Hello community,

here is the log from the commit of package python-Jinja2 for openSUSE:Factory 
checked in at 2025-03-11 20:44:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Jinja2 (Old)
 and      /work/SRC/openSUSE:Factory/.python-Jinja2.new.19136 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-Jinja2"

Tue Mar 11 20:44:00 2025 rev:57 rq:1251789 version:3.1.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Jinja2/python-Jinja2.changes      
2024-12-30 12:50:48.773859978 +0100
+++ /work/SRC/openSUSE:Factory/.python-Jinja2.new.19136/python-Jinja2.changes   
2025-03-11 20:44:26.063980628 +0100
@@ -1,0 +2,7 @@
+Mon Mar 10 08:46:26 UTC 2025 - John Paul Adrian Glaubitz 
<adrian.glaub...@suse.com>
+
+- Update to 3.1.6
+  * The ``|attr`` filter does not bypass the environment's attribute lookup,
+    allowing the sandbox to apply its checks.
+
+-------------------------------------------------------------------

Old:
----
  jinja2-3.1.5.tar.gz

New:
----
  jinja2-3.1.6.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-Jinja2.spec ++++++
--- /var/tmp/diff_new_pack.Mm1h9p/_old  2025-03-11 20:44:27.028020885 +0100
+++ /var/tmp/diff_new_pack.Mm1h9p/_new  2025-03-11 20:44:27.032021051 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-Jinja2
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-Jinja2
-Version:        3.1.5
+Version:        3.1.6
 Release:        0
 Summary:        A template engine written in pure Python
 License:        BSD-3-Clause

++++++ jinja2-3.1.5.tar.gz -> jinja2-3.1.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/PKG-INFO new/jinja2-3.1.6/PKG-INFO
--- old/jinja2-3.1.5/PKG-INFO   1970-01-01 01:00:00.000000000 +0100
+++ new/jinja2-3.1.6/PKG-INFO   1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: Jinja2
-Version: 3.1.5
+Version: 3.1.6
 Summary: A very fast and expressive template engine.
 Maintainer-email: Pallets <cont...@palletsprojects.com>
 Requires-Python: >=3.7
@@ -14,6 +14,7 @@
 Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
 Classifier: Topic :: Text Processing :: Markup :: HTML
 Classifier: Typing :: Typed
+License-File: LICENSE.txt
 Requires-Dist: MarkupSafe>=2.0
 Requires-Dist: Babel>=2.7 ; extra == "i18n"
 Project-URL: Changes, https://jinja.palletsprojects.com/changes/
@@ -73,3 +74,11 @@
 
 [please donate today]: https://palletsprojects.com/donate
 
+## Contributing
+
+See our [detailed contributing documentation][contrib] for many ways to
+contribute, including reporting issues, requesting features, asking or 
answering
+questions, and making PRs.
+
+[contrib]: https://palletsprojects.com/contributing/
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/README.md new/jinja2-3.1.6/README.md
--- old/jinja2-3.1.5/README.md  2024-12-21 19:16:13.000000000 +0100
+++ new/jinja2-3.1.6/README.md  2025-03-05 20:51:17.000000000 +0100
@@ -47,3 +47,11 @@
 donate today][].
 
 [please donate today]: https://palletsprojects.com/donate
+
+## Contributing
+
+See our [detailed contributing documentation][contrib] for many ways to
+contribute, including reporting issues, requesting features, asking or 
answering
+questions, and making PRs.
+
+[contrib]: https://palletsprojects.com/contributing/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/docs/conf.py 
new/jinja2-3.1.6/docs/conf.py
--- old/jinja2-3.1.5/docs/conf.py       2024-12-21 19:16:13.000000000 +0100
+++ new/jinja2-3.1.6/docs/conf.py       2025-03-05 20:51:17.000000000 +0100
@@ -24,7 +24,7 @@
 extlinks = {
     "issue": ("https://github.com/pallets/jinja/issues/%s";, "#%s"),
     "pr": ("https://github.com/pallets/jinja/pull/%s";, "#%s"),
-    "ghsa": ("https://github.com/advisories/GHSA-%s";, "GHSA-%s"),
+    "ghsa": ("https://github.com/pallets/jinja/security/advisories/GHSA-%s";, 
"GHSA-%s"),
 }
 intersphinx_mapping = {
     "python": ("https://docs.python.org/3/";, None),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/src/jinja2/__init__.py 
new/jinja2-3.1.6/src/jinja2/__init__.py
--- old/jinja2-3.1.5/src/jinja2/__init__.py     2024-12-21 19:16:13.000000000 
+0100
+++ new/jinja2-3.1.6/src/jinja2/__init__.py     2025-03-05 20:51:17.000000000 
+0100
@@ -35,4 +35,4 @@
 from .utils import pass_eval_context as pass_eval_context
 from .utils import select_autoescape as select_autoescape
 
-__version__ = "3.1.5"
+__version__ = "3.1.6"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/src/jinja2/filters.py 
new/jinja2-3.1.6/src/jinja2/filters.py
--- old/jinja2-3.1.5/src/jinja2/filters.py      2024-12-21 19:16:13.000000000 
+0100
+++ new/jinja2-3.1.6/src/jinja2/filters.py      2025-03-05 20:51:17.000000000 
+0100
@@ -6,6 +6,7 @@
 import typing
 import typing as t
 from collections import abc
+from inspect import getattr_static
 from itertools import chain
 from itertools import groupby
 
@@ -1411,31 +1412,25 @@
 def do_attr(
     environment: "Environment", obj: t.Any, name: str
 ) -> t.Union[Undefined, t.Any]:
-    """Get an attribute of an object.  ``foo|attr("bar")`` works like
-    ``foo.bar`` just that always an attribute is returned and items are not
-    looked up.
+    """Get an attribute of an object. ``foo|attr("bar")`` works like
+    ``foo.bar``, but returns undefined instead of falling back to 
``foo["bar"]``
+    if the attribute doesn't exist.
 
     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more 
details.
     """
+    # Environment.getattr will fall back to obj[name] if obj.name doesn't 
exist.
+    # But we want to call env.getattr to get behavior such as sandboxing.
+    # Determine if the attr exists first, so we know the fallback won't 
trigger.
     try:
-        name = str(name)
-    except UnicodeError:
-        pass
-    else:
-        try:
-            value = getattr(obj, name)
-        except AttributeError:
-            pass
-        else:
-            if environment.sandboxed:
-                environment = t.cast("SandboxedEnvironment", environment)
-
-                if not environment.is_safe_attribute(obj, name, value):
-                    return environment.unsafe_undefined(obj, name)
-
-            return value
+        # This avoids executing properties/descriptors, but misses __getattr__
+        # and __getattribute__ dynamic attrs.
+        getattr_static(obj, name)
+    except AttributeError:
+        # This finds dynamic attrs, and we know it's not a descriptor at this 
point.
+        if not hasattr(obj, name):
+            return environment.undefined(obj=obj, name=name)
 
-    return environment.undefined(obj=obj, name=name)
+    return environment.getattr(obj, name)
 
 
 @typing.overload
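Review bot: The rewritten body drops the old `name = str(name)` coercion, so a non-string name such as `obj|attr(1)` now reaches `hasattr(obj, name)` and `environment.getattr(obj, name)`, both of which raise TypeError for a non-str attribute name, where the old code coerced and then returned undefined; if that coercion was deliberate, reinstate `name = str(name)` before the `try`. The comment "so we know the fallback won't trigger" also appears to hold only for the existence check itself: a property or descriptor that `getattr_static` finds without executing is still executed by `environment.getattr`, and if it raises AttributeError there, the `obj[name]` fallback the comment above describes will presumably still run, which is the item lookup the docstring says does not happen. A short caveat on that comment, e.g. `# A descriptor that raises AttributeError when accessed can still reach Environment.getattr's item fallback.`, would keep the docstring honest. The sandbox checks still apply on that path, so this is a semantics note rather than a sandbox concern.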
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/jinja2-3.1.5/tests/test_security.py 
new/jinja2-3.1.6/tests/test_security.py
--- old/jinja2-3.1.5/tests/test_security.py     2024-12-21 19:16:13.000000000 
+0100
+++ new/jinja2-3.1.6/tests/test_security.py     2025-03-05 20:51:17.000000000 
+0100
@@ -190,3 +190,13 @@
 
         with pytest.raises(SecurityError):
             t.render()
+
+    def test_attr_filter(self) -> None:
+        env = SandboxedEnvironment()
+        t = env.from_string(
+            """{{ "{0.__call__.__builtins__[__import__]}"
+                  | attr("format")(not_here) }}"""
+        )
+
+        with pytest.raises(SecurityError):
+            t.render()
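Review bot: test_attr_filter pins only the sandboxed path; the existence check filters.py now performs with `getattr_static`/`hasattr` before delegating to `environment.getattr` is not exercised on a plain `Environment` here, so a regression that made `|attr` return undefined for a real attribute, or fall through to item lookup for a missing one, would not be caught by this suite. A companion test on an unsandboxed `Environment` asserting that `{{ obj|attr("x") }}` renders the attribute and that a missing name renders as undefined would cover it, unless tests/test_filters.py already holds one, which I can't see from here. A one-line docstring naming the behaviour pinned, e.g. `"""The attr filter goes through the environment's getattr so sandbox attribute checks apply."""`, would also help. The enclosing test class starts outside the hunk.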
