diff --git a/CVE-2024-34064.patch b/CVE-2024-34064.patch new file mode 100644 index 0000000000000000000000000000000000000000..2b1d706a70696de464d9ad86260df242933779f4 --- /dev/null +++ b/CVE-2024-34064.patch @@ -0,0 +1,77 @@ +From 5d0b496b29214838494b1d65bd04718113911450 Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Thu, 9 May 2024 13:43:38 +0200 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +--- + Jinja2-2.10.1/jinja2/filters.py | 18 +++++++++++++----- + Jinja2-2.10.1/tests/test_filters.py | 11 ++++++----- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/Jinja2-2.10.1/jinja2/filters.py b/Jinja2-2.10.1/jinja2/filters.py +index d473058..3e33f57 100644 +--- a/Jinja2-2.10.1/jinja2/filters.py ++++ b/Jinja2-2.10.1/jinja2/filters.py +@@ -150,15 +150,23 @@ def do_lower(s): + return soft_unicode(s).lower() + + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + + @evalcontextfilter + def do_xmlattr(_eval_ctx, d, autospace=True): + """Create an SGML/XML attribute string based on the items in a dict. + +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -184,8 +192,8 @@ def do_xmlattr(_eval_ctx, d, autospace=True): + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/Jinja2-2.10.1/tests/test_filters.py b/Jinja2-2.10.1/tests/test_filters.py +index 911d10a..153356d 100644 +--- a/Jinja2-2.10.1/tests/test_filters.py ++++ b/Jinja2-2.10.1/tests/test_filters.py +@@ -389,11 +389,12 @@ class TestFilter(object): + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string( +-- +2.45.0 + diff --git a/python-jinja2.spec b/python-jinja2.spec index 3d5eb81b211ffcacb04261bff72a9f4ef942046f..153554dc26d6cab2c36659b2090934f843a360d2 100755 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.2 +%define anolis_release .0.3 %if 0%{?rhel} > 7 # Disable python2 build by default %bcond_with python2 @@ -42,6 +42,10 @@ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-% Patch0: CVE-2020-28493.patch Patch1: CVE-2024-22195.patch +# Security fix for CVE-2024-34064 +# Resolved upstream: https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb +Patch2: CVE-2024-34064.patch + BuildArch: noarch %description @@ -137,6 +141,7 @@ environments. %patch0 -p1 %patch1 -p1 +%patch2 -p1 # cleanup find Jinja2-%{version} -name '*.pyo' -o -name '*.pyc' -delete @@ -244,6 +249,9 @@ popd %changelog +* Tue Jul 09 2024 songmingliang - 2.10.1-3.0.3 +- Fix CVE-2024-34064 + * Fri Jun 07 2024 Kai Song - 2.10.1-3.0.2 - Fix CVE-2024-22195