Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
systemsmanagement:Ardana:8:CentOS:7.5
python-Jinja2
0001-sandbox-str.format_map.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-sandbox-str.format_map.patch of Package python-Jinja2
From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001 From: Armin Ronacher <armin.ronacher@active-4.com> Date: Sat, 6 Apr 2019 10:50:47 -0700 Subject: [PATCH] sandbox str.format_map --- jinja2/sandbox.py | 17 ++++++++++++++--- jinja2/tests.py | 17 +++++++++++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) Index: Jinja2-2.9.6/jinja2/sandbox.py =================================================================== --- Jinja2-2.9.6.orig/jinja2/sandbox.py +++ Jinja2-2.9.6/jinja2/sandbox.py @@ -193,7 +193,7 @@ def inspect_format_method(callable): return None if not isinstance(callable, (types.MethodType, types.BuiltinMethodType)) or \ - callable.__name__ != 'format': + callable.__name__ not in ('format', 'format_map'): return None obj = callable.__self__ if isinstance(obj, string_types): @@ -464,7 +464,7 @@ class SandboxedEnvironment(Environment): obj.__class__.__name__ ), name=attribute, obj=obj, exc=SecurityError) - def format_string(self, s, args, kwargs): + def format_string(self, s, args, kwargs, format_func=None): """If a format call is detected, then this is routed through this method so that our safety sandbox can be used for it. """ @@ -472,6 +472,17 @@ class SandboxedEnvironment(Environment): formatter = SandboxedEscapeFormatter(self, s.escape) else: formatter = SandboxedFormatter(self) + + if format_func is not None and format_func.__name__ == 'format_map': + if len(args) != 1 or kwargs: + raise TypeError( + 'format_map() takes exactly one argument %d given' + % (len(args) + (kwargs is not None)) + ) + + kwargs = args[0] + args = None + kwargs = _MagicFormatMapping(args, kwargs) rv = formatter.vformat(s, args, kwargs) return type(s)(rv) @@ -480,7 +491,7 @@ class SandboxedEnvironment(Environment): """Call an object from sandboxed code.""" fmt = inspect_format_method(__obj) if fmt is not None: - return __self.format_string(fmt, args, kwargs) + return __self.format_string(fmt, args, kwargs, __obj) # the double prefixes are to avoid double keyword argument # errors when proxying the call. Index: Jinja2-2.9.6/jinja2/tests.py =================================================================== --- Jinja2-2.9.6.orig/jinja2/tests.py +++ Jinja2-2.9.6/jinja2/tests.py @@ -151,6 +151,20 @@ def test_escaped(value): """Check if the value is escaped.""" return hasattr(value, '__html__') +def test_basic_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}') + assert t.render() == 'ab' + +def test_basic_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}') + assert t.render() == 'a42b' + +def test_safe_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}') + assert t.render() == 'a42b<foo>' def test_greaterthan(value, other): """Check if value is greater than other.""" @@ -181,5 +195,8 @@ TESTS = { 'equalto': test_equalto, 'escaped': test_escaped, 'greaterthan': test_greaterthan, - 'lessthan': test_lessthan + 'lessthan': test_lessthan, + 'basic_format_safety': test_basic_format_safety, + 'basic_format_all_okay': test_basic_format_all_okay, + 'safe_format_all_okay': test_safe_format_all_okay, }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor