diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b55ec68d5f5bb2abab03d0b0877da913ccc9eeb --- /dev/null +++ b/backport-CVE-2024-56201.patch @@ -0,0 +1,81 @@ +From 336315f75ea1a788b3254bab5fb75f3aec558b67 Mon Sep 17 00:00:00 2001 +From: JackWei +Date: Thu, 26 Dec 2024 14:49:28 +0800 +Subject: [PATCH] fix CVE-2024-56201 + +--- + Jinja2-3.0.3/CHANGES.rst | 3 +++ + Jinja2-3.0.3/src/jinja2/compiler.py | 7 ++++++- + Jinja2-3.0.3/tests/test_compile.py | 19 +++++++++++++++++++ + 3 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst +index a62255b..55d8a96 100644 +--- a/Jinja2-3.0.3/CHANGES.rst ++++ b/Jinja2-3.0.3/CHANGES.rst +@@ -1,5 +1,8 @@ + .. currentmodule:: jinja2 + ++- Escape template name before formatting it into error messages, to avoid ++ issues with names that contain f-string syntax. ++ :issue:`1792`, :ghsa:`gmj6-6f8f-6699` + - The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` + greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. + Regardless of any validation done by Jinja, user input should never be used +diff --git a/Jinja2-3.0.3/src/jinja2/compiler.py b/Jinja2-3.0.3/src/jinja2/compiler.py +index 52fd5b8..0314f67 100644 +--- a/Jinja2-3.0.3/src/jinja2/compiler.py ++++ b/Jinja2-3.0.3/src/jinja2/compiler.py +@@ -1122,9 +1122,14 @@ class CodeGenerator(NodeVisitor): + ) + self.writeline(f"if {frame.symbols.ref(alias)} is missing:") + self.indent() ++ # The position will contain the template name, and will be formatted ++ # into a string that will be compiled into an f-string. Curly braces ++ # in the name must be replaced with escapes so that they will not be ++ # executed as part of the f-string. ++ position = self.position(node).replace("{", "{{").replace("}", "}}") + message = ( + "the template {included_template.__name__!r}" +- f" (imported on {self.position(node)})" ++ f" (imported on {position})" + f" does not export the requested name {name!r}" + ) + self.writeline( +diff --git a/Jinja2-3.0.3/tests/test_compile.py b/Jinja2-3.0.3/tests/test_compile.py +index 42a773f..b33a877 100644 +--- a/Jinja2-3.0.3/tests/test_compile.py ++++ b/Jinja2-3.0.3/tests/test_compile.py +@@ -1,6 +1,9 @@ + import os + import re + ++import pytest ++ ++from jinja2 import UndefinedError + from jinja2.environment import Environment + from jinja2.loaders import DictLoader + +@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path): + expect = [f"'bar{i}': " for i in range(10)] + found = re.findall(r"'bar\d': ", content)[:10] + assert found == expect ++ ++ ++def test_undefined_import_curly_name(): ++ env = Environment( ++ loader=DictLoader( ++ { ++ "{bad}": "{% from 'macro' import m %}{{ m() }}", ++ "macro": "", ++ } ++ ) ++ ) ++ ++ # Must not raise `NameError: 'bad' is not defined`, as that would indicate ++ # that `{bad}` is being interpreted as an f-string. It must be escaped. ++ with pytest.raises(UndefinedError): ++ env.get_template("{bad}").render() +-- +2.33.0 + diff --git a/python-jinja2.spec b/python-jinja2.spec index c11bd230c140702be33d2a56d17fab90994dd509..18d9a0b6e97d9161dfc99ef18617c66adfe080cc 100644 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -2,7 +2,7 @@ Name: python-jinja2 Version: 3.0.3 -Release: 5 +Release: 6 Summary: A full-featured template engine for Python License: BSD URL: http://jinja.pocoo.org/ @@ -11,6 +11,7 @@ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-% Patch6000: backport-CVE-2024-22195.patch Patch6001: backport-CVE-2024-34064.patch Patch6002: backport-CVE-2024-56326.patch +Patch6003: backport-CVE-2024-56201.patch BuildArch: noarch @@ -66,6 +67,12 @@ popd %doc Jinja2-%{version}/examples %changelog +* Thu Dec 26 2024 weihaohao - 3.0.3-6 +- Type:CVE +- CVE:CVE-2024-56201 +- SUG:NA +- DESC:fix CVE-2024-56201 + * Wed Dec 25 2024 changtao - 3.0.3-5 - Type:CVE - CVE:CVE-2024-56326