diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e502645
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/Jinja2-2.7.2.tar.gz
diff --git a/.python-jinja2.metadata b/.python-jinja2.metadata
new file mode 100644
index 0000000..7b5ebf1
--- /dev/null
+++ b/.python-jinja2.metadata
@@ -0,0 +1 @@
+1ce4c8bc722444ec3e77ef9db76faebbd17a40d8 SOURCES/Jinja2-2.7.2.tar.gz
diff --git a/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch b/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch
new file mode 100644
index 0000000..e95d938
--- /dev/null
+++ b/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch
@@ -0,0 +1,25 @@
+From 99d0f3165ace0befd9eafd661be6e0c23d5f9ba5 Mon Sep 17 00:00:00 2001
+From: Gabi Davar
+Date: Fri, 16 Aug 2013 16:18:35 +0300
+Subject: [PATCH] align jinjaext with the rest of the computability cleanups
+
+---
+ docs/jinjaext.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/jinjaext.py b/docs/jinjaext.py
+index 8395a55..3c217f8 100644
+--- a/docs/jinjaext.py
++++ b/docs/jinjaext.py
+@@ -23,7 +23,7 @@
+ from pygments.token import Keyword, Name, Comment, String, Error, \
+ Number, Operator, Generic
+ from jinja2 import Environment, FileSystemLoader
+-from jinja2.utils import next
++from jinja2._compat import next
+
+
+ def parse_rst(state, content_offset, doc):
+--
+1.8.1.6
+
diff --git a/SOURCES/python-jinja2-fix-CVE-2014-0012.patch b/SOURCES/python-jinja2-fix-CVE-2014-0012.patch
new file mode 100644
index 0000000..7ba16db
--- /dev/null
+++ b/SOURCES/python-jinja2-fix-CVE-2014-0012.patch
@@ -0,0 +1,27 @@
+diff --git a/jinja2/bccache.py b/jinja2/bccache.py
+index 09ff845..c31a905 100644
+--- a/jinja2/bccache.py
++++ b/jinja2/bccache.py
+@@ -16,6 +16,7 @@
+ """
+ from os import path, listdir
+ import os
++import stat
+ import sys
+ import errno
+ import marshal
+@@ -230,6 +231,14 @@ class FileSystemBytecodeCache(BytecodeCache):
+ if e.errno != errno.EEXIST:
+ raise
+
++ if os.lstat(actual_dir).st_uid != os.getuid():
++ raise RuntimeError('Someone else owns temp directory with your '
++ 'uid. You need to explicitly provide another.')
++
++ if stat.S_IMODE(os.lstat(actual_dir).st_mode) != 448:
++ raise RuntimeError('Bad permission flags on temp directory, '
++ 'shoud be 0700. You need to fix this.')
++
+ return actual_dir
+
+ def _get_cache_filename(self, bucket):
diff --git a/SOURCES/python-jinja2-fix-CVE-2016-10745.patch b/SOURCES/python-jinja2-fix-CVE-2016-10745.patch
new file mode 100644
index 0000000..143b67e
--- /dev/null
+++ b/SOURCES/python-jinja2-fix-CVE-2016-10745.patch
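Review bot: The permission test in the second bccache.py hunk compares `stat.S_IMODE(...)` with the bare decimal `448`, and the directory is `lstat`ed twice, so the uid check and the mode check can observe two different states of the same path. Take one snapshot and compare against the named constant: `st = os.lstat(actual_dir)`, then `if st.st_uid != os.getuid():` and `if stat.S_IMODE(st.st_mode) != stat.S_IRWXU:` (S_IRWXU is 0o700, what the message already promises). The message on the following line also misspells "should": `'shoud be 0700. You need to fix this.'`. The method these lines belong to starts before the hunk, so the creation call whose EEXIST is tolerated just above is not visible here; what is visible is that a pre-existing directory or symlink owned by another uid, or one with wider permissions, is now rejected with RuntimeError rather than used.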
@@ -0,0 +1,218 @@
+diff --git a/jinja2/nodes.py b/jinja2/nodes.py
+index c5697e6..9465943 100644
+--- a/jinja2/nodes.py
++++ b/jinja2/nodes.py
+@@ -599,7 +599,7 @@ class Call(Expr):
+
+ def as_const(self, eval_ctx=None):
+ eval_ctx = get_eval_context(self, eval_ctx)
+- if eval_ctx.volatile:
++ if eval_ctx.volatile or eval_ctx.environment.sandboxed:
+ raise Impossible()
+ obj = self.node.as_const(eval_ctx)
+
+diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py
+index da479c1..7e31a7a 100644
+--- a/jinja2/sandbox.py
++++ b/jinja2/sandbox.py
+@@ -12,12 +12,19 @@
+ :copyright: (c) 2010 by the Jinja Team.
+ :license: BSD.
+ """
++import types
+ import operator
++from collections import Mapping
+ from jinja2.environment import Environment
+ from jinja2.exceptions import SecurityError
+ from jinja2._compat import string_types, function_type, method_type, \
+- traceback_type, code_type, frame_type, generator_type, PY2
++ traceback_type, code_type, frame_type, generator_type, text_type, PY2
++from jinja2.utils import Markup
+
++has_format = False
++if hasattr(text_type, 'format'):
++ from string import Formatter
++ has_format = True
+
+ #: maximum number of items a range may produce
+ MAX_RANGE = 100000
+@@ -32,6 +39,12 @@ UNSAFE_METHOD_ATTRIBUTES = set(['im_class', 'im_func', 'im_self'])
+ #: unsafe generator attirbutes.
+ UNSAFE_GENERATOR_ATTRIBUTES = set(['gi_frame', 'gi_code'])
+
++#: unsafe attributes on coroutines
++UNSAFE_COROUTINE_ATTRIBUTES = set(['cr_frame', 'cr_code'])
++
++#: unsafe attributes on async generators
++UNSAFE_ASYNC_GENERATOR_ATTRIBUTES = set(['ag_code', 'ag_frame'])
++
+ # On versions > python 2 the special attributes on functions are gone,
+ # but they remain on methods and generators for whatever reason.
+ if not PY2:
+@@ -92,6 +105,79 @@ _mutable_spec = (
+ ]))
+ )
+
++# Bundled EscapeFormatter class from markupsafe >= 0.21 which is used by
++# jinja2 for fixing CVE-2016-10745
++# Copyright 2010 Pallets
++# BSD 3-Clause License
++# https://github.com/pallets/markupsafe/blob/79ee6ce0ed93c6da73512f069d7db866d955df04/LICENSE.rst
++if hasattr(text_type, "format"):
++
++ class EscapeFormatter(Formatter):
++ def __init__(self, escape):
++ self.escape = escape
++
++ def format_field(self, value, format_spec):
++ if hasattr(value, "__html_format__"):
++ rv = value.__html_format__(format_spec)
++ elif hasattr(value, "__html__"):
++ if format_spec:
++ raise ValueError(
++ "Format specifier {0} given, but {1} does not"
++ " define __html_format__. A class that defines"
++ " __html__ must define __html_format__ to work"
++ " with format specifiers.".format(format_spec, type(value))
++ )
++ rv = value.__html__()
++ else:
++ # We need to make sure the format spec is unicode here as
++ # otherwise the wrong callback methods are invoked. For
++ # instance a byte string there would invoke __str__ and
++ # not __unicode__.
++ rv = Formatter.format_field(self, value, text_type(format_spec))
++ return text_type(self.escape(rv))
++
++class _MagicFormatMapping(Mapping):
++ """This class implements a dummy wrapper to fix a bug in the Python
++ standard library for string formatting.
++
++ See http://bugs.python.org/issue13598 for information about why
++ this is necessary.
++ """
++
++ def __init__(self, args, kwargs):
++ self._args = args
++ self._kwargs = kwargs
++ self._last_index = 0
++
++ def __getitem__(self, key):
++ if key == '':
++ idx = self._last_index
++ self._last_index += 1
++ try:
++ return self._args[idx]
++ except LookupError:
++ pass
++ key = str(idx)
++ return self._kwargs[key]
++
++ def __iter__(self):
++ return iter(self._kwargs)
++
++ def __len__(self):
++ return len(self._kwargs)
++
++
++def inspect_format_method(callable):
++ if not has_format:
++ return None
++ if not isinstance(callable, (types.MethodType,
++ types.BuiltinMethodType)) or \
++ callable.__name__ != 'format':
++ return None
++ obj = callable.__self__
++ if isinstance(obj, string_types):
++ return obj
++
+
+ def safe_range(*args):
+ """A range that can't generate ranges with a length of more than
+@@ -146,6 +232,12 @@ def is_internal_attribute(obj, attr):
+ elif isinstance(obj, generator_type):
+ if attr in UNSAFE_GENERATOR_ATTRIBUTES:
+ return True
++ elif hasattr(types, 'CoroutineType') and isinstance(obj, types.CoroutineType):
++ if attr in UNSAFE_COROUTINE_ATTRIBUTES:
++ return True
++ elif hasattr(types, 'AsyncGeneratorType') and isinstance(obj, types.AsyncGeneratorType):
++ if attri in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES:
++ return True
+ return attr.startswith('__')
+
+
+@@ -184,8 +276,8 @@ class SandboxedEnvironment(Environment):
+ attributes or functions are safe to access.
+
+ If the template tries to access insecure code a :exc:`SecurityError` is
+- raised. However also other exceptions may occour during the rendering so
+- the caller has to ensure that all exceptions are catched.
++ raised. However also other exceptions may occur during the rendering so
++ the caller has to ensure that all exceptions are caught.
+ """
+ sandboxed = True
+
+@@ -347,8 +439,24 @@ class SandboxedEnvironment(Environment):
+ obj.__class__.__name__
+ ), name=attribute, obj=obj, exc=SecurityError)
+
++ def format_string(self, s, args, kwargs):
++ """If a format call is detected, then this is routed through this
++ method so that our safety sandbox can be used for it.
++ """
++ if isinstance(s, Markup):
++ formatter = SandboxedEscapeFormatter(self, s.escape)
++ else:
++ formatter = SandboxedFormatter(self)
++ kwargs = _MagicFormatMapping(args, kwargs)
++ rv = formatter.vformat(s, args, kwargs)
++ return type(s)(rv)
++
+ def call(__self, __context, __obj, *args, **kwargs):
+ """Call an object from sandboxed code."""
++ fmt = inspect_format_method(__obj)
++ if fmt is not None:
++ return __self.format_string(fmt, args, kwargs)
++
+ # the double prefixes are to avoid double keyword argument
+ # errors when proxying the call.
+ if not __self.is_safe_callable(__obj):
+@@ -366,3 +474,37 @@ class ImmutableSandboxedEnvironment(SandboxedEnvironment):
+ if not SandboxedEnvironment.is_safe_attribute(self, obj, attr, value):
+ return False
+ return not modifies_known_mutable(obj, attr)
++
++
++if has_format:
++ # This really is not a public API apparenlty.
++ try:
++ from _string import formatter_field_name_split
++ except ImportError:
++ def formatter_field_name_split(field_name):
++ return field_name._formatter_field_name_split()
++
++ class SandboxedFormatterMixin(object):
++
++ def __init__(self, env):
++ self._env = env
++
++ def get_field(self, field_name, args, kwargs):
++ first, rest = formatter_field_name_split(field_name)
++ obj = self.get_value(first, args, kwargs)
++ for is_attr, i in rest:
++ if is_attr:
++ obj = self._env.getattr(obj, i)
++ else:
++ obj = self._env.getitem(obj, i)
++ return obj, first
++
++ class SandboxedFormatter(SandboxedFormatterMixin, Formatter):
++ def __init__(self, env):
++ SandboxedFormatterMixin.__init__(self, env)
++ Formatter.__init__(self)
++
++ class SandboxedEscapeFormatter(SandboxedFormatterMixin, EscapeFormatter):
++ def __init__(self, env, escape):
++ SandboxedFormatterMixin.__init__(self, env)
++ EscapeFormatter.__init__(self, escape)
diff --git a/SOURCES/python-jinja2-lambda-to-dict.patch b/SOURCES/python-jinja2-lambda-to-dict.patch
new file mode 100644
index 0000000..9d7723a
--- /dev/null
+++ b/SOURCES/python-jinja2-lambda-to-dict.patch
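Review bot: The async-generator branch added to `is_internal_attribute` (the `@@ -146,6 +232,12 @@` hunk of sandbox.py) tests `attri in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES`; `attri` is not a name in that function, so on an interpreter that provides `types.AsyncGeneratorType` reaching that branch raises NameError instead of performing the check, and the line should read `if attr in UNSAFE_ASYNC_GENERATOR_ATTRIBUTES:` as the coroutine branch just above it does. The remainder of `is_internal_attribute` lies outside the hunk. Separately, `from collections import Mapping` near the top of sandbox.py is the pre-3.3 location of that ABC; since the file also carries Python 3 code paths, a `try: from collections.abc import Mapping` / `except ImportError: from collections import Mapping` pair keeps it importable on newer interpreters. The comment `# This really is not a public API apparenlty.` in the last hunk misspells "apparently".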
@@ -0,0 +1,26 @@
+From 6179c02c91800d220de03006117afa5e6d60f0f6 Mon Sep 17 00:00:00 2001
+From: Peter Harris
+Date: Fri, 23 Jan 2015 10:12:10 +0000
+Subject: [PATCH] Replace lambda for 'dict' in with dict itself
+
+lambda **kw: kw is not equivalent to the dict constructor. It is much less useful.
+In particular it doesn't accept a sequence of pairs.
+Why not put dict itself into the DEFAULT_NAMESPACE?
+Principle of least surprise, etc.
+---
+ jinja2/defaults.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jinja2/defaults.py b/jinja2/defaults.py
+index a27cb80c..3717a722 100644
+--- a/jinja2/defaults.py
++++ b/jinja2/defaults.py
+@@ -32,7 +32,7 @@
+ from jinja2.tests import TESTS as DEFAULT_TESTS
+ DEFAULT_NAMESPACE = {
+ 'range': range_type,
+- 'dict': lambda **kw: kw,
++ 'dict': dict,
+ 'lipsum': generate_lorem_ipsum,
+ 'cycler': Cycler,
+ 'joiner': Joiner
diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec
new file mode 100644
index 0000000..6d12183
--- /dev/null
+++ b/SPECS/python-jinja2.spec
@@ -0,0 +1,305 @@
+%if 0%{?fedora} > 12
+%global with_python3 1
+%else
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%endif
+
+# Enable building without docs to avoid a circular dependency between this
+# and python-sphinx:
+%global with_docs 1
+
+Name: python-jinja2
+Version: 2.7.2
+Release: 4%{?dist}
+Summary: General purpose template engine
+Group: Development/Languages
+License: BSD
+URL: http://jinja.pocoo.org/
+Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
+
+Patch1: %{name}-align-jinjaext-with-compatibility-cleanups.patch
+
+# Patch for CVE-2014-0012, see https://bugzilla.redhat.com/show_bug.cgi?id=1051421
+# for discussion (not yet sent upstream)
+Patch2: python-jinja2-fix-CVE-2014-0012.patch
+
+# Replace lambda for 'dict' with dict itself to support all dict constructors
+# Backported from Jinja2 2.8
+# https://github.com/pallets/jinja/commit/6179c02c91800d220de03006117afa5e6d60f0f6
+# https://bugzilla.redhat.com/show_bug.cgi?id=1697237
+Patch3: python-jinja2-lambda-to-dict.patch
+
+# Fix CVE-2016-10745
+# Also bundling the EscapeFormatter class from markupsafe >= 0.21, as we don't ship
+# that version in RHEL7 and it's required for the CVE fix
+# https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
+# https://bugzilla.redhat.com/show_bug.cgi?id=1701309
+Patch4: python-jinja2-fix-CVE-2016-10745.patch
+
+BuildArch: noarch
+BuildRequires: python2-devel
+BuildRequires: python2-setuptools
+BuildRequires: python-markupsafe
+%if 0%{?with_docs}
+BuildRequires: python-sphinx
+%endif # with_docs
+Requires: python-babel >= 0.8
+Requires: python-markupsafe
+%if 0%{?with_python3}
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-markupsafe
+%endif # with_python3
+
+Provides: python2-jinja2 = %{version}-%{release}
+
+%description
+Jinja2 is a template engine written in pure Python. It provides a
+Django inspired non-XML syntax but supports inline expressions and an
+optional sandboxed environment.
+
+If you have any exposure to other text-based template languages, such
+as Smarty or Django, you should feel right at home with Jinja2. It's
+both designer and developer friendly by sticking to Python's
+principles and adding functionality useful for templating
+environments.
+
+
+%if 0%{?with_python3}
+%package -n python3-jinja2
+Summary: General purpose template engine
+Group: Development/Languages
+Requires: python3-markupsafe
+# babel isn't py3k ready yet, and is only a weak dependency
+#Requires: python3-babel >= 0.8
+
+
+%description -n python3-jinja2
+Jinja2 is a template engine written in pure Python. It provides a
+Django inspired non-XML syntax but supports inline expressions and an
+optional sandboxed environment.
+
+If you have any exposure to other text-based template languages, such
+as Smarty or Django, you should feel right at home with Jinja2. It's
+both designer and developer friendly by sticking to Python's
+principles and adding functionality useful for templating
+environments.
+%endif # with_python3
+
+
+%prep
+%setup -q -n Jinja2-%{version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+
+# cleanup
+find . -name '*.pyo' -o -name '*.pyc' -delete
+
+# fix EOL
+sed -i 's|\r$||g' LICENSE
+
+%if 0%{?with_python3}
+cp -a . %{py3dir}
+%endif # with_python3
+
+
+%build
+%py2_build
+
+# for now, we build docs using Python 2.x and use that for both
+# packages.
+%if 0%{?with_docs}
+make -C docs html PYTHONPATH=$(pwd)
+%endif # with_docs
+
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py build
+popd
+%endif # with_python3
+
+
+%install
+%py2_install
+
+# remove hidden file
+rm -rf docs/_build/html/.buildinfo
+
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py install -O1 --skip-build \
+ --root %{buildroot}
+popd
+%endif # with_python3
+
+
+%check
+make test
+
+
+%if 0%{?with_python3}
+pushd %{py3dir}
+make test
+popd
+%endif # with_python3
+
+
+%files
+%doc AUTHORS CHANGES
+%license LICENSE
+%if 0%{?with_docs}
+%doc docs/_build/html
+%endif # with_docs
+%doc ext
+%doc examples
+%{python2_sitelib}/*
+%exclude %{python2_sitelib}/jinja2/_debugsupport.c
+
+
+%if 0%{?with_python3}
+%files -n python3-jinja2
+%doc AUTHORS CHANGES LICENSE
+%if 0%{?with_docs}
+%doc docs/_build/html
+%endif # with_docs
+%doc ext
+%doc examples
+%{python3_sitelib}/*
+%exclude %{python3_sitelib}/jinja2/_debugsupport.c
+%endif # with_python3
+
+
+%changelog
+* Thu May 02 2019 Charalampos Stratakis - 2.7.2-4
+- Fix for CVE-2016-10745
+Resolves: rhbz#1701309
+
+* Wed Apr 10 2019 Miro Hrončok - 2.7.2-3
+- Replace lambda for 'dict' with dict itself to support all dict constructors
+Resolves: rhbz#1697237
+
+* Tue Jan 28 2014 Bohuslav Kabrda - 2.7.2-2
+- Fix CVE-2014-0012.
+Resolves: rhbz#1051427
+
+* Wed Jan 15 2014 Bohuslav Kabrda - 2.7.2-1
+- Reverted flawed patch for #1051427 (this reintroduces #1052102).
+- Spec cleanup (removed rhel < 7 specific stuff).
+- Update to 2.7.2.
+Resolves: rhbz#1052777
+
+* Tue Jan 14 2014 Tomas Radej - 2.6-8
+- Using secure tmp dir
+- Replaced tabs with spaces
+Resolves: rhbz#1051427
+
+* Fri Dec 27 2013 Daniel Mach - 2.6-7
+- Mass rebuild 2013-12-27
+
+* Thu Feb 14 2013 Fedora Release Engineering - 2.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Aug 04 2012 David Malcolm - 2.6-5
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Fri Aug 3 2012 David Malcolm - 2.6-4
+- remove rhel logic from with_python3 conditional
+
+* Sat Jul 21 2012 Fedora Release Engineering - 2.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering - 2.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Jul 25 2011 Thomas Moschny - 2.6-1
+- Update to 2.6.
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.5.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 18 2011 Thomas Moschny - 2.5.5-3
+- Re-enable html doc generation.
+- Remove conditional for F-12 and below.
+- Do not silently fail the testsuite for with py3k.
+
+* Mon Nov 1 2010 Michel Salim - 2.5.5-2
+- Move python3 runtime requirements to python3 subpackage
+
+* Wed Oct 27 2010 Thomas Moschny - 2.5.5-1
+- Update to 2.5.5.
+
+* Wed Aug 25 2010 Thomas Moschny - 2.5.2-4
+- Revert to previous behavior: fail the build on failed test.
+- Rebuild for Python 3.2.
+
+* Wed Aug 25 2010 Dan Horák - 2.5.2-3
+- %%ifnarch doesn't work on noarch package so don't fail the build on failed tests
+
+* Wed Aug 25 2010 Dan Horák - 2.5.2-2
+- disable the testsuite on s390(x)
+
+* Thu Aug 19 2010 Thomas Moschny - 2.5.2-1
+- Update to upstream version 2.5.2.
+- Package depends on python-markupsafe and is noarch now.
+
+* Thu Jul 22 2010 David Malcolm - 2.5-4
+- add explicit build-requirement on python-setuptools
+- fix doc disablement for python3 subpackage
+
+* Thu Jul 22 2010 David Malcolm - 2.5-3
+- support disabling documentation in the build to break a circular build-time
+dependency with python-sphinx; disable docs for now
+
+* Thu Jul 22 2010 David Malcolm - 2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 13 2010 Thomas Moschny - 2.5-1
+- Update to upstream version 2.5.
+- Create python3 subpackage.
+- Minor specfile fixes.
+- Add examples directory.
+- Thanks to Gareth Armstrong for additional hints.
+
+* Wed Apr 21 2010 Thomas Moschny - 2.4.1-1
+- Update to 2.4.1.
+
+* Tue Apr 13 2010 Thomas Moschny - 2.4-1
+- Update to 2.4.
+
+* Tue Feb 23 2010 Thomas Moschny - 2.3.1-1
+- Update to 2.3.1.
+- Docs are built using Sphinx now.
+- Run the testsuite.
+
+* Sat Sep 19 2009 Thomas Moschny - 2.2.1-1
+- Update to 2.2.1, mainly a bugfix release.
+- Remove patch no longer needed.
+- Remove conditional for FC-8.
+- Compilation of speedup module has to be explicitly requested now.
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Feb 26 2009 Fedora Release Engineering - 2.1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Jan 10 2009 Thomas Moschny - 2.1.1-1
+- Update to 2.1.1 (bugfix release).
+
+* Thu Dec 18 2008 Thomas Moschny - 2.1-1
+- Update to 2.1, which fixes a number of bugs.
+ See http://jinja.pocoo.org/2/documentation/changelog#version-2-1.
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0-3
+- Rebuild for Python 2.6
+
+* Tue Jul 22 2008 Thomas Moschny - 2.0-2
+- Use rpm buildroot macro instead of RPM_BUILD_ROOT.
+
+* Sun Jul 20 2008 Thomas Moschny - 2.0-1
+- Upstream released 2.0.
+
+* Sun Jun 29 2008 Thomas Moschny - 2.0-0.1.rc1
+- Modified specfile from the existing python-jinja package.
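Review bot: The bug reference for the CVE-2014-0012 fix disagrees between the `Patch2` comment (`show_bug.cgi?id=1051421`) and the `2.7.2-2` changelog entry (`Resolves: rhbz#1051427`, the id the 2.6-8 and 2.7.2-1 entries also use); one of the two is presumably a typo and both should point at the same report. `Patch1` is written as `%{name}-align-jinjaext-with-compatibility-cleanups.patch` while `Patch2` through `Patch4` spell `python-jinja2-` out; the four lines should use one form. The python3 `%files` section lists `LICENSE` under `%doc AUTHORS CHANGES LICENSE` where the python2 section already has a separate `%license LICENSE`; using `%license LICENSE` in both keeps the two file lists consistent.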