Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
python-Jinja2
CVE-2024-34064.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-34064.patch of Package python-Jinja2
Index: Jinja2-2.10.1/jinja2/filters.py =================================================================== --- Jinja2-2.10.1.orig/jinja2/filters.py +++ Jinja2-2.10.1/jinja2/filters.py @@ -8,6 +8,7 @@ :copyright: (c) 2017 by the Jinja Team. :license: BSD, see LICENSE for more details. """ +import sys import re import math import random @@ -24,6 +25,13 @@ from jinja2._compat import imap, string_ _word_re = re.compile(r'\w+', re.UNICODE) _word_beginning_split_re = re.compile(r'([-\s\(\{\[\<]+)', re.UNICODE) +if sys.version_info[0] < 3: + flags=0 +else: + flags=re.ASCII +# Check for characters that would move the parser state from key to value. +# https://html.spec.whatwg.org/#attribute-name-state +_attr_key_re = re.compile(r"[\s/>=]", flags=flags) def contextfilter(f): @@ -153,8 +161,15 @@ def do_lower(s): @evalcontextfilter def do_xmlattr(_eval_ctx, d, autospace=True): """Create an SGML/XML attribute string based on the items in a dict. - All values that are neither `none` nor `undefined` are automatically - escaped: + + **Values** that are neither ``none`` nor ``undefined`` are automatically + escaped, safely allowing untrusted user input. + + User input should not be used as **keys** to this filter. If any key + contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals + sign, this fails with a ``ValueError``. Regardless of this, user input + should never be used as keys to this filter, or must be separately validated + first. .. sourcecode:: html+jinja @@ -174,11 +189,19 @@ def do_xmlattr(_eval_ctx, d, autospace=T As you can see it automatically prepends a space in front of the item if the filter returned something unless the second parameter is false. """ - rv = u' '.join( - u'%s="%s"' % (escape(key), escape(value)) - for key, value in iteritems(d) - if value is not None and not isinstance(value, Undefined) - ) + + items = [] + for key, value in iteritems(d): + if value is None or isinstance(value, Undefined): + continue + + if _attr_key_re.search(key) is not None: + raise ValueError("Invalid character in attribute name: %s" % repr(key)) + + items.append(u'%s="%s"' % (escape(key), escape(value))) + + rv = u' '.join(items) + if autospace and rv: rv = u' ' + rv if _eval_ctx.autoescape:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor