|
 |
7e9da6 |
From 2b76a5a3aa898fd1621c72c6da935cddfb484424 Mon Sep 17 00:00:00 2001
|
|
|
7e9da6 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
7e9da6 |
Date: Fri, 12 Mar 2021 14:34:06 +0100
|
|
|
7e9da6 |
Subject: [PATCH] CVE-2020-28493
|
|
|
7e9da6 |
|
|
|
7e9da6 |
---
|
|
|
7e9da6 |
Jinja2-2.10.1/jinja2/utils.py | 94 +++++++++++++++++++++--------------
|
|
|
7e9da6 |
1 file changed, 56 insertions(+), 38 deletions(-)
|
|
|
7e9da6 |
|
|
|
7e9da6 |
diff --git a/Jinja2-2.10.1/jinja2/utils.py b/Jinja2-2.10.1/jinja2/utils.py
|
|
|
7e9da6 |
index 502a311..25dd78f 100644
|
|
|
7e9da6 |
--- a/Jinja2-2.10/jinja2/utils.py
|
|
|
7e9da6 |
+++ b/Jinja2-2.10/jinja2/utils.py
|
|
|
7e9da6 |
@@ -12,24 +12,12 @@ import re
|
|
|
7e9da6 |
import json
|
|
|
7e9da6 |
import errno
|
|
|
7e9da6 |
from collections import deque
|
|
|
7e9da6 |
+from string import ascii_letters as _letters
|
|
|
7e9da6 |
+from string import digits as _digits
|
|
|
7e9da6 |
from threading import Lock
|
|
|
7e9da6 |
from jinja2._compat import text_type, string_types, implements_iterator, \
|
|
|
7e9da6 |
url_quote
|
|
|
7e9da6 |
|
|
|
7e9da6 |
-
|
|
|
7e9da6 |
-_word_split_re = re.compile(r'(\s+)')
|
|
|
7e9da6 |
-_punctuation_re = re.compile(
|
|
|
7e9da6 |
- '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
|
|
|
7e9da6 |
- '|'.join(map(re.escape, ('(', '<', '<'))),
|
|
|
7e9da6 |
- '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '>')))
|
|
|
7e9da6 |
- )
|
|
|
7e9da6 |
-)
|
|
|
7e9da6 |
-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
|
|
|
7e9da6 |
-_striptags_re = re.compile(r'(|<[^>]*>)')
|
|
|
7e9da6 |
-_entity_re = re.compile(r'&([^;]+);')
|
|
|
7e9da6 |
-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
|
|
|
7e9da6 |
-_digits = '0123456789'
|
|
|
7e9da6 |
-
|
|
|
7e9da6 |
# special singleton representing missing values for the runtime
|
|
|
7e9da6 |
missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
|
|
|
7e9da6 |
|
|
|
7e9da6 |
@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
|
|
|
7e9da6 |
trim_url = lambda x, limit=trim_url_limit: limit is not None \
|
|
|
7e9da6 |
and (x[:limit] + (len(x) >=limit and '...'
