diff --git a/backport-CVE-2024-34064.patch b/backport-CVE-2024-34064.patch new file mode 100644 index 0000000000000000000000000000000000000000..08430d4a5d8462e438d222774d44b83a7a90dc2d --- /dev/null +++ b/backport-CVE-2024-34064.patch @@ -0,0 +1,109 @@ +From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Thu, 2 May 2024 09:14:00 -0700 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb +Conflict:NA + +--- + Jinja2-3.0.3/CHANGES.rst | 6 ++++++ + Jinja2-3.0.3/src/jinja2/filters.py | 22 +++++++++++++++++----- + Jinja2-3.0.3/tests/test_filters.py | 11 ++++++----- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst +index 9c58019..a62255b 100644 +--- a/Jinja2-3.0.3/CHANGES.rst ++++ b/Jinja2-3.0.3/CHANGES.rst +@@ -1,5 +1,11 @@ + .. currentmodule:: jinja2 + ++- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` ++ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. ++ Regardless of any validation done by Jinja, user input should never be used ++ as keys to this filter, or must be separately validated first. ++ GHSA-h75v-3vvj-5mfj ++ + Version 3.0.3 + ------------- + +diff --git a/Jinja2-3.0.3/src/jinja2/filters.py b/Jinja2-3.0.3/src/jinja2/filters.py +index 002e129..f3d4fca 100644 +--- /Jinja2-3.0.3a/src/jinja2/filters.py ++++ b/Jinja2-3.0.3/src/jinja2/filters.py +@@ -270,7 +270,9 @@ def do_lower(s: str) -> str: + """Convert a value to lowercase.""" + return soft_str(s).lower() + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + @pass_eval_context + def do_xmlattr( +@@ -279,8 +281,14 @@ def do_xmlattr( + """Create an SGML/XML attribute string based on the items in a dict. + All values that are neither `none` nor `undefined` are automatically + escaped: +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + .. sourcecode:: html+jinja + + `` greater-than sign, or ``=`` equals sign ++ are not allowed. ++ + .. versionchanged:: 3.1.3 + Keys with spaces are not allowed. + """ +@@ -308,8 +320,8 @@ def do_xmlattr( + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/Jinja2-3.0.3/tests/test_filters.py b/Jinja2-3.0.3/tests/test_filters.py +index 45843fd..6533370 100644 +--- a/Jinja2-3.0.3/tests/test_filters.py ++++ b/Jinja2-3.0.3/tests/test_filters.py +@@ -463,11 +463,12 @@ class TestFilter: + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") +-- +2.33.0 + diff --git a/python-jinja2.spec b/python-jinja2.spec index 104a5879d88016b546029e6fa01df2dfddfae5c9..14fe1eef21f0fb3422c9d799513ef22e9c8825d4 100644 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -2,13 +2,14 @@ Name: python-jinja2 Version: 3.0.3 -Release: 3 +Release: 4 Summary: A full-featured template engine for Python License: BSD URL: http://jinja.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz Patch6000: backport-CVE-2024-22195.patch +Patch6001: backport-CVE-2024-34064.patch BuildArch: noarch @@ -64,7 +65,13 @@ popd %doc Jinja2-%{version}/examples %changelog -* Mon Jan 22 2024 weihaohao - 3.0.3-3 +* Fri May 10 2024 weihaohao - 3.0.3-4 +- Type:CVE +- CVE:CVE-2024-34064 +- SUG:NA +- DESC:fix CVE-2024-34064 + +* Mon Jan 22 2024 weihaohao - 3.0.3-3 - Type:CVE - CVE:CVE-2024-22195 - SUG:NA