Version in base suite: 3.1.2-1 Base version: jinja2_3.1.2-1 Target version: jinja2_3.1.2-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jinja2/jinja2_3.1.2-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jinja2/jinja2_3.1.2-1+deb12u1.dsc changelog | 8 + patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch | 78 ++++++++++ patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch | 78 ++++++++++ patches/series | 2 4 files changed, 166 insertions(+) diff -Nru jinja2-3.1.2/debian/changelog jinja2-3.1.2/debian/changelog --- jinja2-3.1.2/debian/changelog 2023-02-24 15:15:45.000000000 +0000 +++ jinja2-3.1.2/debian/changelog 2024-12-07 17:15:36.000000000 +0000 @@ -1,3 +1,11 @@ +jinja2 (3.1.2-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2024-22195: HTML attribute injection (Closes: #1060748) + * CVE-2024-34064: HTML attribute injection (Closes: #1070712) + + -- Adrian Bunk Sat, 07 Dec 2024 19:15:36 +0200 + jinja2 (3.1.2-1) unstable; urgency=medium [ Thomas Goirand ] diff -Nru jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch --- jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch 1970-01-01 00:00:00.000000000 +0000 +++ jinja2-3.1.2/debian/patches/0001-xmlattr-filter-disallows-keys-with-spaces.patch 2024-12-07 17:15:36.000000000 +0000 @@ -0,0 +1,78 @@ +From 77f43366d3a7e0e3b998e3edee6718af544b5487 Mon Sep 17 00:00:00 2001 +From: Calum Hutton +Date: Thu, 26 Oct 2023 12:08:53 +0100 +Subject: xmlattr filter disallows keys with spaces + +--- + src/jinja2/filters.py | 25 ++++++++++++++++++------- + tests/test_filters.py | 6 ++++++ + 2 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py +index ed07c4c..3e07526 100644 +--- a/src/jinja2/filters.py ++++ b/src/jinja2/filters.py +@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K + yield from value.items() + + ++_space_re = re.compile(r"\s", flags=re.ASCII) ++ ++ + @pass_eval_context + def do_xmlattr( + eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True + ) -> str: + """Create an SGML/XML attribute string based on the items in a dict. +- All values that are neither `none` nor `undefined` are automatically +- escaped: ++ ++ If any key contains a space, this fails with a ``ValueError``. Values that ++ are neither ``none`` nor ``undefined`` are automatically escaped. + + .. sourcecode:: html+jinja + +@@ -274,11 +278,18 @@ def do_xmlattr( + As you can see it automatically prepends a space in front of the item + if the filter returned something unless the second parameter is false. + """ +- rv = " ".join( +- f'{escape(key)}="{escape(value)}"' +- for key, value in d.items() +- if value is not None and not isinstance(value, Undefined) +- ) ++ items = [] ++ ++ for key, value in d.items(): ++ if value is None or isinstance(value, Undefined): ++ continue ++ ++ if _space_re.search(key) is not None: ++ raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ ++ items.append(f'{escape(key)}="{escape(value)}"') ++ ++ rv = " ".join(items) + + if autospace and rv: + rv = " " + rv +diff --git a/tests/test_filters.py b/tests/test_filters.py +index 73f0f0b..a184649 100644 +--- a/tests/test_filters.py ++++ b/tests/test_filters.py +@@ -474,6 +474,12 @@ class TestFilter: + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + ++ def test_xmlattr_key_with_spaces(self, env): ++ with pytest.raises(ValueError, match="Spaces are not allowed"): ++ env.from_string( ++ "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" ++ ).render() ++ + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") + assert tmpl.render() == "[1, 2, 3]|[3, 2, 1]" +-- +2.30.2 + diff -Nru jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch --- jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch 1970-01-01 00:00:00.000000000 +0000 +++ jinja2-3.1.2/debian/patches/0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch 2024-12-07 17:15:36.000000000 +0000 @@ -0,0 +1,78 @@ +From 7be792b4f0d424a8b0458e8bc4acd0fa2a7d8221 Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Thu, 2 May 2024 09:14:00 -0700 +Subject: disallow invalid characters in keys to xmlattr filter + +--- + src/jinja2/filters.py | 18 +++++++++++++----- + tests/test_filters.py | 11 ++++++----- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py +index 3e07526..ea5678a 100644 +--- a/src/jinja2/filters.py ++++ b/src/jinja2/filters.py +@@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K + yield from value.items() + + +-_space_re = re.compile(r"\s", flags=re.ASCII) ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) + + + @pass_eval_context +@@ -257,8 +259,14 @@ def do_xmlattr( + ) -> str: + """Create an SGML/XML attribute string based on the items in a dict. + +- If any key contains a space, this fails with a ``ValueError``. Values that +- are neither ``none`` nor ``undefined`` are automatically escaped. ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -284,8 +292,8 @@ def do_xmlattr( + if value is None or isinstance(value, Undefined): + continue + +- if _space_re.search(key) is not None: +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") ++ if _attr_key_re.search(key) is not None: ++ raise ValueError(f"Invalid character in attribute name: {key!r}") + + items.append(f'{escape(key)}="{escape(value)}"') + +diff --git a/tests/test_filters.py b/tests/test_filters.py +index a184649..c9ec7da 100644 +--- a/tests/test_filters.py ++++ b/tests/test_filters.py +@@ -474,11 +474,12 @@ class TestFilter: + assert 'bar="23"' in out + assert 'blub:blub="<?>"' in out + +- def test_xmlattr_key_with_spaces(self, env): +- with pytest.raises(ValueError, match="Spaces are not allowed"): +- env.from_string( +- "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" +- ).render() ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) + + def test_sort1(self, env): + tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") +-- +2.30.2 + diff -Nru jinja2-3.1.2/debian/patches/series jinja2-3.1.2/debian/patches/series --- jinja2-3.1.2/debian/patches/series 2023-02-24 15:09:22.000000000 +0000 +++ jinja2-3.1.2/debian/patches/series 2024-12-07 17:15:36.000000000 +0000 @@ -1,3 +1,5 @@ py3.9-fix-collections-import.patch 0002-docs-disable-sphinxcontrib.log_cabinet.patch 0003-fix-nose-leftovers.patch +0001-xmlattr-filter-disallows-keys-with-spaces.patch +0002-disallow-invalid-characters-in-keys-to-xmlattr-filte.patch