File 0001-sandbox-str.format_map.patch of Package python-Jinja2.18331

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-sandbox-str.format_map.patch of Package python-Jinja2.18331

From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
From: Armin Ronacher <armin.ronacher@active-4.com>
Date: Sat, 6 Apr 2019 10:50:47 -0700
Subject: [PATCH] sandbox str.format_map

---
 jinja2/sandbox.py      | 17 ++++++++++++++---
 tests/test_security.py | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+), 3 deletions(-)

Index: Jinja2-2.8/jinja2/sandbox.py
===================================================================
--- Jinja2-2.8.orig/jinja2/sandbox.py
+++ Jinja2-2.8/jinja2/sandbox.py
@@ -144,7 +144,7 @@ def inspect_format_method(callable):
         return None
     if not isinstance(callable, (types.MethodType,
                                  types.BuiltinMethodType)) or \
-       callable.__name__ != 'format':
+       callable.__name__ not in ('format', 'format_map'):
         return None
     obj = callable.__self__
     if isinstance(obj, string_types):
@@ -409,7 +409,7 @@ class SandboxedEnvironment(Environment):
             obj.__class__.__name__
         ), name=attribute, obj=obj, exc=SecurityError)
 
-    def format_string(self, s, args, kwargs):
+    def format_string(self, s, args, kwargs, format_func=None):
         """If a format call is detected, then this is routed through this
         method so that our safety sandbox can be used for it.
         """
@@ -417,6 +417,17 @@ class SandboxedEnvironment(Environment):
             formatter = SandboxedEscapeFormatter(self, s.escape)
         else:
             formatter = SandboxedFormatter(self)
+
+        if format_func is not None and format_func.__name__ == 'format_map':
+            if len(args) != 1 or kwargs:
+                raise TypeError(
+                    'format_map() takes exactly one argument %d given'
+                    % (len(args) + (kwargs is not None))
+                )
+
+            kwargs = args[0]
+            args = None
+
         kwargs = _MagicFormatMapping(args, kwargs)
         rv = formatter.vformat(s, args, kwargs)
         return type(s)(rv)
@@ -425,7 +436,7 @@ class SandboxedEnvironment(Environment):
         """Call an object from sandboxed code."""
         fmt = inspect_format_method(__obj)
         if fmt is not None:
-            return __self.format_string(fmt, args, kwargs)
+            return __self.format_string(fmt, args, kwargs, __obj)
 
         # the double prefixes are to avoid double keyword argument
         # errors when proxying the call.

Places

File 0001-sandbox-str.format_map.patch of Package python-Jinja2.18331

Places