diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch new file mode 100644 index 0000000000000000000000000000000000000000..e7fe9d42949264b0f74110bed0a0d932c846ce5e --- /dev/null +++ b/backport-CVE-2024-56201.patch @@ -0,0 +1,86 @@ +From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001 +From: Sigurd Spieckermann +Date: Fri, 26 May 2023 14:32:36 +0200 +Subject: [PATCH] fix f-string syntax error in code generation + +Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9 + +--- + Jinja2-3.0.3/CHANGES.rst | 3 +++ + Jinja2-3.0.3/src/jinja2/compiler.py | 7 ++++++- + Jinja2-3.0.3/tests/test_compile.py | 21 +++++++++++++++++++++ + 3 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst +index a62255b..0e6ce07 100644 +--- a/Jinja2-3.0.3/CHANGES.rst ++++ b/Jinja2-3.0.3/CHANGES.rst +@@ -11,6 +11,9 @@ Version 3.0.3 + + Released 2021-11-09 + ++- Escape template name before formatting it into error messages, to avoid ++ issues with names that contain f-string syntax. ++ :issue:`1792`, :ghsa:`gmj6-6f8f-6699` + - Fix traceback rewriting internals for Python 3.10 and 3.11. + :issue:`1535` + - Fix how the native environment treats leading and trailing spaces +diff --git a/Jinja2-3.0.3/src/jinja2/compiler.py b/Jinja2-3.0.3/src/jinja2/compiler.py +index 52fd5b8..0314f67 100644 +--- a/Jinja2-3.0.3/src/jinja2/compiler.py ++++ b/Jinja2-3.0.3/src/jinja2/compiler.py +@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor): + ) + self.writeline(f"if {frame.symbols.ref(alias)} is missing:") + self.indent() ++ # The position will contain the template name, and will be formatted ++ # into a string that will be compiled into an f-string. Curly braces ++ # in the name must be replaced with escapes so that they will not be ++ # executed as part of the f-string. ++ position = self.position(node).replace("{", "{{").replace("}", "}}") + message = ( + "the template {included_template.__name__!r}" +- f" (imported on {self.position(node)})" ++ f" (imported on {position})" + f" does not export the requested name {name!r}" + ) + self.writeline( +diff --git a/Jinja2-3.0.3/tests/test_compile.py b/Jinja2-3.0.3/tests/test_compile.py +index 42a773f..bb47651 100644 +--- a/Jinja2-3.0.3/tests/test_compile.py ++++ b/Jinja2-3.0.3/tests/test_compile.py +@@ -1,6 +1,9 @@ + import os + import re + ++import pytest ++ ++from jinja2 import UndefinedError + from jinja2.environment import Environment + from jinja2.loaders import DictLoader + +@@ -26,3 +29,21 @@ def test_import_as_with_context_deterministic(tmp_path): + expect = [f"'bar{i}': " for i in range(10)] + found = re.findall(r"'bar\d': ", content)[:10] + assert found == expect ++ ++ ++ ++ ++def test_undefined_import_curly_name(): ++ env = Environment( ++ loader=DictLoader( ++ { ++ "{bad}": "{% from 'macro' import m %}{{ m() }}", ++ "macro": "", ++ } ++ ) ++ ) ++ ++ # Must not raise `NameError: 'bad' is not defined`, as that would indicate ++ # that `{bad}` is being interpreted as an f-string. It must be escaped. ++ with pytest.raises(UndefinedError): ++ env.get_template("{bad}").render() +-- +2.43.0 + diff --git a/python-jinja2.spec b/python-jinja2.spec index c11bd230c140702be33d2a56d17fab90994dd509..6e2ee8c26e55465a446da841228d39b6717156c3 100644 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -2,7 +2,7 @@ Name: python-jinja2 Version: 3.0.3 -Release: 5 +Release: 6 Summary: A full-featured template engine for Python License: BSD URL: http://jinja.pocoo.org/ @@ -11,6 +11,7 @@ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-% Patch6000: backport-CVE-2024-22195.patch Patch6001: backport-CVE-2024-34064.patch Patch6002: backport-CVE-2024-56326.patch +Patch6003: backport-CVE-2024-56201.patch BuildArch: noarch @@ -66,6 +67,12 @@ popd %doc Jinja2-%{version}/examples %changelog +* Thu Dec 26 2024 changtao - 3.0.3-6 +- Type:CVE +- CVE:CVE-2024-56201 +- SUG:NA +- DESC:fix CVE-2024-56201 + * Wed Dec 25 2024 changtao - 3.0.3-5 - Type:CVE - CVE:CVE-2024-56326