diff --git a/Jinja2-3.1.3.tar.gz b/Jinja2-3.1.3.tar.gz deleted file mode 100644 index a0cc07e3ef9fbd14974b6b6c5dfbd6eccae6bde6..0000000000000000000000000000000000000000 Binary files a/Jinja2-3.1.3.tar.gz and /dev/null differ diff --git a/backport-CVE-2024-34064.patch b/backport-CVE-2024-34064.patch deleted file mode 100644 index b1843a0d1ac1613ba5b2835870c9edc716310bc2..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-34064.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001 -From: David Lord -Date: Thu, 2 May 2024 09:14:00 -0700 -Subject: [PATCH] disallow invalid characters in keys to xmlattr filter - -Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb -Conflict:NA - ---- - Jinja2-3.1.3/CHANGES.rst | 6 ++++++ - Jinja2-3.1.3/src/jinja2/filters.py | 22 +++++++++++++++++----- - Jinja2-3.1.3/tests/test_filters.py | 11 ++++++----- - 3 files changed, 29 insertions(+), 10 deletions(-) - -diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst -index 08a1785..f70cacb 100644 ---- a/Jinja2-3.1.3/CHANGES.rst -+++ b/Jinja2-3.1.3/CHANGES.rst -@@ -1,5 +1,11 @@ - .. currentmodule:: jinja2 - -+- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` -+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. -+ Regardless of any validation done by Jinja, user input should never be used -+ as keys to this filter, or must be separately validated first. -+ GHSA-h75v-3vvj-5mfj -+ - Version 3.1.3 - ------------- - -diff --git a/Jinja2-3.1.3/src/jinja2/filters.py b/Jinja2-3.1.3/src/jinja2/filters.py -index c7ecc9b..bdf6f22 100644 ---- a/Jinja2-3.1.3/src/jinja2/filters.py -+++ b/Jinja2-3.1.3/src/jinja2/filters.py -@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K - yield from value.items() - - --_space_re = re.compile(r"\s", flags=re.ASCII) -+# Check for characters that would move the parser state from key to value. -+# https://html.spec.whatwg.org/#attribute-name-state -+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) - - - @pass_eval_context -@@ -257,8 +259,14 @@ def do_xmlattr( - ) -> str: - """Create an SGML/XML attribute string based on the items in a dict. - -- If any key contains a space, this fails with a ``ValueError``. Values that -- are neither ``none`` nor ``undefined`` are automatically escaped. -+ **Values** that are neither ``none`` nor ``undefined`` are automatically -+ escaped, safely allowing untrusted user input. -+ -+ User input should not be used as **keys** to this filter. If any key -+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals -+ sign, this fails with a ``ValueError``. Regardless of this, user input -+ should never be used as keys to this filter, or must be separately validated -+ first. - - .. sourcecode:: html+jinja - -@@ -278,6 +286,10 @@ def do_xmlattr( - As you can see it automatically prepends a space in front of the item - if the filter returned something unless the second parameter is false. - -+ .. versionchanged:: 3.1.4 -+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign -+ are not allowed. -+ - .. versionchanged:: 3.1.3 - Keys with spaces are not allowed. - """ -@@ -287,8 +299,8 @@ def do_xmlattr( - if value is None or isinstance(value, Undefined): - continue - -- if _space_re.search(key) is not None: -- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") -+ if _attr_key_re.search(key) is not None: -+ raise ValueError(f"Invalid character in attribute name: {key!r}") - - items.append(f'{escape(key)}="{escape(value)}"') - -diff --git a/Jinja2-3.1.3/tests/test_filters.py b/Jinja2-3.1.3/tests/test_filters.py -index f50ed13..d8e9114 100644 ---- a/Jinja2-3.1.3/tests/test_filters.py -+++ b/Jinja2-3.1.3/tests/test_filters.py -@@ -474,11 +474,12 @@ class TestFilter: - assert 'bar="23"' in out - assert 'blub:blub="<?