|
 |
02ff0a |
From 4ed366f2ac66abced51ce98eff8a0d57f23cdfe2 Mon Sep 17 00:00:00 2001
|
|
|
02ff0a |
From: Tomas Orsava <torsava@redhat.com>
|
|
|
02ff0a |
Date: Tue, 14 May 2019 18:48:39 -0400
|
|
|
02ff0a |
Subject: [PATCH] Fix for CVE-2019-10906 python-jinja2: str.format_map allows
|
|
|
02ff0a |
sandbox escape
|
|
|
02ff0a |
|
|
|
02ff0a |
More information: https://palletsprojects.com/blog/jinja-2-10-1-released/
|
|
|
02ff0a |
Upstream commit: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
|
|
|
02ff0a |
---
|
|
|
02ff0a |
jinja2/sandbox.py | 17 ++++++++++++++---
|
|
|
02ff0a |
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
|
02ff0a |
|
|
|
02ff0a |
diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py
|
|
|
02ff0a |
index 32e2435..8d822cb 100644
|
|
|
02ff0a |
--- a/jinja2/sandbox.py
|
|
|
02ff0a |
+++ b/jinja2/sandbox.py
|
|
|
02ff0a |
@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
|
|
|
02ff0a |
def inspect_format_method(callable):
|
|
|
02ff0a |
if not isinstance(callable, (types.MethodType,
|
|
|
02ff0a |
types.BuiltinMethodType)) or \
|
|
|
02ff0a |
- callable.__name__ != 'format':
|
|
|
02ff0a |
+ callable.__name__ not in ('format', 'format_map'):
|
|
|
02ff0a |
return None
|
|
|
02ff0a |
obj = callable.__self__
|
|
|
02ff0a |
if isinstance(obj, string_types):
|
|
|
02ff0a |
@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
|
|
|
02ff0a |
obj.__class__.__name__
|
|
|
02ff0a |
), name=attribute, obj=obj, exc=SecurityError)
|
|
|
02ff0a |
|
|
|
02ff0a |
- def format_string(self, s, args, kwargs):
|
|
|
02ff0a |
+ def format_string(self, s, args, kwargs, format_func=None):
|
|
|
02ff0a |
"""If a format call is detected, then this is routed through this
|
|
|
02ff0a |
method so that our safety sandbox can be used for it.
|
|
|
02ff0a |
"""
|
|
|
02ff0a |
@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
|
|
|
02ff0a |
formatter = SandboxedEscapeFormatter(self, s.escape)
|
|
|
02ff0a |
else:
|
|
|
02ff0a |
formatter = SandboxedFormatter(self)
|
|
|
02ff0a |
+
|
|
|
02ff0a |
+ if format_func is not None and format_func.__name__ == 'format_map':
|
|
|
02ff0a |
+ if len(args) != 1 or kwargs:
|
|
|
02ff0a |
+ raise TypeError(
|
|
|
02ff0a |
+ 'format_map() takes exactly one argument %d given'
|
|
|
02ff0a |
+ % (len(args) + (kwargs is not None))
|
|
|
02ff0a |
+ )
|
|
|
02ff0a |
+
|
|
|
02ff0a |
+ kwargs = args[0]
|
|
|
02ff0a |
+ args = None
|
|
|
02ff0a |
+
|
|
|
02ff0a |
kwargs = _MagicFormatMapping(args, kwargs)
|
|
|
02ff0a |
rv = formatter.vformat(s, args, kwargs)
|
|
|
02ff0a |
return type(s)(rv)
|
|
|
02ff0a |
@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
|
|
|
02ff0a |
"""Call an object from sandboxed code."""
|
|
|
02ff0a |
fmt = inspect_format_method(__obj)
|
|
|
02ff0a |
if fmt is not None:
|
|
|
02ff0a |
- return __self.format_string(fmt, args, kwargs)
|
|
|
02ff0a |
+ return __self.format_string(fmt, args, kwargs, __obj)
|
|
|
02ff0a |
|
|
|
02ff0a |
# the double prefixes are to avoid double keyword argument
|
|
|
02ff0a |
# errors when proxying the call.
|
|
|
02ff0a |
--
|
|
|
02ff0a |
2.20.1
|
|
|
02ff0a |
|