File CVE-2024-34064.patch of Package python-Jinja2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-34064.patch of Package python-Jinja2

Index: Jinja2-3.1.2/src/jinja2/filters.py
===================================================================
--- Jinja2-3.1.2.orig/src/jinja2/filters.py
+++ Jinja2-3.1.2/src/jinja2/filters.py
@@ -172,6 +172,11 @@ def do_urlencode(
     )
 
 
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+
+
 @pass_eval_context
 def do_replace(
     eval_ctx: "EvalContext", s: str, old: str, new: str, count: t.Optional[int] = None
@@ -253,8 +258,15 @@ def do_xmlattr(
     eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
 ) -> str:
     """Create an SGML/XML attribute string based on the items in a dict.
-    All values that are neither `none` nor `undefined` are automatically
-    escaped:
+
+    **Values** that are neither ``none`` nor ``undefined`` are automatically
+    escaped, safely allowing untrusted user input.
+
+    User input should not be used as **keys** to this filter. If any key
+    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+    sign, this fails with a ``ValueError``. Regardless of this, user input
+    should never be used as keys to this filter, or must be separately validated
+    first.
 
     .. sourcecode:: html+jinja
 
@@ -274,11 +286,18 @@ def do_xmlattr(
     As you can see it automatically prepends a space in front of the item
     if the filter returned something unless the second parameter is false.
     """
-    rv = " ".join(
-        f'{escape(key)}="{escape(value)}"'
-        for key, value in d.items()
-        if value is not None and not isinstance(value, Undefined)
-    )
+
+    items = []
+    for key, value in d.items():
+        if value is None or isinstance(value, Undefined):
+            continue
+
+        if _attr_key_re.search(key) is not None:
+            raise ValueError("Invalid character in attribute name: %s" % repr(key))
+
+        items.append(f'{escape(key)}="{escape(value)}"')
+
+    rv = " ".join(items)
 
     if autospace and rv:
         rv = " " + rv
Index: Jinja2-3.1.2/tests/test_filters.py
===================================================================
--- Jinja2-3.1.2.orig/tests/test_filters.py
+++ Jinja2-3.1.2/tests/test_filters.py
@@ -871,3 +871,10 @@ class TestFilter:
         with pytest.raises(TemplateRuntimeError, match="No filter named 'f'"):
             t1.render(x=42)
             t2.render(x=42)
+
+    @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
+    def test_xmlattr_key_invalid(self, env, sep):
+        with pytest.raises(ValueError, match="Invalid character"):
+            env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
+                key=f"class{sep}onclick=alert(1)"
+            )

Places

File CVE-2024-34064.patch of Package python-Jinja2

Places