>"' in out - -- def test_xmlattr_key_with_spaces(self, env): -- with pytest.raises(ValueError, match="Spaces are not allowed"): -- env.from_string( -- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" -- ).render() -+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) -+ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: -+ with pytest.raises(ValueError, match="Invalid character"): -+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( -+ key=f"class{sep}onclick=alert(1)" -+ ) - - def test_sort1(self, env): - tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") --- -2.33.0 - diff --git a/backport-CVE-2024-56201.patch b/backport-CVE-2024-56201.patch deleted file mode 100644 index 09c32f1c266790d3f702e178a6d5a20e402dacee..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-56201.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001 -From: Sigurd Spieckermann -Date: Fri, 26 May 2023 14:32:36 +0200 -Subject: [PATCH] fix f-string syntax error in code generation - -Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9 - ---- - Jinja2-3.1.3/CHANGES.rst | 3 +++ - Jinja2-3.1.3/src/jinja2/compiler.py | 7 ++++++- - Jinja2-3.1.3/tests/test_compile.py | 19 +++++++++++++++++++ - 3 files changed, 28 insertions(+), 1 deletion(-) - -diff --git a/Jinja2-3.1.3/CHANGES.rst b/Jinja2-3.1.3/CHANGES.rst -index f70cacb..b0e9a77 100644 ---- a/Jinja2-3.1.3/CHANGES.rst -+++ b/Jinja2-3.1.3/CHANGES.rst -@@ -1,5 +1,8 @@ - .. currentmodule:: jinja2 - -+- Escape template name before formatting it into error messages, to avoid -+ issues with names that contain f-string syntax. -+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699` - - The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` - greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. - Regardless of any validation done by Jinja, user input should never be used -diff --git a/Jinja2-3.1.3/src/jinja2/compiler.py b/Jinja2-3.1.3/src/jinja2/compiler.py -index ff95c80..1ebdcd9 100644 ---- a/Jinja2-3.1.3/src/jinja2/compiler.py -+++ b/Jinja2-3.1.3/src/jinja2/compiler.py -@@ -1121,9 +1121,14 @@ class CodeGenerator(NodeVisitor): - ) - self.writeline(f"if {frame.symbols.ref(alias)} is missing:") - self.indent() -+ # The position will contain the template name, and will be formatted -+ # into a string that will be compiled into an f-string. Curly braces -+ # in the name must be replaced with escapes so that they will not be -+ # executed as part of the f-string. -+ position = self.position(node).replace("{", "{{").replace("}", "}}") - message = ( - "the template {included_template.__name__!r}" -- f" (imported on {self.position(node)})" -+ f" (imported on {position})" - f" does not export the requested name {name!r}" - ) - self.writeline( -diff --git a/Jinja2-3.1.3/tests/test_compile.py b/Jinja2-3.1.3/tests/test_compile.py -index 42a773f..b33a877 100644 ---- a/Jinja2-3.1.3/tests/test_compile.py -+++ b/Jinja2-3.1.3/tests/test_compile.py -@@ -1,6 +1,9 @@ - import os - import re - -+import pytest -+ -+from jinja2 import UndefinedError - from jinja2.environment import Environment - from jinja2.loaders import DictLoader - -@@ -26,3 +29,19 @@ def test_import_as_with_context_deterministic(tmp_path): - expect = [f"'bar{i}': " for i in range(10)] - found = re.findall(r"'bar\d': ", content)[:10] - assert found == expect -+ -+ -+def test_undefined_import_curly_name(): -+ env = Environment( -+ loader=DictLoader( -+ { -+ "{bad}": "{% from 'macro' import m %}{{ m() }}", -+ "macro": "", -+ } -+ ) -+ ) -+ -+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate -+ # that `{bad}` is being interpreted as an f-string. It must be escaped. -+ with pytest.raises(UndefinedError): -+ env.get_template("{bad}").render() --- -2.33.0 - diff --git a/backport-CVE-2024-56326.patch b/backport-CVE-2024-56326.patch deleted file mode 100644 index 6b3394e205f0a7f973ab5d860d1d789b462e4c45..