!87 fix CVE-2024-56201

From: @jack0240 Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-12-26 08:13:35 +00:00 · 2024-12-26 08:13:35 +00:00 · 4b1ac67819
commit 4b1ac67819
parent 310f6aa82b dcf676cbef
2 changed files with 89 additions and 1 deletions
--- a/backport-CVE-2024-56201.patch
+++ b/backport-CVE-2024-56201.patch
@ -0,0 +1,81 @@
+From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
+From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
+Date: Fri, 26 May 2023 14:32:36 +0200
+Subject: [PATCH] fix f-string syntax error in code generation
+
+Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
+
+---
+ Jinja2-2.11.2/CHANGES.rst            |  3 +++
+ Jinja2-2.11.2/src/jinja2/compiler.py |  7 ++++++-
+ Jinja2-2.11.2/tests/test_compile.py  | 20 ++++++++++++++++++++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 Jinja2-2.11.2/tests/test_compile.py
+
+diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst
+index 2c7614b..6ef2d3d 100644
+--- a/Jinja2-2.11.2/CHANGES.rst
+++ b/Jinja2-2.11.2/CHANGES.rst
+@@ -1,5 +1,8 @@
+ .. currentmodule:: jinja2
+ 
+-   Escape template name before formatting it into error messages, to avoid
+    issues with names that contain f-string syntax.
+    :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
+ -   The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+     greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+     Regardless of any validation done by Jinja, user input should never be used
+diff --git a/Jinja2-2.11.2/src/jinja2/compiler.py b/Jinja2-2.11.2/src/jinja2/compiler.py
+index 63297b4..3d6e3d7 100644
+--- a/Jinja2-2.11.2/src/jinja2/compiler.py
+++ b/Jinja2-2.11.2/src/jinja2/compiler.py
+@@ -1034,6 +1034,11 @@ class CodeGenerator(NodeVisitor):
+             )
+             self.writeline("if %s is missing:" % frame.symbols.ref(alias))
+             self.indent()
+            # The position will contain the template name, and will be formatted
+            # into a string that will be compiled into an f-string. Curly braces
+            # in the name must be replaced with escapes so that they will not be
+            # executed as part of the f-string.
+            position = self.position(node).replace("{", "{{").replace("}", "}}")
+             self.writeline(
+                 "%s = undefined(%r %% "
+                 "included_template.__name__, "
+@@ -1042,7 +1047,7 @@ class CodeGenerator(NodeVisitor):
+                     frame.symbols.ref(alias),
+                     "the template %%r (imported on %s) does "
+                     "not export the requested name %s"
+-                    % (self.position(node), repr(name)),
+                    % (position, repr(name)),
+                     name,
+                 )
+             )
+diff --git a/Jinja2-2.11.2/tests/test_compile.py b/Jinja2-2.11.2/tests/test_compile.py
+new file mode 100644
+index 0000000..12ce0e7
+--- /dev/null
+++ b/Jinja2-2.11.2/tests/test_compile.py
+@@ -0,0 +1,20 @@
+import pytest
+
+from jinja2 import UndefinedError
+from jinja2.environment import Environment
+from jinja2.loaders import DictLoader
+
+def test_undefined_import_curly_name():
+    env = Environment(
+        loader=DictLoader(
+            {
+                "{bad}": "{% from 'macro' import m %}{{ m() }}",
+                "macro": "",
+            }
+        )
+    )
+
+    # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+    # that `{bad}` is being interpreted as an f-string. It must be escaped.
+    with pytest.raises(UndefinedError):
+        env.get_template("{bad}").render()
+-- 
+2.33.0
+
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@ -2,7 +2,7 @@

 Name:           python-jinja2
 Version:        2.11.2
-Release:        8
+Release:        9
 Summary:        A full-featured template engine for Python
 License:        BSD
 URL:            http://jinja.pocoo.org/
@ -16,6 +16,7 @@ Patch9000:      huawei-replace-instances-of-the-older-style-tmpdir-fixture.patch
 Patch9001:      backport-CVE-2024-56326.patch
 Patch9002:      backport-CVE-2024-56326-2.patch
 Patch9003:      backport-CVE-2024-56326-3.patch
+Patch9004:      backport-CVE-2024-56201.patch

 BuildArch:      noarch

@ -113,6 +114,12 @@ popd
 %doc Jinja2-%{version}/ext Jinja2-%{version}/examples

 %changelog
+* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 2.11.2-9
+ Type:CVE
+ CVE:CVE-2024-56201
+ SUG:NA
+ DESC:fix CVE-2024-56201
+
 * Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 2.11.2-8
  Type:CVE
  CVE:CVE-2024-56326