packages/python-jinja2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-56201

Browse Source
This commit is contained in:
JackWei 2024-12-26 16:01:49 +08:00
parent 310f6aa82b
commit dcf676cbef
2 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
backport-CVE-2024-56201.patch Normal file
View File

@ -0,0 +1,81 @@
From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
Date: Fri, 26 May 2023 14:32:36 +0200
Subject: [PATCH] fix f-string syntax error in code generation
Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
---
Jinja2-2.11.2/CHANGES.rst | 3 +++
Jinja2-2.11.2/src/jinja2/compiler.py | 7 ++++++-
Jinja2-2.11.2/tests/test_compile.py | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 Jinja2-2.11.2/tests/test_compile.py
diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst
index 2c7614b..6ef2d3d 100644
--- a/Jinja2-2.11.2/CHANGES.rst
+++ b/Jinja2-2.11.2/CHANGES.rst
@@ -1,5 +1,8 @@
.. currentmodule:: jinja2
+- Escape template name before formatting it into error messages, to avoid
+ issues with names that contain f-string syntax.
+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
Regardless of any validation done by Jinja, user input should never be used
diff --git a/Jinja2-2.11.2/src/jinja2/compiler.py b/Jinja2-2.11.2/src/jinja2/compiler.py
index 63297b4..3d6e3d7 100644
--- a/Jinja2-2.11.2/src/jinja2/compiler.py
+++ b/Jinja2-2.11.2/src/jinja2/compiler.py
@@ -1034,6 +1034,11 @@ class CodeGenerator(NodeVisitor):
)
self.writeline("if %s is missing:" % frame.symbols.ref(alias))
self.indent()
+ # The position will contain the template name, and will be formatted
+ # into a string that will be compiled into an f-string. Curly braces
+ # in the name must be replaced with escapes so that they will not be
+ # executed as part of the f-string.
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
self.writeline(
"%s = undefined(%r %% "
"included_template.__name__, "
@@ -1042,7 +1047,7 @@ class CodeGenerator(NodeVisitor):
frame.symbols.ref(alias),
"the template %%r (imported on %s) does "
"not export the requested name %s"
- % (self.position(node), repr(name)),
+ % (position, repr(name)),
name,
)
)
diff --git a/Jinja2-2.11.2/tests/test_compile.py b/Jinja2-2.11.2/tests/test_compile.py
new file mode 100644
index 0000000..12ce0e7
--- /dev/null
+++ b/Jinja2-2.11.2/tests/test_compile.py
@@ -0,0 +1,20 @@
+import pytest
+
+from jinja2 import UndefinedError
+from jinja2.environment import Environment
+from jinja2.loaders import DictLoader
+
+def test_undefined_import_curly_name():
+ env = Environment(
+ loader=DictLoader(
+ {
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
+ "macro": "",
+ }
+ )
+ )
+
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
+ with pytest.raises(UndefinedError):
+ env.get_template("{bad}").render()
--
2.33.0

9
python-jinja2.spec
View File

@ -2,7 +2,7 @@
Name: python-jinja2
Version: 2.11.2
Release: 8
Release: 9
Summary: A full-featured template engine for Python
License: BSD
URL: http://jinja.pocoo.org/
@ -16,6 +16,7 @@ Patch9000: huawei-replace-instances-of-the-older-style-tmpdir-fixture.patch
Patch9001: backport-CVE-2024-56326.patch
Patch9002: backport-CVE-2024-56326-2.patch
Patch9003: backport-CVE-2024-56326-3.patch
Patch9004: backport-CVE-2024-56201.patch
BuildArch: noarch
@ -113,6 +114,12 @@ popd
%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
%changelog
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 2.11.2-9
Type:CVE
CVE:CVE-2024-56201
SUG:NA
DESC:fix CVE-2024-56201
* Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 2.11.2-8
Type:CVE
CVE:CVE-2024-56326