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-56326.patch +++ /dev/null @@ -1,172 +0,0 @@ -From 91a972f5808973cd441f4dc06873b2f8378f30c7 Mon Sep 17 00:00:00 2001 -From: Lydxn -Date: Mon, 23 Sep 2024 15:09:10 -0700 -Subject: [PATCH] sandbox indirect calls to str.format ---- - Jinja2-3.1.3/src/jinja2/sandbox.py | 81 +++++++++++++++-------------- - Jinja2-3.1.3/tests/test_security.py | 18 +++++++ - 2 files changed, 60 insertions(+), 39 deletions(-) - -diff --git a/Jinja2-3.1.3/src/jinja2/sandbox.py b/Jinja2-3.1.3/src/jinja2/sandbox.py -index 06d7414..432d28f 100644 ---- a/Jinja2-3.1.3/src/jinja2/sandbox.py -+++ b/Jinja2-3.1.3/src/jinja2/sandbox.py -@@ -7,6 +7,7 @@ import typing as t - from _string import formatter_field_name_split # type: ignore - from collections import abc - from collections import deque -+from functools import update_wrapper - from string import Formatter - - from markupsafe import EscapeFormatter -@@ -79,21 +80,6 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type, t.FrozenSet[str]], ...] = ( - ), - ) - -- --def inspect_format_method(callable: t.Callable) -> t.Optional[str]: -- if not isinstance( -- callable, (types.MethodType, types.BuiltinMethodType) -- ) or callable.__name__ not in ("format", "format_map"): -- return None -- -- obj = callable.__self__ -- -- if isinstance(obj, str): -- return obj -- -- return None -- -- - def safe_range(*args: int) -> range: - """A range that can't generate ranges with a length of more than - MAX_RANGE items. -@@ -313,6 +299,9 @@ class SandboxedEnvironment(Environment): - except AttributeError: - pass - else: -+ fmt = self.wrap_str_format(value) -+ if fmt is not None: -+ return fmt - if self.is_safe_attribute(obj, argument, value): - return value - return self.unsafe_undefined(obj, argument) -@@ -330,6 +319,9 @@ class SandboxedEnvironment(Environment): - except (TypeError, LookupError): - pass - else: -+ fmt = self.wrap_str_format(value) -+ if fmt is not None: -+ return fmt - if self.is_safe_attribute(obj, attribute, value): - return value - return self.unsafe_undefined(obj, attribute) -@@ -345,34 +337,48 @@ class SandboxedEnvironment(Environment): - exc=SecurityError, - ) - -- def format_string( -- self, -- s: str, -- args: t.Tuple[t.Any, ...], -- kwargs: t.Dict[str, t.Any], -- format_func: t.Optional[t.Callable] = None, -- ) -> str: -- """If a format call is detected, then this is routed through this -- method so that our safety sandbox can be used for it. -+ def wrap_str_format(self, value: t.Any) -> t.Optional[t.Callable[..., str]]: -+ """If the given value is a ``str.format`` or ``str.format_map`` method, -+ return a new function than handles sandboxing. This is done at access -+ rather than in :meth:`call`, so that calls made without ``call`` are -+ also sandboxed. - """ -+ if not isinstance( -+ value, (types.MethodType, types.BuiltinMethodType) -+ ) or value.__name__ not in ("format", "format_map"): -+ return None -+ -+ f_self: t.Any = value.__self__ -+ -+ if not isinstance(f_self, str): -+ return None -+ -+ str_type: t.Type[str] = type(f_self) -+ is_format_map = value.__name__ == "format_map" - formatter: SandboxedFormatter -- if isinstance(s, Markup): -- formatter = SandboxedEscapeFormatter(self, escape=s.escape) -+ -+ if isinstance(f_self, Markup): -+ formatter = SandboxedEscapeFormatter(self, escape=f_self.escape) - else: - formatter = SandboxedFormatter(self) - -- if format_func is not None and format_func.__name__ == "format_map": -- if len(args) != 1 or kwargs: -- raise TypeError( -- "format_map() takes exactly one argument" -- f" {len(args) + (kwargs is not None)} given" -- ) -+ vformat = formatter.vformat -+ -+ def wrapper(*args: t.Any, **kwargs: t.Any) -> str: -+ if is_format_map: -+ if kwargs: -+ raise TypeError("format_map() takes no keyword arguments") -+ -+ if len(args) != 1: -+ raise TypeError( -+ f"format_map() takes exactly one argument ({len(args)} given)" -+ ) - -- kwargs = args[0] -- args = () -+ kwargs = args[0] -+ args = () - -- rv = formatter.vformat(s, args, kwargs) -- return type(s)(rv) -+ return str_type(vformat(f_self, args, kwargs)) -+ return update_wrapper(wrapper, value) - - def call( - __self, # noqa: B902 -@@ -382,9 +388,6 @@ class SandboxedEnvironment(Environment): - **kwargs: t.Any, - ) -> t.Any: - """Call an object from sandboxed code.""" -- fmt = inspect_format_method(__obj) -- if