packages/python-jinja2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-56201

Browse Source
This commit is contained in:
JackWei 2024-12-26 14:20:11 +08:00
parent dc5e5c2b95
commit f5a073ff6c
2 changed files with 91 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
backport-CVE-2024-56201.patch Normal file
View File

@ -0,0 +1,83 @@
From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
Date: Fri, 26 May 2023 14:32:36 +0200
Subject: [PATCH] fix f-string syntax error in code generation
Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
---
Jinja2-3.1.3/CHANGES.rst | 3 +++
Jinja2-3.1.3/src/jinja2/compiler.py | 7 ++++++-
Jinja2-3.1.3/tests/test_compile.py | 19 +++++++++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst
index f70cacb..b0e9a77 100644
--- a/Jinja2-3.1.3/CHANGES.rst
+++ b/Jinja2-3.1.3/CHANGES.rst
@@ -1,5 +1,8 @@
.. currentmodule:: jinja2
+- Escape template name before formatting it into error messages, to avoid
+ issues with names that contain f-string syntax.
+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
diff --git a/Jinja2-3.1.3/src/jinja2/compiler.py b/Jinja2-3.1.3/src/jinja2/compiler.py
index ff95c80..1ebdcd9 100644
--- a/Jinja2-3.1.3/src/jinja2/compiler.py
+++ b/Jinja2-3.1.3/src/jinja2/compiler.py
@@ -1121,9 +1121,14 @@ class CodeGenerator(NodeVisitor):
)
self.writeline(f"if {frame.symbols.ref(alias)} is missing:")
self.indent()
+ # The position will contain the template name, and will be formatted
+ # into a string that will be compiled into an f-string. Curly braces
+ # in the name must be replaced with escapes so that they will not be
+ # executed as part of the f-string.
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
message = (
"the template {included_template.__name__!r}"
- f" (imported on {self.position(node)})"
+ f" (imported on {position})"
f" does not export the requested name {name!r}"
)
self.writeline(
diff --git a/Jinja2-3.1.3/tests/test_compile.py b/Jinja2-3.1.3/tests/test_compile.py
index 42a773f..b33a877 100644
--- a/Jinja2-3.1.3/tests/test_compile.py
+++ b/Jinja2-3.1.3/tests/test_compile.py
@@ -1,6 +1,9 @@
import os
import re
+import pytest
+
+from jinja2 import UndefinedError
from jinja2.environment import Environment
from jinja2.loaders import DictLoader
@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path):
expect = [f"'bar{i}': " for i in range(10)]
found = re.findall(r"'bar\d': ", content)[:10]
assert found == expect
+
+
+def test_undefined_import_curly_name():
+ env = Environment(
+ loader=DictLoader(
+ {
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
+ "macro": "",
+ }
+ )
+ )
+
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
+ with pytest.raises(UndefinedError):
+ env.get_template("{bad}").render()
--
2.33.0

9
python-jinja2.spec
View File

@ -2,7 +2,7 @@
Name: python-jinja2
Version: 3.1.3
Release: 3
Release: 4
Summary: A full-featured template engine for Python
License: BSD-3-Clause
URL: http://jinja.pocoo.org/
@ -12,6 +12,7 @@ BuildArch: noarch
Patch0001: 0001-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
Patch0002: backport-CVE-2024-56326.patch
Patch0003: backport-CVE-2024-56201.patch
%description
Jinja2 is one of the most used template engines for Python. It is inspired by Django's
@ -65,6 +66,12 @@ popd
%doc Jinja2-%{version}/examples
%changelog
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 3.1.3-4
- Type: CVE
- CVE: CVE-2024-56201
- SUG: NA
- DESC: fix CVE-2024-56201
* Thu Dec 26 2024 changtao <changtao@kylinos.cn> - 3.1.3-3
- Type: CVE
- CVE: CVE-2024-56326