Mailinglist Archive: opensuse-commit (1903 mails)

commit python-Jinja2 for openSUSE:Factory
Hello community,

here is the log from the commit of package python-Jinja2 for openSUSE:Factory
checked in at 2019-04-19 18:36:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Jinja2 (Old)
and /work/SRC/openSUSE:Factory/.python-Jinja2.new.5536 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-Jinja2"

Fri Apr 19 18:36:56 2019 rev:34 rq:694206 version:2.10.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Jinja2/python-Jinja2.changes
2019-02-24 20:46:46.607875353 +0100
+++ /work/SRC/openSUSE:Factory/.python-Jinja2.new.5536/python-Jinja2.changes
2019-04-19 18:36:58.195077021 +0200
@@ -1,0 +2,13 @@
+Sat Apr 13 16:46:23 UTC 2019 - Jan Engelhardt <jengelh@xxxxxxx>
+
+- Trim bias from descriptions. Make sure % is escaped.
+
+-------------------------------------------------------------------
+Sat Apr 13 03:06:31 UTC 2019 - Arun Persaud <arun@xxxxxx>
+
+- update to version 2.10.1 (bsc#1132323, CVE-2019-10906):
+ * "SandboxedEnvironment" securely handles "str.format_map" in order
+ to prevent code execution through untrusted format strings. The
+ sandbox already handled "str.format".
+
+-------------------------------------------------------------------

Old:
----
Jinja2-2.10.tar.gz

New:
----
Jinja2-2.10.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-Jinja2.spec ++++++
--- /var/tmp/diff_new_pack.W9LVDx/_old 2019-04-19 18:36:59.515078698 +0200
+++ /var/tmp/diff_new_pack.W9LVDx/_new 2019-04-19 18:36:59.519078702 +0200
@@ -19,9 +19,9 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python
Name: python-Jinja2
-Version: 2.10
+Version: 2.10.1
Release: 0
-Summary: A fast and easy to use template engine written in pure Python
+Summary: A template engine written in pure Python
License: BSD-3-Clause
Group: Development/Languages/Python
URL: http://jinja.pocoo.org/
@@ -45,15 +45,15 @@
inspired non-XML syntax but supports inline expressions and an optional
sandboxed environment. Here a small example of a Jinja template:

- {% extends 'base.html' %}
- {% block title %}Memberlist{% endblock %}
- {% block content %}
+ {%% extends 'base.html' %%}
+ {%% block title %%}Memberlist{%% endblock %%}
+ {%% block content %%}
<ul>
- {% for user in users %}
+ {%% for user in users %%}
<li><a href="{{ user.url }}">{{ user.username }}</a></li>
- {% endfor %}
+ {%% endfor %%}
</ul>
- {% endblock %}
+ {%% endblock %%}

%package -n python-Jinja2-vim
Summary: Jinja2 syntax files for Vim
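Review bot: doubling `%` to `%%` in the %description template sample is the correct fix, since a bare `%` followed by a word (`%extends`, `%block`, `%for`, `%endfor`, `%endblock`) is a macro reference to rpm's spec preprocessor and only `%%` yields a literal `%` in the expanded text; the `{{ user.url }}` and `{{ user.username }}` lines are rightly left alone because `{{` is not a macro construct. Before merging, confirm the result with `rpmspec -P python-Jinja2.spec` and check that the expanded description contains `{% extends 'base.html' %}` verbatim rather than an empty or mangled line.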
@@ -95,7 +95,7 @@
%endif

%check
-%python_exec -m pytest
+%pytest

%files %{python_files}
%license LICENSE
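Review bot: the switch from `%python_exec -m pytest` to the `%pytest` macro is not mentioned in the .changes entry; add a line such as "use %pytest macro" so the reason for the %check change is recorded alongside the version bump. Functionally the macro still runs the whole `tests/` tree for every Python flavour, so the new sandbox tests for `format_map` are exercised during the build, with the `skipif` guard in tests/test_security.py taking care of interpreters that lack `str.format_map`.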

++++++ Jinja2-2.10.tar.gz -> Jinja2-2.10.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/CHANGES.rst new/Jinja2-2.10.1/CHANGES.rst
--- old/Jinja2-2.10/CHANGES.rst 2017-11-08 20:47:12.000000000 +0100
+++ new/Jinja2-2.10.1/CHANGES.rst 2019-04-06 19:55:05.000000000 +0200
@@ -2,6 +2,16 @@
===============


+Version 2.10.1
+--------------
+
+Released 2019-04-06
+
+- ``SandboxedEnvironment`` securely handles ``str.format_map`` in
+ order to prevent code execution through untrusted format strings.
+ The sandbox already handled ``str.format``.
+
+
Version 2.10
------------

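Review bot: the upstream 2.10.1 entry describes the `format_map` sandbox fix but does not name CVE-2019-10906, while the packaging changelog does; adding the identifier to this entry (or to the release notes it points at) would let downstreams match the release to the advisory without consulting the distro changelog.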
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/Jinja2.egg-info/PKG-INFO
new/Jinja2-2.10.1/Jinja2.egg-info/PKG-INFO
--- old/Jinja2-2.10/Jinja2.egg-info/PKG-INFO 2017-11-08 20:58:36.000000000
+0100
+++ new/Jinja2-2.10.1/Jinja2.egg-info/PKG-INFO 2019-04-06 20:59:52.000000000
+0200
@@ -1,12 +1,11 @@
-Metadata-Version: 1.1
+Metadata-Version: 2.1
Name: Jinja2
-Version: 2.10
+Version: 2.10.1
Summary: A small but fast and easy to use stand-alone template engine written
in pure python.
Home-page: http://jinja.pocoo.org/
Author: Armin Ronacher
Author-email: armin.ronacher@xxxxxxxxxxxx
License: BSD
-Description-Content-Type: UNKNOWN
Description:
Jinja2
~~~~~~
@@ -61,3 +60,4 @@
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Text Processing :: Markup :: HTML
+Provides-Extra: i18n
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/PKG-INFO new/Jinja2-2.10.1/PKG-INFO
--- old/Jinja2-2.10/PKG-INFO 2017-11-08 20:58:36.000000000 +0100
+++ new/Jinja2-2.10.1/PKG-INFO 2019-04-06 20:59:52.000000000 +0200
@@ -1,12 +1,11 @@
-Metadata-Version: 1.1
+Metadata-Version: 2.1
Name: Jinja2
-Version: 2.10
+Version: 2.10.1
Summary: A small but fast and easy to use stand-alone template engine written
in pure python.
Home-page: http://jinja.pocoo.org/
Author: Armin Ronacher
Author-email: armin.ronacher@xxxxxxxxxxxx
License: BSD
-Description-Content-Type: UNKNOWN
Description:
Jinja2
~~~~~~
@@ -61,3 +60,4 @@
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Text Processing :: Markup :: HTML
+Provides-Extra: i18n
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/jinja2/__init__.py
new/Jinja2-2.10.1/jinja2/__init__.py
--- old/Jinja2-2.10/jinja2/__init__.py 2017-11-08 20:58:35.000000000 +0100
+++ new/Jinja2-2.10.1/jinja2/__init__.py 2019-04-06 19:50:57.000000000
+0200
@@ -27,7 +27,7 @@
:license: BSD, see LICENSE for more details.
"""
__docformat__ = 'restructuredtext en'
-__version__ = '2.10'
+__version__ = '2.10.1'

# high level interface
from jinja2.environment import Environment, Template
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/jinja2/sandbox.py
new/Jinja2-2.10.1/jinja2/sandbox.py
--- old/Jinja2-2.10/jinja2/sandbox.py 2017-07-08 18:20:20.000000000 +0200
+++ new/Jinja2-2.10.1/jinja2/sandbox.py 2019-04-06 19:47:03.000000000 +0200
@@ -137,7 +137,7 @@
def inspect_format_method(callable):
if not isinstance(callable, (types.MethodType,
types.BuiltinMethodType)) or \
- callable.__name__ != 'format':
+ callable.__name__ not in ('format', 'format_map'):
return None
obj = callable.__self__
if isinstance(obj, string_types):
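Review bot: accepting `format_map` alongside `format` in `inspect_format_method` is the heart of the fix, but the bare `__name__` membership test gives no hint why; a one-line comment above it stating that both methods resolve `{x.attr}` field paths with attribute access, so they must be routed through the sandbox's `getattr`, would save the next reader a trip to the advisory. On Python 2 neither `str` nor `unicode` has `format_map`, so the extra name is inert there, which is consistent with the `skipif` guard on the new tests.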
@@ -402,7 +402,7 @@
obj.__class__.__name__
), name=attribute, obj=obj, exc=SecurityError)

- def format_string(self, s, args, kwargs):
+ def format_string(self, s, args, kwargs, format_func=None):
"""If a format call is detected, then this is routed through this
method so that our safety sandbox can be used for it.
"""
@@ -410,6 +410,17 @@
formatter = SandboxedEscapeFormatter(self, s.escape)
else:
formatter = SandboxedFormatter(self)
+
+ if format_func is not None and format_func.__name__ == 'format_map':
+ if len(args) != 1 or kwargs:
+ raise TypeError(
+ 'format_map() takes exactly one argument %d given'
+ % (len(args) + (kwargs is not None))
+ )
+
+ kwargs = args[0]
+ args = None
+
kwargs = _MagicFormatMapping(args, kwargs)
rv = formatter.vformat(s, args, kwargs)
return type(s)(rv)
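Review bot: the argument count in the TypeError message is off. `kwargs` arrives from `call()` as a dict, never None, so `(kwargs is not None)` always adds 1 and `"x".format_map(a, b)` is reported as "3 given"; `len(args) + len(kwargs)` gives the real number, and a comma or parentheses before the count (`'takes exactly one argument (%d given)'`) would match CPython's wording. Separately, setting `args = None` means a positional field such as `{0}` in a `format_map` string ends up indexing None inside `vformat` and surfaces as a TypeError about NoneType, whereas CPython raises a ValueError for positional fields in `format_map()`; passing an empty tuple instead of None keeps the failure a lookup error. Neither affects the security property, since attribute traversal still goes through `SandboxedFormatter`, but both are visible to template authors.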
@@ -418,7 +429,7 @@
"""Call an object from sandboxed code."""
fmt = inspect_format_method(__obj)
if fmt is not None:
- return __self.format_string(fmt, args, kwargs)
+ return __self.format_string(fmt, args, kwargs, __obj)

# the double prefixes are to avoid double keyword argument
# errors when proxying the call.
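Review bot: passing the whole bound method `__obj` into `format_string` only so that it can re-inspect `__name__` duplicates a check that `inspect_format_method` has just performed. Having `inspect_format_method` return the method name (or a boolean `is_format_map`) next to the format string, and handing that to `format_string`, would keep the name comparison in one place and make the `format_func.__name__ == 'format_map'` branch self-explanatory.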
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/setup.py new/Jinja2-2.10.1/setup.py
--- old/Jinja2-2.10/setup.py 2017-11-08 20:58:35.000000000 +0100
+++ new/Jinja2-2.10.1/setup.py 2019-04-06 20:00:26.000000000 +0200
@@ -40,7 +40,7 @@

setup(
name='Jinja2',
- version='2.10',
+ version='2.10.1',
url='http://jinja.pocoo.org/',
license='BSD',
author='Armin Ronacher',
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Jinja2-2.10/tests/test_security.py
new/Jinja2-2.10.1/tests/test_security.py
--- old/Jinja2-2.10/tests/test_security.py 2017-07-07 21:41:16.000000000
+0200
+++ new/Jinja2-2.10.1/tests/test_security.py 2019-04-06 19:49:02.000000000
+0200
@@ -187,3 +187,22 @@
env = SandboxedEnvironment()
t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42},
"<foo>") }}')
assert t.render() == 'a42b&lt;foo&gt;'
+
+
+@pytest.mark.sandbox
+@pytest.mark.skipif(not hasattr(str, 'format_map'), reason='requires
str.format_map method')
+class TestStringFormatMap(object):
+ def test_basic_format_safety(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
+ assert t.render() == 'ab'
+
+ def test_basic_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
+ assert t.render() == 'a42b'
+
+ def test_safe_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo":
42}, "y":"<foo>"}) }}')
+ assert t.render() == 'a42b&lt;foo&gt;'
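Review bot: the new `TestStringFormatMap` class covers the attribute-escape case and the happy paths, but nothing exercises the argument-count check added to `format_string`; a test along the lines of `with pytest.raises(TypeError): SandboxedEnvironment().from_string('{{ "a".format_map({}, {}) }}').render()` would pin that branch. Note also that `test_basic_format_safety` asserts `'ab'`, i.e. the blocked `{x.__class__}` field renders as an empty undefined value rather than raising `SecurityError`, which matches the existing `.format` tests but is worth a comment so nobody later "fixes" the expectation.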

