+%build
+%if %{with python2}
+pushd Jinja2-%{version}
+%py2_build
+popd
+%endif
+
+pushd python3
+%py3_build
+popd
+
+%install
+%if %{with python2}
+pushd Jinja2-%{version}
+%py2_install
+
+#valid on python above 3.6, if not removed, installation will fail
+rm %{buildroot}%{python2_sitelib}/jinja2/asyncsupport.py
+rm %{buildroot}%{python2_sitelib}/jinja2/asyncfilters.py
+
+popd
+%endif
+
+pushd python3
+%py3_install
+popd
+
+%if %{with python2}
+%files -n python2-jinja2
+%doc Jinja2-%{version}/AUTHORS
+%license Jinja2-%{version}/LICENSE
+%{python2_sitelib}/jinja2
+%{python2_sitelib}/Jinja2*-info
+%endif
+
+%files -n python3-jinja2
+%doc Jinja2-%{version}/AUTHORS
+%license Jinja2-%{version}/LICENSE
+%{python3_sitelib}/jinja2
+%{python3_sitelib}/Jinja2*-info
+
+%files help
+%doc Jinja2-%{version}/CHANGES.rst Jinja2-%{version}/PKG-INFO
+%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
+
+%changelog
+* Sat Sep 21 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-10
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:revise description
+
+* Mon Sep 15 2019 shenyangyang <shenyangyang4@huawei.com> - 2.10-9
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:strenthen spec
+
+* Fri Aug 16 2019 Enbo Kang <kangenbo@huawei.com> - 2.10-8
+- Type:security
+- ID:CVE-2019-10906
+- SUG:NA
+- DESC:fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
+
+* Mon Aug 12 2019 alex chen <alex.chen@huawei.com> - 2.10-7
+- Enable python2 build by default
+
+* Wed Jul 18 2018 openEuler Buildteam <buildteam@openeuler.org> - 2.10-6
+- Package init