fmt is not None: -- return __self.format_string(fmt, args, kwargs, __obj) - - # the double prefixes are to avoid double keyword argument - # errors when proxying the call. -diff --git a/Jinja2-3.1.3/tests/test_security.py b/Jinja2-3.1.3/tests/test_security.py -index 0e8dc5c..9c8bad6 100644 ---- a/Jinja2-3.1.3/tests/test_security.py -+++ b/Jinja2-3.1.3/tests/test_security.py -@@ -171,3 +171,21 @@ class TestStringFormatMap: - '{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":""}) }}' - ) - assert t.render() == "a42b<foo>" -+ -+ -+ def test_indirect_call(self): -+ def run(value, arg): -+ return value.run(arg) -+ -+ env = SandboxedEnvironment() -+ env.filters["run"] = run -+ t = env.from_string( -+ """{% set -+ ns = namespace(run="{0.__call__.__builtins__[__import__]}".format) -+ %} -+ {{ ns | run(not_here) }} -+ """ -+ ) -+ -+ with pytest.raises(SecurityError): -+ t.render() --- -2.43.0 - diff --git a/jinja2-3.1.6.tar.gz b/jinja2-3.1.6.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..d7b6d0aa5d7c200cea655519692641a050116f3c Binary files /dev/null and b/jinja2-3.1.6.tar.gz differ diff --git a/python-jinja2.spec b/python-jinja2.spec index d0cc660491b28dbb9dedbca8c29135f3de1d60c0..e16a3ce250052ca050837813025f0f5087506c4c 100644 --- a/python-jinja2.spec +++ b/python-jinja2.spec @@ -1,16 +1,13 @@ %global _name Jinja2 +%global pkg_name jinja2 -Name: python-jinja2 -Version: 3.1.3 -Release: 4 +Name: python-%{pkg_name} +Version: 3.1.6 +Release: 1 Summary: A full-featured template engine for Python License: BSD-3-Clause URL: http://jinja.pocoo.org/ -Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz - -Patch1: backport-CVE-2024-34064.patch -Patch2: backport-CVE-2024-56326.patch -Patch3: backport-CVE-2024-56201.patch +Source0: https://files.pythonhosted.org/packages/df/bf/f7da0350254c0ed7c72f3e33cef02e048281fec7ecec5f032d4aac52226b/jinja2-3.1.6.tar.gz BuildArch: noarch @@ -20,52 +17,49 @@ templating system but extends it with an expressive language that gives template a more powerful set of tools. On top of that it adds sandboxed execution and optional automatic escaping for applications where security is important. -%package -n python3-jinja2 +%package -n python3-%{pkg_name} Summary: General purpose template engine for python3 BuildRequires: python3-markupsafe python3-babel BuildRequires: python3-pytest python3-devel python3-setuptools +BuildRequires: python3-flit-core +BuildRequires: python3-pip +BuildRequires: python3-trio Requires: python3-babel python3-markupsafe python3-setuptools -%{?python_provide:%python_provide python3-jinja2} +%{?python_provide:%python_provide python3-%{pkg_name}} -%description -n python3-jinja2 -This package is the python3 version of python-jinja2. +%description -n python3-%{pkg_name} +This package is the python3 version of %{name} %package_help %prep -%autosetup -c -n Jinja2-%{version} -p1 - -# fix EOL -sed -i 's|\r$||g' Jinja2-%{version}/LICENSE.rst - -cp -a Jinja2-%{version} python3 +%autosetup -n %{pkg_name}-%{version} %build -pushd python3 -%py3_build -popd +%pyproject_build %install -pushd python3 -%py3_install -popd +%pyproject_install %check -pushd python3 -PYTHONPATH=$(pwd)/src python3 -m pytest tests -popd +# The old setuptools will complain DeprecationWarning +# Which is slient in newer version, we can ignore it +PYTHONPATH=$(pwd)/src python3 -m pytest tests -W ignore::DeprecationWarning -%files -n python3-jinja2 -%license Jinja2-%{version}/LICENSE.rst +%files -n python3-%{pkg_name} +%license LICENSE.txt %{python3_sitelib}/jinja2 -%{python3_sitelib}/Jinja2*-info +%{python3_sitelib}/jinja2*-info %files help -%doc Jinja2-%{version}/CHANGES.rst Jinja2-%{version}/PKG-INFO -%doc Jinja2-%{version}/examples +%doc docs/changes.rst PKG-INFO +%doc docs/examples %changelog +* Tue Mar 25 2025 li chaoran - 3.1.6-1 +- Upgrade to 3.1.6, drop the backport CVE patches, these CVEs are already fixed in 3.15 + * Thu Dec 26 2024 weihaohao - 3.1.3-4 - Type:CVE - CVE:CVE-2024-56201