diff --git a/CVE-2019-10906-sandbox-str-format_map.patch b/CVE-2019-10906-sandbox-str-format_map.patch
deleted file mode 100644
index b3150bae1be36308f390d7d525b2912bebab358f..0000000000000000000000000000000000000000
--- a/CVE-2019-10906-sandbox-str-format_map.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
-From: Armin Ronacher
-Date: Sat, 6 Apr 2019 10:50:47 -0700
-Subject: [PATCH] sandbox str.format_map
-
-reason: fix CVE-2019-10906 python-jinja2:str.format_map allows sandbox
-escape.
-
-Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1698839
----
- jinja2/sandbox.py | 17 ++++++++++++++---
- tests/test_security.py | 19 +++++++++++++++++++
- 2 files changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/Jinja2-2.10/jinja2/sandbox.py b/Jinja2-2.10/jinja2/sandbox.py
-index 93fb9d4..752e812 100644
---- a/Jinja2-2.10/jinja2/sandbox.py
-+++ b/Jinja2-2.10/jinja2/sandbox.py
-@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
- def inspect_format_method(callable):
- if not isinstance(callable, (types.MethodType,
- types.BuiltinMethodType)) or \
-- callable.__name__ != 'format':
-+ callable.__name__ not in ('format', 'format_map'):
- return None
- obj = callable.__self__
- if isinstance(obj, string_types):
-@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
- obj.__class__.__name__
- ), name=attribute, obj=obj, exc=SecurityError)
- 
-- def format_string(self, s, args, kwargs):
-+ def format_string(self, s, args, kwargs, format_func=None):
- """If a format call is detected, then this is routed through this
- method so that our safety sandbox can be used for it.
- """
-@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
- formatter = SandboxedEscapeFormatter(self, s.escape)
- else:
- formatter = SandboxedFormatter(self)
-+
-+ if format_func is not None and format_func.__name__ == 'format_map':
-+ if len(args) != 1 or kwargs:
-+ raise TypeError(
-+ 'format_map() takes exactly one argument %d given'
-+ % (len(args) + (kwargs is not None))
-+ )
-+
-+ kwargs = args[0]
-+ args = None
-+
- kwargs = _MagicFormatMapping(args, kwargs)
- rv = formatter.vformat(s, args, kwargs)
- return type(s)(rv)
-@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
- """Call an object from sandboxed code."""
- fmt = inspect_format_method(__obj)
- if fmt is not None:
-- return __self.format_string(fmt, args, kwargs)
-+ return __self.format_string(fmt, args, kwargs, __obj)
- 
- # the double prefixes are to avoid double keyword argument
- # errors when proxying the call.
-diff --git a/Jinja2-2.10/tests/test_security.py b/Jinja2-2.10/tests/test_security.py
-index 8e4222e..5c8639c 100644
---- a/Jinja2-2.10/tests/test_security.py
-+++ b/Jinja2-2.10/tests/test_security.py
-@@ -187,3 +187,22 @@ class TestStringFormat(object):
- env = SandboxedEnvironment()
- t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "") }}')
- assert t.render() == 'a42b<foo>'
-+
-+
-+@pytest.mark.sandbox
-+@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires str.format_map method')
-+class TestStringFormatMap(object):
-+ def test_basic_format_safety(self):
-+ env = SandboxedEnvironment()
-+ t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
-+ assert t.render() == 'ab'
-+
-+ def test_basic_format_all_okay(self):
-+ env = SandboxedEnvironment()
-+ t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
-+ assert t.render() == 'a42b'
-+
-+ def test_safe_format_all_okay(self):
-+ env = SandboxedEnvironment()
-+ t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":""}) }}')
-+ assert t.render() == 'a42b<foo>'
---
-1.8.3.1
-
diff --git a/Jinja2-2.10.tar.gz b/Jinja2-2.10.tar.gz
deleted file mode 100644
index c311087add4d461c116ca80f26cd7f96b4c77be3..0000000000000000000000000000000000000000
Binary files a/Jinja2-2.10.tar.gz and /dev/null differ
diff --git a/Jinja2-2.11.2.tar.gz b/Jinja2-2.11.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ee8d0490bd6da55149d950bc1a1c8823fe32fe1d
Binary files /dev/null and b/Jinja2-2.11.2.tar.gz differ
diff --git a/python-jinja2.spec b/python-jinja2.spec
index fe172f62f3b91e36bbea836203327ddbcc148246..f07c060042d1b130f7c3bd6127b92c8ea35dbdd3 100644
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@@ -1,16 +1,13 @@
 %global _name Jinja2
 Name: python-jinja2
-Version: 2.10
-Release: 10
+Version: 2.11.2
+Release: 1
 Summary: A full-featured template engine for Python
 License: BSD
 URL: http://jinja.pocoo.org/
 Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
-#PATCH-CVE-UPSTREAM
-Patch6000: CVE-2019-10906-sandbox-str-format_map.patch
-
 BuildArch: noarch
 %description
@@ -49,7 +46,7 @@ This package is the python3 version of python-jinja2.
 %autosetup -c -n Jinja2-%{version} -p1
 # fix EOL
-sed -i 's|\r$||g' Jinja2-%{version}/LICENSE
+sed -i 's|\r$||g' Jinja2-%{version}/LICENSE.rst
 cp -a Jinja2-%{version} python3
@@ -82,15 +79,13 @@ popd
 %if %{with python2}
 %files -n python2-jinja2
-%doc Jinja2-%{version}/AUTHORS
-%license Jinja2-%{version}/LICENSE
+%license Jinja2-%{version}/LICENSE.rst
 %{python2_sitelib}/jinja2
 %{python2_sitelib}/Jinja2*-info
 %endif
 %files -n python3-jinja2
-%doc Jinja2-%{version}/AUTHORS
-%license Jinja2-%{version}/LICENSE
+%license Jinja2-%{version}/LICENSE.rst
 %{python3_sitelib}/jinja2
 %{python3_sitelib}/Jinja2*-info
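Review bot: Dropping `Patch6000: CVE-2019-10906-sandbox-str-format_map.patch` in the first spec hunk leaves the spec with no record of why the fix is no longer needed; it is safe only because the deleted patch is upstream commit a2a6c930 of 2019-04-06, which as far as I recall shipped in Jinja2 2.10.1 and is therefore already contained in the 2.11.2 tarball, but nothing in this diff states that. The changelog entry in the last hunk reads only `- DESC:update version to 2.11.2`; I would extend it to `- DESC:update version to 2.11.2, drop CVE-2019-10906 patch (fix carried upstream since 2.10.1)` so the CVE resolution stays traceable in package history. During the rebase it is also worth confirming that the new tarball's tests/test_security.py still carries the TestStringFormatMap cases the dropped patch added, since no %check section is visible in this diff that would exercise the sandbox behaviour.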
@@ -99,6 +94,12 @@ popd
 %doc Jinja2-%{version}/ext Jinja2-%{version}/examples
 %changelog
+* Mon Aug 31 2020 shixuantong - 2.11.2
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:update version to 2.11.2
+
 * Sat Sep 21 2019 shenyangyang - 2.10-10
 - Type:enhancement
 - ID:NA