fix CVE-2024-56201
This commit is contained in:
JackWei
parent
310f6aa82b
commit
dcf676cbef
81
backport-CVE-2024-56201.patch
Normal file
81
backport-CVE-2024-56201.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
From 56a724644b1ad9cb03745c10cca732715cdc79e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sigurd Spieckermann <sigurd.spieckermann@gmail.com>
|
||||||
|
Date: Fri, 26 May 2023 14:32:36 +0200
|
||||||
|
Subject: [PATCH] fix f-string syntax error in code generation
|
||||||
|
|
||||||
|
Reference:https://github.com/pallets/jinja/commit/56a724644b1ad9cb03745c10cca732715cdc79e9
|
||||||
|
|
||||||
|
---
|
||||||
|
Jinja2-2.11.2/CHANGES.rst | 3 +++
|
||||||
|
Jinja2-2.11.2/src/jinja2/compiler.py | 7 ++++++-
|
||||||
|
Jinja2-2.11.2/tests/test_compile.py | 20 ++++++++++++++++++++
|
||||||
|
3 files changed, 29 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 Jinja2-2.11.2/tests/test_compile.py
|
||||||
|
|
||||||
|
diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst
|
||||||
|
index 2c7614b..6ef2d3d 100644
|
||||||
|
--- a/Jinja2-2.11.2/CHANGES.rst
|
||||||
|
+++ b/Jinja2-2.11.2/CHANGES.rst
|
||||||
|
@@ -1,5 +1,8 @@
|
||||||
|
.. currentmodule:: jinja2
|
||||||
|
|
||||||
|
+- Escape template name before formatting it into error messages, to avoid
|
||||||
|
+ issues with names that contain f-string syntax.
|
||||||
|
+ :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
|
||||||
|
- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
|
||||||
|
greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
|
||||||
|
Regardless of any validation done by Jinja, user input should never be used
|
||||||
|
diff --git a/Jinja2-2.11.2/src/jinja2/compiler.py b/Jinja2-2.11.2/src/jinja2/compiler.py
|
||||||
|
index 63297b4..3d6e3d7 100644
|
||||||
|
--- a/Jinja2-2.11.2/src/jinja2/compiler.py
|
||||||
|
+++ b/Jinja2-2.11.2/src/jinja2/compiler.py
|
||||||
|
@@ -1034,6 +1034,11 @@ class CodeGenerator(NodeVisitor):
|
||||||
|
)
|
||||||
|
self.writeline("if %s is missing:" % frame.symbols.ref(alias))
|
||||||
|
self.indent()
|
||||||
|
+ # The position will contain the template name, and will be formatted
|
||||||
|
+ # into a string that will be compiled into an f-string. Curly braces
|
||||||
|
+ # in the name must be replaced with escapes so that they will not be
|
||||||
|
+ # executed as part of the f-string.
|
||||||
|
+ position = self.position(node).replace("{", "{{").replace("}", "}}")
|
||||||
|
self.writeline(
|
||||||
|
"%s = undefined(%r %% "
|
||||||
|
"included_template.__name__, "
|
||||||
|
@@ -1042,7 +1047,7 @@ class CodeGenerator(NodeVisitor):
|
||||||
|
frame.symbols.ref(alias),
|
||||||
|
"the template %%r (imported on %s) does "
|
||||||
|
"not export the requested name %s"
|
||||||
|
- % (self.position(node), repr(name)),
|
||||||
|
+ % (position, repr(name)),
|
||||||
|
name,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
diff --git a/Jinja2-2.11.2/tests/test_compile.py b/Jinja2-2.11.2/tests/test_compile.py
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..12ce0e7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Jinja2-2.11.2/tests/test_compile.py
|
||||||
|
@@ -0,0 +1,20 @@
|
||||||
|
+import pytest
|
||||||
|
+
|
||||||
|
+from jinja2 import UndefinedError
|
||||||
|
+from jinja2.environment import Environment
|
||||||
|
+from jinja2.loaders import DictLoader
|
||||||
|
+
|
||||||
|
+def test_undefined_import_curly_name():
|
||||||
|
+ env = Environment(
|
||||||
|
+ loader=DictLoader(
|
||||||
|
+ {
|
||||||
|
+ "{bad}": "{% from 'macro' import m %}{{ m() }}",
|
||||||
|
+ "macro": "",
|
||||||
|
+ }
|
||||||
|
+ )
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # Must not raise `NameError: 'bad' is not defined`, as that would indicate
|
||||||
|
+ # that `{bad}` is being interpreted as an f-string. It must be escaped.
|
||||||
|
+ with pytest.raises(UndefinedError):
|
||||||
|
+ env.get_template("{bad}").render()
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: python-jinja2
|
Name: python-jinja2
|
||||||
Version: 2.11.2
|
Version: 2.11.2
|
||||||
Release: 8
|
Release: 9
|
||||||
Summary: A full-featured template engine for Python
|
Summary: A full-featured template engine for Python
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://jinja.pocoo.org/
|
URL: http://jinja.pocoo.org/
|
||||||
@ -16,6 +16,7 @@ Patch9000: huawei-replace-instances-of-the-older-style-tmpdir-fixture.patch
|
|||||||
Patch9001: backport-CVE-2024-56326.patch
|
Patch9001: backport-CVE-2024-56326.patch
|
||||||
Patch9002: backport-CVE-2024-56326-2.patch
|
Patch9002: backport-CVE-2024-56326-2.patch
|
||||||
Patch9003: backport-CVE-2024-56326-3.patch
|
Patch9003: backport-CVE-2024-56326-3.patch
|
||||||
|
Patch9004: backport-CVE-2024-56201.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -113,6 +114,12 @@ popd
|
|||||||
%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
|
%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 2.11.2-9
|
||||||
|
Type:CVE
|
||||||
|
CVE:CVE-2024-56201
|
||||||
|
SUG:NA
|
||||||
|
DESC:fix CVE-2024-56201
|
||||||
|
|
||||||
* Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 2.11.2-8
|
* Wed Dec 25 2024 changtao <changtao@kylinos.cn> - 2.11.2-8
|
||||||
Type:CVE
|
Type:CVE
|
||||||
CVE:CVE-2024-56326
|
CVE:CVE-2024-56326
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user