SECURITY UPDATE

2024-11-04 16:45:25 +08:00 · 2024-11-04 16:45:25 +08:00 · deaad03a73
parent 705b44318b
commit deaad03a73
4 changed files with 37 additions and 10 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -9,6 +9,12 @@ Released 2022-04-28
    :issue:`1645`
 -   Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654`
 -   The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
    greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
    Regardless of any validation done by Jinja, user input should never be used
    as keys to this filter, or must be separately validated first.
    GHSA-h75v-3vvj-5mfj
 Version 3.1.1
 -------------
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,11 @@
 jinja2 (3.1.2-ok2) nile; urgency=medium
  * SECURITY UPDATE: Cross-Site scripting in xmlattr filter     -
    debian/patches/CVE-2024-34064.patch: disallow invalid characters
    in keys to xmlattr filter     - CVE-2024-34064
 -- liubo01 <liubo01@kylinos.cn>  Mon, 04 Nov 2024 16:45:25 +0800
 jinja2 (3.1.2-ok1) nile; urgency=medium
  * Build for openKylin.
--- a/src/jinja2/filters.py
+++ b/src/jinja2/filters.py
@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
    yield from value.items()
-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
 # https://html.spec.whatwg.org/#attribute-name-state
 _attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
@pass_eval_context
@ -257,8 +259,14 @@ def do_xmlattr(
 ) -> str:
    """Create an SGML/XML attribute string based on the items in a dict.
-    If any key contains a space, this fails with a ``ValueError``. Values that
+    **Values** that are neither ``none`` nor ``undefined`` are automatically
-    are neither ``none`` nor ``undefined`` are automatically escaped.
+    escaped, safely allowing untrusted user input.
    User input should not be used as **keys** to this filter. If any key
    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
    sign, this fails with a ``ValueError``. Regardless of this, user input
    should never be used as keys to this filter, or must be separately validated
    first.
    .. sourcecode:: html+jinja
@ -278,6 +286,10 @@ def do_xmlattr(
    As you can see it automatically prepends a space in front of the item
    if the filter returned something unless the second parameter is false.
    .. versionchanged:: 3.1.4
        Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
        are not allowed.
    .. versionchanged:: 3.1.3
        Keys with spaces are not allowed.
    """
@ -287,8 +299,8 @@ def do_xmlattr(
        if value is None or isinstance(value, Undefined):
            continue
-        if _space_re.search(key) is not None:
+        if _attr_key_re.search(key) is not None:
-            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+            raise ValueError(f"Invalid character in attribute name: {key!r}")
        items.append(f'{escape(key)}="{escape(value)}"')
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@ -474,11 +474,12 @@ class TestFilter:
        assert 'bar="23"' in out
        assert 'blub:blub="&lt;?&gt;"' in out
-    def test_xmlattr_key_with_spaces(self, env):
+    @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
-        with pytest.raises(ValueError, match="Spaces are not allowed"):
+    def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
-            env.from_string(
+        with pytest.raises(ValueError, match="Invalid character"):
-                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
+            env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
-            ).render()
+                key=f"class{sep}onclick=alert(1)"
            )
    def test_sort1(self, env):
        tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")