diff --git a/CHANGES.rst b/CHANGES.rst index fede06e..6fd1262 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -9,6 +9,12 @@ Released 2022-04-28 :issue:`1645` - Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654` +- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` + greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. + Regardless of any validation done by Jinja, user input should never be used + as keys to this filter, or must be separately validated first. + GHSA-h75v-3vvj-5mfj + Version 3.1.1 ------------- diff --git a/debian/changelog b/debian/changelog index 366216a..8ea7c23 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jinja2 (3.1.2-ok2) nile; urgency=medium + + * SECURITY UPDATE: Cross-Site scripting in xmlattr filter - + debian/patches/CVE-2024-34064.patch: disallow invalid characters + in keys to xmlattr filter - CVE-2024-34064 + + -- liubo01 Mon, 04 Nov 2024 16:45:25 +0800 + jinja2 (3.1.2-ok1) nile; urgency=medium * Build for openKylin. diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py index c7ecc9b..bdf6f22 100644 --- a/src/jinja2/filters.py +++ b/src/jinja2/filters.py @@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K yield from value.items() -_space_re = re.compile(r"\s", flags=re.ASCII) +# Check for characters that would move the parser state from key to value. +# https://html.spec.whatwg.org/#attribute-name-state +_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) @pass_eval_context @@ -257,8 +259,14 @@ def do_xmlattr( ) -> str: """Create an SGML/XML attribute string based on the items in a dict. - If any key contains a space, this fails with a ``ValueError``. Values that - are neither ``none`` nor ``undefined`` are automatically escaped. + **Values** that are neither ``none`` nor ``undefined`` are automatically + escaped, safely allowing untrusted user input. + + User input should not be used as **keys** to this filter. If any key + contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals + sign, this fails with a ``ValueError``. Regardless of this, user input + should never be used as keys to this filter, or must be separately validated + first. .. sourcecode:: html+jinja @@ -278,6 +286,10 @@ def do_xmlattr( As you can see it automatically prepends a space in front of the item if the filter returned something unless the second parameter is false. + .. versionchanged:: 3.1.4 + Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign + are not allowed. + .. versionchanged:: 3.1.3 Keys with spaces are not allowed. """ @@ -287,8 +299,8 @@ def do_xmlattr( if value is None or isinstance(value, Undefined): continue - if _space_re.search(key) is not None: - raise ValueError(f"Spaces are not allowed in attributes: '{key}'") + if _attr_key_re.search(key) is not None: + raise ValueError(f"Invalid character in attribute name: {key!r}") items.append(f'{escape(key)}="{escape(value)}"') diff --git a/tests/test_filters.py b/tests/test_filters.py index a184649..c9ec7da 100644 --- a/tests/test_filters.py +++ b/tests/test_filters.py @@ -474,11 +474,12 @@ class TestFilter: assert 'bar="23"' in out assert 'blub:blub="<?>"' in out - def test_xmlattr_key_with_spaces(self, env): - with pytest.raises(ValueError, match="Spaces are not allowed"): - env.from_string( - "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" - ).render() + @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) + def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: + with pytest.raises(ValueError, match="Invalid character"): + env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( + key=f"class{sep}onclick=alert(1)" + ) def test_sort1(self, env): tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")