File 0001-SECURITY-support-sandboxing-in-format-expressions.patch of Package python-Jinja2
From 9b53045c34e61013dc8f09b7e52a555fa16bed16 Mon Sep 17 00:00:00 2001
From: Armin Ronacher <armin.ronacher@active-4.com>
Date: Thu, 29 Dec 2016 14:13:38 +0100
Subject: [PATCH] SECURITY: support sandboxing in format expressions

---
 jinja2/nodes.py        |   2 +-
 jinja2/sandbox.py      | 119 +++++++++++++++++++++++++++++++++++++++--
 tests/test_security.py |  27 +++++++++-
 3 files changed, 143 insertions(+), 5 deletions(-)

Index: Jinja2-2.9.6/jinja2/nodes.py
===================================================================
--- Jinja2-2.9.6.orig/jinja2/nodes.py
+++ Jinja2-2.9.6/jinja2/nodes.py
@@ -506,7 +506,7 @@ class TemplateData(Literal):
 
     def as_const(self, eval_ctx=None):
         eval_ctx = get_eval_context(self, eval_ctx)
-        if eval_ctx.volatile:
+        if eval_ctx.volatile or eval_ctx.environment.sandboxed:
             raise Impossible()
         if eval_ctx.autoescape:
             return Markup(self.data)
Index: Jinja2-2.9.6/jinja2/sandbox.py
===================================================================
--- Jinja2-2.9.6.orig/jinja2/sandbox.py
+++ Jinja2-2.9.6/jinja2/sandbox.py
@@ -17,9 +17,16 @@ import operator
 from collections import Mapping
 from jinja2.environment import Environment
 from jinja2.exceptions import SecurityError
-from jinja2._compat import string_types, PY2
+from jinja2._compat import string_types, text_type, PY2
 from jinja2.utils import Markup
 
+has_format = False
+if hasattr(text_type, 'format'):
+    from markupsafe import EscapeFormatter
+    from string import Formatter
+    has_format = True
+
+
 from markupsafe import EscapeFormatter
 from string import Formatter
 
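Review bot: In the sandbox.py hunk at @@ -17, the `has_format` block added after `from jinja2.utils import Markup` is immediately followed by the context lines `from markupsafe import EscapeFormatter` and `from string import Formatter`, so those imports are already unconditional in Jinja2-2.9.6 and the guarded block only re-imports the same names, leaving `has_format` always True. The later hunks at @@ -49 (re-adding `UNSAFE_COROUTINE_ATTRIBUTES` and `UNSAFE_ASYNC_GENERATOR_ATTRIBUTES`, which the context lines and the hunk header show already exist) and @@ -144 (a second `_MagicFormatMapping` and `inspect_format_method` placed right after the existing function's `return obj`) show the same pattern, which suggests this is the 2.8-era commit rebased onto a tree that already carries the fix; please confirm whether 2.9.6 already contains it and drop the duplicated definitions rather than letting the second `inspect_format_method` silently shadow the first. The diffstat lists tests/test_security.py with 27 changed lines, but no hunk for that file appears in the patch as shown here, so the accompanying test coverage cannot be reviewed from this page.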
@@ -49,6 +56,12 @@ UNSAFE_COROUTINE_ATTRIBUTES = set(['cr_f
 #: unsafe attributes on async generators
 UNSAFE_ASYNC_GENERATOR_ATTRIBUTES = set(['ag_code', 'ag_frame'])
 
+#: unsafe attributes on coroutines
+UNSAFE_COROUTINE_ATTRIBUTES = set(['cr_frame', 'cr_code'])
+
+#: unsafe attributes on async generators
+UNSAFE_ASYNC_GENERATOR_ATTRIBUTES = set(['ag_code', 'ag_frame'])
+
 import warnings
 
 # make sure we don't warn in python 2.6 about stuff we don't care about
@@ -144,6 +157,49 @@ def inspect_format_method(callable):
     return obj
 
 
+class _MagicFormatMapping(Mapping):
+    """This class implements a dummy wrapper to fix a bug in the Python
+    standard library for string formatting.
+
+    See http://bugs.python.org/issue13598 for information about why
+    this is necessary.
+    """
+
+    def __init__(self, args, kwargs):
+        self._args = args
+        self._kwargs = kwargs
+        self._last_index = 0
+
+    def __getitem__(self, key):
+        if key == '':
+            idx = self._last_index
+            self._last_index += 1
+            try:
+                return self._args[idx]
+            except LookupError:
+                pass
+            key = str(idx)
+        return self._kwargs[key]
+
+    def __iter__(self):
+        return iter(self._kwargs)
+
+    def __len__(self):
+        return len(self._kwargs)
+
+
+def inspect_format_method(callable):
+    if not has_format:
+        return None
+    if not isinstance(callable, (types.MethodType,
+                                 types.BuiltinMethodType)) or \
+       callable.__name__ != 'format':
+        return None
+    obj = callable.__self__
+    if isinstance(obj, string_types):
+        return obj
+
+
 def safe_range(*args):
     """A range that can't generate ranges with a length of more than
     MAX_RANGE items.
@@ -201,6 +257,12 @@ def is_internal_attribute(obj, attr):
     elif hasattr(types, 'AsyncGeneratorType') and isinstance(obj, types.AsyncGeneratorType):
         if attr in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES:
             return True
+    elif hasattr(types, 'CoroutineType') and isinstance(obj, types.CoroutineType):
+        if attr in UNSAFE_COROUTINE_ATTRIBUTES:
+            return True
+    elif hasattr(types, 'AsyncGeneratorType') and isinstance(obj, types.AsyncGeneratorType):
+        if attri in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES:
+            return True
     return attr.startswith('__')
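Review bot: The added `elif ... AsyncGeneratorType` branch at the end of the hunk tests `attri` instead of `attr`, which raises NameError if it ever runs; because it repeats the condition of the context branch directly above it, the branch is currently unreachable, but a misspelled name inside the sandbox's attribute check should not ship. Either correct it to `if attr in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES:` or, preferably, drop both added branches, since the matching `CoroutineType` check is presumably already present earlier in the chain given that `UNSAFE_COROUTINE_ATTRIBUTES` already exists in the module. The enclosing `is_internal_attribute` begins above the hunk, so the earlier branches cannot be confirmed from here.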