mirror of https://gitee.com/openkylin/jinja2.git
SECURITY UPDATE
This commit is contained in:
liubo0711
openkylin-cibot
parent
19410516e7
commit
33d81ad2d4
|
|
@ -1,3 +1,11 @@
|
|||
jinja2 (3.1.2-ok2) nile; urgency=medium
|
||||
|
||||
* SECURITY UPDATE: Cross-Site scripting in xmlattr filter -
|
||||
debian/patches/CVE-2024-34064.patch: disallow invalid characters
|
||||
in keys to xmlattr filter - CVE-2024-34064
|
||||
|
||||
-- liubo01 <liubo01@kylinos.cn> Mon, 04 Nov 2024 16:45:25 +0800
|
||||
|
||||
jinja2 (3.1.2-ok1) nile; urgency=medium
|
||||
|
||||
* Build for openKylin.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,103 @@
|
|||
From: liubo0711 <1191322237@qq.com>
|
||||
Date: Mon, 4 Nov 2024 16:45:25 +0800
|
||||
Subject: SECURITY UPDATE
|
||||
|
||||
---
|
||||
CHANGES.rst | 6 ++++++
|
||||
src/jinja2/filters.py | 22 +++++++++++++++++-----
|
||||
tests/test_filters.py | 11 ++++++-----
|
||||
3 files changed, 29 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/CHANGES.rst b/CHANGES.rst
|
||||
index fede06e..6fd1262 100644
|
||||
--- a/CHANGES.rst
|
||||
+++ b/CHANGES.rst
|
||||
@@ -9,6 +9,12 @@ Released 2022-04-28
|
||||
:issue:`1645`
|
||||
- Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654`
|
||||
|
||||
+- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
|
||||
+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
|
||||
+ Regardless of any validation done by Jinja, user input should never be used
|
||||
+ as keys to this filter, or must be separately validated first.
|
||||
+ GHSA-h75v-3vvj-5mfj
|
||||
+
|
||||
|
||||
Version 3.1.1
|
||||
-------------
|
||||
diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
|
||||
index c7ecc9b..bdf6f22 100644
|
||||
--- a/src/jinja2/filters.py
|
||||
+++ b/src/jinja2/filters.py
|
||||
@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
|
||||
yield from value.items()
|
||||
|
||||
|
||||
-_space_re = re.compile(r"\s", flags=re.ASCII)
|
||||
+# Check for characters that would move the parser state from key to value.
|
||||
+# https://html.spec.whatwg.org/#attribute-name-state
|
||||
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
|
||||
|
||||
|
||||
@pass_eval_context
|
||||
@@ -257,8 +259,14 @@ def do_xmlattr(
|
||||
) -> str:
|
||||
"""Create an SGML/XML attribute string based on the items in a dict.
|
||||
|
||||
- If any key contains a space, this fails with a ``ValueError``. Values that
|
||||
- are neither ``none`` nor ``undefined`` are automatically escaped.
|
||||
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
|
||||
+ escaped, safely allowing untrusted user input.
|
||||
+
|
||||
+ User input should not be used as **keys** to this filter. If any key
|
||||
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
|
||||
+ sign, this fails with a ``ValueError``. Regardless of this, user input
|
||||
+ should never be used as keys to this filter, or must be separately validated
|
||||
+ first.
|
||||
|
||||
.. sourcecode:: html+jinja
|
||||
|
||||
@@ -278,6 +286,10 @@ def do_xmlattr(
|
||||
As you can see it automatically prepends a space in front of the item
|
||||
if the filter returned something unless the second parameter is false.
|
||||
|
||||
+ .. versionchanged:: 3.1.4
|
||||
+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
|
||||
+ are not allowed.
|
||||
+
|
||||
.. versionchanged:: 3.1.3
|
||||
Keys with spaces are not allowed.
|
||||
"""
|
||||
@@ -287,8 +299,8 @@ def do_xmlattr(
|
||||
if value is None or isinstance(value, Undefined):
|
||||
continue
|
||||
|
||||
- if _space_re.search(key) is not None:
|
||||
- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
|
||||
+ if _attr_key_re.search(key) is not None:
|
||||
+ raise ValueError(f"Invalid character in attribute name: {key!r}")
|
||||
|
||||
items.append(f'{escape(key)}="{escape(value)}"')
|
||||
|
||||
diff --git a/tests/test_filters.py b/tests/test_filters.py
|
||||
index a184649..c9ec7da 100644
|
||||
--- a/tests/test_filters.py
|
||||
+++ b/tests/test_filters.py
|
||||
@@ -474,11 +474,12 @@ class TestFilter:
|
||||
assert 'bar="23"' in out
|
||||
assert 'blub:blub="<?>"' in out
|
||||
|
||||
- def test_xmlattr_key_with_spaces(self, env):
|
||||
- with pytest.raises(ValueError, match="Spaces are not allowed"):
|
||||
- env.from_string(
|
||||
- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
|
||||
- ).render()
|
||||
+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
|
||||
+ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
|
||||
+ with pytest.raises(ValueError, match="Invalid character"):
|
||||
+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
|
||||
+ key=f"class{sep}onclick=alert(1)"
|
||||
+ )
|
||||
|
||||
def test_sort1(self, env):
|
||||
tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
|
||||
|
|
@ -2,3 +2,4 @@ py3.9-fix-collections-import.patch
|
|||
0002-docs-disable-sphinxcontrib.log_cabinet.patch
|
||||
0003-fix-nose-leftovers.patch
|
||||
CVE-2024-22195.patch
|
||||
0005-SECURITY-UPDATE.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue