Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Piotr Ożarowski <pi...@debian.org>
Control: block -1 by 1070712

  * CVE-2024-22195: HTML attribute injection (Closes: #1060748)
  * CVE-2024-34064: HTML attribute injection (Closes: #1070712)

Tagged moreinfo, waiting for the fix for #1070712 to enter unstable
(NMU uploaded to DELAYED/7).
diffstat for jinja2-3.1.2 jinja2-3.1.2

 changelog                                                               |    8 
+
 patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch            |   78 
++++++++++
 patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch |   78 
++++++++++
 patches/series                                                          |    2 
 4 files changed, 166 insertions(+)

diff -Nru jinja2-3.1.2/debian/changelog jinja2-3.1.2/debian/changelog
--- jinja2-3.1.2/debian/changelog       2023-02-24 17:15:45.000000000 +0200
+++ jinja2-3.1.2/debian/changelog       2024-12-07 19:15:36.000000000 +0200
@@ -1,3 +1,11 @@
+jinja2 (3.1.2-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-22195: HTML attribute injection (Closes: #1060748)
+  * CVE-2024-34064: HTML attribute injection (Closes: #1070712)
+
+ -- Adrian Bunk <b...@debian.org>  Sat, 07 Dec 2024 19:15:36 +0200
+
 jinja2 (3.1.2-1) unstable; urgency=medium
 
   [ Thomas Goirand ]
diff -Nru 
jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch
 
jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch
--- 
jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch
    1970-01-01 02:00:00.000000000 +0200
+++ 
jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch
    2024-12-07 19:15:36.000000000 +0200
@@ -0,0 +1,78 @@
+From 77f43366d3a7e0e3b998e3edee6718af544b5487 Mon Sep 17 00:00:00 2001
+From: Calum Hutton <calum.hut...@snyk.io>
+Date: Thu, 26 Oct 2023 12:08:53 +0100
+Subject: xmlattr filter disallows keys with spaces
+
+---
+ src/jinja2/filters.py | 25 ++++++++++++++++++-------
+ tests/test_filters.py |  6 ++++++
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index ed07c4c..3e07526 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) 
-> t.Iterator[t.Tuple[K
+     yield from value.items()
+ 
+ 
++_space_re = re.compile(r"\s", flags=re.ASCII)
++
++
+ @pass_eval_context
+ def do_xmlattr(
+     eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
+ ) -> str:
+     """Create an SGML/XML attribute string based on the items in a dict.
+-    All values that are neither `none` nor `undefined` are automatically
+-    escaped:
++
++    If any key contains a space, this fails with a ``ValueError``. Values that
++    are neither ``none`` nor ``undefined`` are automatically escaped.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -274,11 +278,18 @@ def do_xmlattr(
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
+     """
+-    rv = " ".join(
+-        f'{escape(key)}="{escape(value)}"'
+-        for key, value in d.items()
+-        if value is not None and not isinstance(value, Undefined)
+-    )
++    items = []
++
++    for key, value in d.items():
++        if value is None or isinstance(value, Undefined):
++            continue
++
++        if _space_re.search(key) is not None:
++            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++
++        items.append(f'{escape(key)}="{escape(value)}"')
++
++    rv = " ".join(items)
+ 
+     if autospace and rv:
+         rv = " " + rv
+diff --git a/tests/test_filters.py b/tests/test_filters.py
+index 73f0f0b..a184649 100644
+--- a/tests/test_filters.py
++++ b/tests/test_filters.py
+@@ -474,6 +474,12 @@ class TestFilter:
+         assert 'bar="23"' in out
+         assert 'blub:blub="&lt;?&gt;"' in out
+ 
++    def test_xmlattr_key_with_spaces(self, env):
++        with pytest.raises(ValueError, match="Spaces are not allowed"):
++            env.from_string(
++                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
++            ).render()
++
+     def test_sort1(self, env):
+         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) 
}}")
+         assert tmpl.render() == "[1, 2, 3]|[3, 2, 1]"
+-- 
+2.30.2
+
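Review bot: The new guard `_space_re.search(key)` in `do_xmlattr` assumes every key is a `str`, so a mapping with a non-string key (an integer, for example) now fails with a `TypeError` from `re`, whereas the removed generator passed the key through `escape()` and rendered it. For a stable update that looks like an unintended behaviour change; coercing first, `if _space_re.search(str(key)) is not None:`, keeps the check and the old tolerance. Patch 0002 carries the same call shape forward as `_attr_key_re.search(key)`, so the adjustment belongs in that final state as well. Only part of `do_xmlattr` is visible here (the middle of its docstring and its return are outside the hunk), so whether keys are normalised elsewhere cannot be confirmed from this diff.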
diff -Nru 
jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
 
jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
--- 
jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
 2024-12-07 19:15:36.000000000 +0200
@@ -0,0 +1,78 @@
+From 7be792b4f0d424a8b0458e8bc4acd0fa2a7d8221 Mon Sep 17 00:00:00 2001
+From: David Lord <david...@gmail.com>
+Date: Thu, 2 May 2024 09:14:00 -0700
+Subject: disallow invalid characters in keys to xmlattr filter
+
+---
+ src/jinja2/filters.py | 18 +++++++++++++-----
+ tests/test_filters.py | 11 ++++++-----
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index 3e07526..ea5678a 100644
+--- a/src/jinja2/filters.py
++++ b/src/jinja2/filters.py
+@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) 
-> t.Iterator[t.Tuple[K
+     yield from value.items()
+ 
+ 
+-_space_re = re.compile(r"\s", flags=re.ASCII)
++# Check for characters that would move the parser state from key to value.
++# https://html.spec.whatwg.org/#attribute-name-state
++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+ 
+ 
+ @pass_eval_context
+@@ -257,8 +259,14 @@ def do_xmlattr(
+ ) -> str:
+     """Create an SGML/XML attribute string based on the items in a dict.
+ 
+-    If any key contains a space, this fails with a ``ValueError``. Values that
+-    are neither ``none`` nor ``undefined`` are automatically escaped.
++    **Values** that are neither ``none`` nor ``undefined`` are automatically
++    escaped, safely allowing untrusted user input.
++
++    User input should not be used as **keys** to this filter. If any key
++    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
++    sign, this fails with a ``ValueError``. Regardless of this, user input
++    should never be used as keys to this filter, or must be separately 
validated
++    first.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -284,8 +292,8 @@ def do_xmlattr(
+         if value is None or isinstance(value, Undefined):
+             continue
+ 
+-        if _space_re.search(key) is not None:
+-            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++        if _attr_key_re.search(key) is not None:
++            raise ValueError(f"Invalid character in attribute name: {key!r}")
+ 
+         items.append(f'{escape(key)}="{escape(value)}"')
+ 
+diff --git a/tests/test_filters.py b/tests/test_filters.py
+index a184649..c9ec7da 100644
+--- a/tests/test_filters.py
++++ b/tests/test_filters.py
+@@ -474,11 +474,12 @@ class TestFilter:
+         assert 'bar="23"' in out
+         assert 'blub:blub="&lt;?&gt;"' in out
+ 
+-    def test_xmlattr_key_with_spaces(self, env):
+-        with pytest.raises(ValueError, match="Spaces are not allowed"):
+-            env.from_string(
+-                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
+-            ).render()
++    @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
++    def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
++        with pytest.raises(ValueError, match="Invalid character"):
++            env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
++                key=f"class{sep}onclick=alert(1)"
++            )
+ 
+     def test_sort1(self, env):
+         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) 
}}")
+-- 
+2.30.2
+
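Review bot: The parametrized `test_xmlattr_key_invalid` does not exercise every character the new `_attr_key_re` pattern rejects: `\s` under `re.ASCII` also matches `\r` and `\v`, and neither is in the `sep` tuple. Extending it to `("\t", "\n", "\r", "\f", "\v", " ", "/", ">", "=")` pins the full rejected set, so a later narrowing of the pattern would be caught by the test suite. The docstring added in the same patch says a key containing "a space" fails, while the pattern rejects any ASCII whitespace; wording it as "If any key contains whitespace, a ``/`` solidus, ..." would match the code. The body of `do_xmlattr` extends beyond the hunks shown.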
diff -Nru jinja2-3.1.2/debian/patches/series jinja2-3.1.2/debian/patches/series
--- jinja2-3.1.2/debian/patches/series  2023-02-24 17:09:22.000000000 +0200
+++ jinja2-3.1.2/debian/patches/series  2024-12-07 19:15:36.000000000 +0200
@@ -1,3 +1,5 @@
 py3.9-fix-collections-import.patch
 0002-docs-disable-sphinxcontrib.log_cabinet.patch
 0003-fix-nose-leftovers.patch
+0001-xmlattr-filter-disallows-keys-with-spaces.patch
+0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch
