Hello community, here is the log from the commit of package python-Jinja2 for openSUSE:Factory checked in at 2019-04-19 18:36:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-Jinja2 (Old) and /work/SRC/openSUSE:Factory/.python-Jinja2.new.5536 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Jinja2" Fri Apr 19 18:36:56 2019 rev:34 rq:694206 version:2.10.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-Jinja2/python-Jinja2.changes 2019-02-24 20:46:46.607875353 +0100 +++ /work/SRC/openSUSE:Factory/.python-Jinja2.new.5536/python-Jinja2.changes 2019-04-19 18:36:58.195077021 +0200 @@ -1,0 +2,13 @@ +Sat Apr 13 16:46:23 UTC 2019 - Jan Engelhardt <[email protected]> + +- Trim bias from descriptions. Make sure % is escaped. + +------------------------------------------------------------------- +Sat Apr 13 03:06:31 UTC 2019 - Arun Persaud <[email protected]> + +- update to version 2.10.1 (bsc#1132323, CVE-2019-10906): + * "SandboxedEnvironment" securely handles "str.format_map" in order + to prevent code execution through untrusted format strings. The + sandbox already handled "str.format". + +------------------------------------------------------------------- Old: ---- Jinja2-2.10.tar.gz New: ---- Jinja2-2.10.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-Jinja2.spec ++++++ --- /var/tmp/diff_new_pack.W9LVDx/_old 2019-04-19 18:36:59.515078698 +0200 +++ /var/tmp/diff_new_pack.W9LVDx/_new 2019-04-19 18:36:59.519078702 +0200 @@ -19,9 +19,9 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-Jinja2 -Version: 2.10 +Version: 2.10.1 Release: 0 -Summary: A fast and easy to use template engine written in pure Python +Summary: A template engine written in pure Python License: BSD-3-Clause Group: Development/Languages/Python URL: http://jinja.pocoo.org/ 
@@ -45,15 +45,15 @@ inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Here a small example of a Jinja template: - {% extends 'base.html' %} - {% block title %}Memberlist{% endblock %} - {% block content %} + {%% extends 'base.html' %%} + {%% block title %%}Memberlist{%% endblock %%} + {%% block content %%} <ul> - {% for user in users %} + {%% for user in users %%} <li><a href="{{ user.url }}">{{ user.username }}</a></li> - {% endfor %} + {%% endfor %%} </ul> - {% endblock %} + {%% endblock %%} %package -n python-Jinja2-vim Summary: Jinja2 syntax files for Vim @@ -95,7 +95,7 @@ %endif %check -%python_exec -m pytest +%pytest %files %{python_files} %license LICENSE ++++++ Jinja2-2.10.tar.gz -> Jinja2-2.10.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/CHANGES.rst new/Jinja2-2.10.1/CHANGES.rst --- old/Jinja2-2.10/CHANGES.rst 2017-11-08 20:47:12.000000000 +0100 +++ new/Jinja2-2.10.1/CHANGES.rst 2019-04-06 19:55:05.000000000 +0200 @@ -2,6 +2,16 @@ =============== +Version 2.10.1 +-------------- + +Released 2019-04-06 + +- ``SandboxedEnvironment`` securely handles ``str.format_map`` in + order to prevent code execution through untrusted format strings. + The sandbox already handled ``str.format``. + + Version 2.10 ------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/Jinja2.egg-info/PKG-INFO new/Jinja2-2.10.1/Jinja2.egg-info/PKG-INFO --- old/Jinja2-2.10/Jinja2.egg-info/PKG-INFO 2017-11-08 20:58:36.000000000 +0100 +++ new/Jinja2-2.10.1/Jinja2.egg-info/PKG-INFO 2019-04-06 20:59:52.000000000 +0200 
@@ -1,12 +1,11 @@ -Metadata-Version: 1.1 +Metadata-Version: 2.1 Name: Jinja2 -Version: 2.10 +Version: 2.10.1 Summary: A small but fast and easy to use stand-alone template engine written in pure python. Home-page: http://jinja.pocoo.org/ Author: Armin Ronacher Author-email: [email protected] License: BSD -Description-Content-Type: UNKNOWN Description: Jinja2 ~~~~~~ @@ -61,3 +60,4 @@ Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Topic :: Text Processing :: Markup :: HTML +Provides-Extra: i18n diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/PKG-INFO new/Jinja2-2.10.1/PKG-INFO --- old/Jinja2-2.10/PKG-INFO 2017-11-08 20:58:36.000000000 +0100 +++ new/Jinja2-2.10.1/PKG-INFO 2019-04-06 20:59:52.000000000 +0200 @@ -1,12 +1,11 @@ -Metadata-Version: 1.1 +Metadata-Version: 2.1 Name: Jinja2 -Version: 2.10 +Version: 2.10.1 Summary: A small but fast and easy to use stand-alone template engine written in pure python. Home-page: http://jinja.pocoo.org/ Author: Armin Ronacher Author-email: [email protected] License: BSD -Description-Content-Type: UNKNOWN Description: Jinja2 ~~~~~~ @@ -61,3 +60,4 @@ Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Topic :: Text Processing :: Markup :: HTML +Provides-Extra: i18n diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/jinja2/__init__.py new/Jinja2-2.10.1/jinja2/__init__.py --- old/Jinja2-2.10/jinja2/__init__.py 2017-11-08 20:58:35.000000000 +0100 +++ new/Jinja2-2.10.1/jinja2/__init__.py 2019-04-06 19:50:57.000000000 +0200 
@@ -27,7 +27,7 @@ :license: BSD, see LICENSE for more details. """ __docformat__ = 'restructuredtext en' -__version__ = '2.10' +__version__ = '2.10.1' # high level interface from jinja2.environment import Environment, Template diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/jinja2/sandbox.py new/Jinja2-2.10.1/jinja2/sandbox.py --- old/Jinja2-2.10/jinja2/sandbox.py 2017-07-08 18:20:20.000000000 +0200 +++ new/Jinja2-2.10.1/jinja2/sandbox.py 2019-04-06 19:47:03.000000000 +0200 @@ -137,7 +137,7 @@ def inspect_format_method(callable): if not isinstance(callable, (types.MethodType, types.BuiltinMethodType)) or \ - callable.__name__ != 'format': + callable.__name__ not in ('format', 'format_map'): return None obj = callable.__self__ if isinstance(obj, string_types): @@ -402,7 +402,7 @@ obj.__class__.__name__ ), name=attribute, obj=obj, exc=SecurityError) - def format_string(self, s, args, kwargs): + def format_string(self, s, args, kwargs, format_func=None): """If a format call is detected, then this is routed through this method so that our safety sandbox can be used for it. """ @@ -410,6 +410,17 @@ formatter = SandboxedEscapeFormatter(self, s.escape) else: formatter = SandboxedFormatter(self) + + if format_func is not None and format_func.__name__ == 'format_map': + if len(args) != 1 or kwargs: + raise TypeError( + 'format_map() takes exactly one argument %d given' + % (len(args) + (kwargs is not None)) + ) + + kwargs = args[0] + args = None + kwargs = _MagicFormatMapping(args, kwargs) rv = formatter.vformat(s, args, kwargs) return type(s)(rv) 
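Review bot: The docstring of `format_string` in the `@@ -402` hunk still only says that a detected format call is routed through here and says nothing about the new `format_func` parameter, so a reader has to find the `format_map` branch further down to learn what it is for. I would extend it with `:param format_func: the bound ``str.format`` or ``str.format_map`` method that was intercepted, or None; for ``format_map`` the single positional argument is taken as the mapping.` The body of `format_string` continues past this hunk.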
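Review bot: In the `format_map` branch of the `@@ -410` hunk, `args = None` hands `vformat` no positional tuple, yet `string.Formatter.get_value` indexes `args` for numbered or auto-numbered fields (`{0}`, `{}`), and `_MagicFormatMapping` appears to do the same for the empty key, so `"{}".format_map({...})` inside the sandbox would surface as a `TypeError` about `NoneType` not being subscriptable instead of the positional-field error CPython raises; `args = ()` keeps those paths on their normal LookupError handling. The argument count in the new `TypeError` message also looks off by one: `kwargs` appears to be the `**kwargs` dict forwarded from `call`, so `(kwargs is not None)` is always 1 and the message reports one more argument than was passed — `len(args) + bool(kwargs)` would match CPython's wording. `format_string` begins before this hunk.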
@@ -418,7 +429,7 @@ """Call an object from sandboxed code.""" fmt = inspect_format_method(__obj) if fmt is not None: - return __self.format_string(fmt, args, kwargs) + return __self.format_string(fmt, args, kwargs, __obj) # the double prefixes are to avoid double keyword argument # errors when proxying the call. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/setup.py new/Jinja2-2.10.1/setup.py --- old/Jinja2-2.10/setup.py 2017-11-08 20:58:35.000000000 +0100 +++ new/Jinja2-2.10.1/setup.py 2019-04-06 20:00:26.000000000 +0200 @@ -40,7 +40,7 @@ setup( name='Jinja2', - version='2.10', + version='2.10.1', url='http://jinja.pocoo.org/', license='BSD', author='Armin Ronacher', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Jinja2-2.10/tests/test_security.py new/Jinja2-2.10.1/tests/test_security.py --- old/Jinja2-2.10/tests/test_security.py 2017-07-07 21:41:16.000000000 +0200 +++ new/Jinja2-2.10.1/tests/test_security.py 2019-04-06 19:49:02.000000000 +0200 @@ -187,3 +187,22 @@ env = SandboxedEnvironment() t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}') assert t.render() == 'a42b<foo>' + + [email protected] [email protected](not hasattr(str, 'format_map'), reason='requires str.format_map method') +class TestStringFormatMap(object): + def test_basic_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}') + assert t.render() == 'ab' + + def test_basic_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}') + assert t.render() == 'a42b' + + def test_safe_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}') + assert t.render() == 'a42b<foo>'
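Review bot: The new `TestStringFormatMap` class covers attribute blocking and the happy path but never calls `format_map` with the wrong number of arguments, so the `TypeError` branch added to `format_string` (and its argument-count message) is not exercised, nor is a numbered or auto-numbered field such as `{}` in a `format_map` string. I would add `t = env.from_string('{{ "{x}".format_map({"x": 1}, {"x": 2}) }}')` followed by `pytest.raises(TypeError, t.render)` in the same class. The `@pytest.mark.sandbox`/`@pytest.mark.skipif` decorator lines appear mangled in the captured hunk ("[email protected]"), presumably an extraction artefact rather than the file's content.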
