File CVE-2024-34064.patch of Package python-Jinja2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-34064.patch of Package python-Jinja2

Index: Jinja2-2.10.1/jinja2/filters.py
===================================================================
--- Jinja2-2.10.1.orig/jinja2/filters.py
+++ Jinja2-2.10.1/jinja2/filters.py
@@ -8,6 +8,7 @@
     :copyright: (c) 2017 by the Jinja Team.
     :license: BSD, see LICENSE for more details.
 """
+import sys
 import re
 import math
 import random
@@ -24,6 +25,13 @@ from jinja2._compat import imap, string_
 
 _word_re = re.compile(r'\w+', re.UNICODE)
 _word_beginning_split_re = re.compile(r'([-\s\(\{\[\<]+)', re.UNICODE)
+if sys.version_info[0] < 3:
+    flags=0
+else:
+    flags=re.ASCII
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=flags)
 
 
 def contextfilter(f):
@@ -153,8 +161,15 @@ def do_lower(s):
 @evalcontextfilter
 def do_xmlattr(_eval_ctx, d, autospace=True):
     """Create an SGML/XML attribute string based on the items in a dict.
-    All values that are neither `none` nor `undefined` are automatically
-    escaped:
+
+    **Values** that are neither ``none`` nor ``undefined`` are automatically
+    escaped, safely allowing untrusted user input.
+
+    User input should not be used as **keys** to this filter. If any key
+    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+    sign, this fails with a ``ValueError``. Regardless of this, user input
+    should never be used as keys to this filter, or must be separately validated
+    first.
 
     .. sourcecode:: html+jinja
 
@@ -174,11 +189,19 @@ def do_xmlattr(_eval_ctx, d, autospace=T
     As you can see it automatically prepends a space in front of the item
     if the filter returned something unless the second parameter is false.
     """
-    rv = u' '.join(
-        u'%s="%s"' % (escape(key), escape(value))
-        for key, value in iteritems(d)
-        if value is not None and not isinstance(value, Undefined)
-    )
+
+    items = []
+    for key, value in iteritems(d):
+        if value is None or isinstance(value, Undefined):
+            continue
+
+        if _attr_key_re.search(key) is not None:
+            raise ValueError("Invalid character in attribute name: %s" % repr(key))
+
+        items.append(u'%s="%s"' % (escape(key), escape(value)))
+
+    rv = u' '.join(items)
+
     if autospace and rv:
         rv = u' ' + rv
     if _eval_ctx.autoescape:

Places

File CVE-2024-34064.patch of Package python-Jinja2

Places