|
|
|
7e9da6 |
or '')) or x
|
|
|
7e9da6 |
- words = _word_split_re.split(text_type(escape(text)))
|
|
|
7e9da6 |
+ words = re.split(r"(\s+)", text_type(escape(text)))
|
|
|
7e9da6 |
rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
|
|
|
7e9da6 |
target_attr = target and ' target="%s"' % escape(target) or ''
|
|
|
7e9da6 |
|
|
|
7e9da6 |
for i, word in enumerate(words):
|
|
|
7e9da6 |
- match = _punctuation_re.match(word)
|
|
|
7e9da6 |
+ head, middle, tail = "", word, ""
|
|
|
7e9da6 |
+ match = re.match(r"^([(<]|<)+", middle)
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
if match:
|
|
|
7e9da6 |
- lead, middle, trail = match.groups()
|
|
|
7e9da6 |
- if middle.startswith('www.') or (
|
|
|
7e9da6 |
- '@' not in middle and
|
|
|
7e9da6 |
- not middle.startswith('http://') and
|
|
|
7e9da6 |
- not middle.startswith('https://') and
|
|
|
7e9da6 |
- len(middle) > 0 and
|
|
|
7e9da6 |
- middle[0] in _letters + _digits and (
|
|
|
7e9da6 |
- middle.endswith('.org') or
|
|
|
7e9da6 |
- middle.endswith('.net') or
|
|
|
7e9da6 |
- middle.endswith('.com')
|
|
|
7e9da6 |
- )):
|
|
|
7e9da6 |
- middle = '%s' % (middle,
|
|
|
7e9da6 |
- rel_attr, target_attr, trim_url(middle))
|
|
|
7e9da6 |
- if middle.startswith('http://') or \
|
|
|
7e9da6 |
- middle.startswith('https://'):
|
|
|
7e9da6 |
- middle = '%s' % (middle,
|
|
|
7e9da6 |
- rel_attr, target_attr, trim_url(middle))
|
|
|
7e9da6 |
- if '@' in middle and not middle.startswith('www.') and \
|
|
|
7e9da6 |
- not ':' in middle and _simple_email_re.match(middle):
|
|
|
7e9da6 |
- middle = '%s' % (middle, middle)
|
|
|
7e9da6 |
- if lead + middle + trail != word:
|
|
|
7e9da6 |
- words[i] = lead + middle + trail
|
|
|
7e9da6 |
+ head = match.group()
|
|
|
7e9da6 |
+ middle = middle[match.end() :]
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ # Unlike lead, which is anchored to the start of the string,
|
|
|
7e9da6 |
+ # need to check that the string ends with any of the characters
|
|
|
7e9da6 |
+ # before trying to match all of them, to avoid backtracking.
|
|
|
7e9da6 |
+ if middle.endswith((")", ">", ".", ",", "\n", ">")):
|
|
|
7e9da6 |
+ match = re.search(r"([)>.,\n]|>)+$", middle)
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ if match:
|
|
|
7e9da6 |
+ tail = match.group()
|
|
|
7e9da6 |
+ middle = middle[: match.start()]
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ if middle.startswith("www.") or (
|
|
|
7e9da6 |
+ "@" not in middle
|
|
|
7e9da6 |
+ and not middle.startswith("http://")
|
|
|
7e9da6 |
+ and not middle.startswith("https://")
|
|
|
7e9da6 |
+ and len(middle) > 0
|
|
|
7e9da6 |
+ and middle[0] in _letters + _digits
|
|
|
7e9da6 |
+ and (
|
|
|
7e9da6 |
+ middle.endswith(".org")
|
|
|
7e9da6 |
+ or middle.endswith(".net")
|
|
|
7e9da6 |
+ or middle.endswith(".com")
|
|
|
7e9da6 |
+ )
|
|
|
7e9da6 |
+ ):
|
|
|
7e9da6 |
+ middle = '%s' % (
|
|
|
7e9da6 |
+ middle,
|
|
|
7e9da6 |
+ rel_attr,
|
|
|
7e9da6 |
+ target_attr,
|
|
|
7e9da6 |
+ trim_url(middle),
|
|
|
7e9da6 |
+ )
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ if middle.startswith("http://") or middle.startswith("https://"):
|
|
|
7e9da6 |
+ middle = '%s' % (
|
|
|
7e9da6 |
+ middle,
|
|
|
7e9da6 |
+ rel_attr,
|
|
|
7e9da6 |
+ target_attr,
|
|
|
7e9da6 |
+ trim_url(middle),
|
|
|
7e9da6 |
+ )
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ if (
|
|
|
7e9da6 |
+ "@" in middle
|
|
|
7e9da6 |
+ and not middle.startswith("www.")
|
|
|
7e9da6 |
+ and ":" not in middle
|
|
|
7e9da6 |
+ and re.match(r"^\S@\w[\w.-]*\.\w$", middle)
|
|
|
7e9da6 |
+ ):
|
|
|
7e9da6 |
+ middle = '%s' % (middle, middle)
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
+ words[i] = head + middle + tail
|
|
|
7e9da6 |
+
|
|
|
7e9da6 |
return u''.join(words)
|
|
|
7e9da6 |
|
|
|
7e9da6 |
|
|
|
7e9da6 |
--
|
|
|
7e9da6 |
2.29.2
|
|
|
7e9da6 |
|