diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e51d293d29edaa8d6004122e5e6a306a81ee932b
--- /dev/null
+++ b/backport-CVE-2024-56201.patch
@@ -0,0 +1,81 @@
+From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
+From: Sigurd Spieckermann
+Date: Fri, 26 May 2023 14:32:36 +0200
+Subject: [PATCH] fix f-string syntax error in code generation
+
+Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
+
+---
+ Jinja2-2.11.2/CHANGES.rst | 3 +++
+ Jinja2-2.11.2/src/jinja2/compiler.py | 7 ++++++-
+ Jinja2-2.11.2/tests/test_compile.py | 20 ++++++++++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 Jinja2-2.11.2/tests/test_compile.py
+
+diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst
+index 2c7614b..6ef2d3d 100644
+--- a/Jinja2-2.11.2/CHANGES.rst
++++ b/Jinja2-2.11.2/CHANGES.rst
+@@ -1,5 +1,8 @@
+ .. currentmodule:: jinja2
+
++- Escape template name before formatting it into error messages, to avoid
++ issues with names that contain f-string syntax.
++ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
+ - The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+ Regardless of any validation done by Jinja, user input should never be used
+diff --git a/Jinja2-2.11.2/src/jinja2/compiler.py b/Jinja2-2.11.2/src/jinja2/compiler.py
+index 63297b4..3d6e3d7 100644
+--- a/Jinja2-2.11.2/src/jinja2/compiler.py
++++ b/Jinja2-2.11.2/src/jinja2/compiler.py
+@@ -1034,6 +1034,11 @@ class CodeGenerator(NodeVisitor):
+ )
+ self.writeline("if %s is missing:" % frame.symbols.ref(alias))
+ self.indent()
++ # The position will contain the template name, and will be formatted
++ # into a string that will be compiled into an f-string. Curly braces
++ # in the name must be replaced with escapes so that they will not be
++ # executed as part of the f-string.
++ position = self.position(node).replace("{", "{{").replace("}", "}}")
+ self.writeline(
+ "%s = undefined(%r %% "
+ "included_template.__name__, "
+@@ -1042,7 +1047,7 @@ class CodeGenerator(NodeVisitor):
+ frame.symbols.ref(alias),
+ "the template %%r (imported on %s) does "
+ "not export the requested name %s"
+- % (self.position(node), repr(name)),
++ % (position, repr(name)),
+ name,
+ )
+ )
+diff --git a/Jinja2-2.11.2/tests/test_compile.py b/Jinja2-2.11.2/tests/test_compile.py
+new file mode 100644
+index 0000000..12ce0e7
+--- /dev/null
++++ b/Jinja2-2.11.2/tests/test_compile.py
+@@ -0,0 +1,20 @@
++import pytest
++
++from jinja2 import UndefinedError
++from jinja2.environment import Environment
++from jinja2.loaders import DictLoader
++
++def test_undefined_import_curly_name():
++ env = Environment(
++ loader=DictLoader(
++ {
++ "{bad}": "{% from 'macro' import m %}{{ m() }}",
++ "macro": "",
++ }
++ )
++ )
++
++ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
++ # that `{bad}` is being interpreted as an f-string. It must be escaped.
++ with pytest.raises(UndefinedError):
++ env.get_template("{bad}").render()
+-- 
+2.33.0
+
diff --git a/python-jinja2.spec b/python-jinja2.spec
index 2ddb69c6bb0e818b8da82db38c08ffb10aedd1da..c4713d085382651b10d10a45d2be37014ad4a3c0 100644
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@@ -2,7 +2,7 @@
 Name: python-jinja2
 Version: 2.11.2
-Release: 8
+Release: 9
 Summary: A full-featured template engine for Python
 License: BSD
 URL: http://jinja.pocoo.org/
@@ -16,6 +16,7 @@ Patch9000: huawei-replace-instances-of-the-older-style-tmpdir-fixture.patch
 Patch9001: backport-CVE-2024-56326.patch
 Patch9002: backport-CVE-2024-56326-2.patch
 Patch9003: backport-CVE-2024-56326-3.patch
+Patch9004: backport-CVE-2024-56201.patch
 BuildArch: noarch
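Review bot: The escaping added at `position = self.position(node).replace("{", "{{").replace("}", "}}")` appears to be inert in this generator, because the surrounding context lines emit the message through `%r` (`"%s = undefined(%r %% "`), i.e. as a repr'd plain string literal rather than the f-string that the copied comment and upstream 3.x rely on; as far as the visible lines show, the only observable effect on 2.11.2 is that the error for a template named `{bad}` will now print `'{{bad}}'`, since nothing later un-doubles the braces. The added test does not discriminate either way: an undefined `m()` raises UndefinedError with or without this change in 2.11 (`Undefined.__call__` is the failing path there), so it demonstrates neither the vulnerability nor the fix. Before shipping this as the CVE-2024-56201 fix, check the generated code on an unpatched 2.11.2 with `env.compile(src, name="{bad}", raw=True)` for an `f'...'` literal around the `undefined(` call; if there is none, record the package as not affected rather than applying a no-op, and if the backport is kept, reword the copied comment (it asserts a mechanism this generator does not use) and make the test assert on the message text. The enclosing method starts and ends outside the hunk.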
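Review bot: The new `Patch9004: backport-CVE-2024-56201.patch` tag comes with no `%prep` hunk, so unless `%prep` (not visible here) uses `%autosetup`/`%autopatch`, the patch is declared but never applied while the changelog claims the CVE fixed. Confirm with `rpmbuild -bp` that the prepared `Jinja2-2.11.2/src/jinja2/compiler.py` contains the new `position = ...` line, or add the explicit `%patch9004 -p1` next to the existing 900x applications. Note the patch paths are rooted at `Jinja2-2.11.2/`, so `-p1` must run from the directory above the unpacked tarball, matching the `%doc Jinja2-%{version}/...` layout.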
@@ -113,6 +114,12 @@ popd
 %doc Jinja2-%{version}/ext Jinja2-%{version}/examples
 %changelog
+* Thu Dec 26 2024 weihaohao - 2.11.2-9
+ Type:CVE
+ CVE:CVE-2024-56201
+ SUG:NA
+ DESC:fix CVE-2024-56201
+
 * Wed Dec 25 2024 changtao - 2.11.2-8
 Type:CVE
 CVE:CVE-2024-56326