Opened 13 days ago
Closed 8 days ago
#5485 closed enhancement (fixed)
Jinja-3.1.4 (Python module)
Reported by: | Bruce Dubbs | Owned by: | lfs-book |
---|---|---|---|
Priority: | high | Milestone: | 12.2 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
New point version.
Change History (5)
comment:1 by , 13 days ago
comment:2 by , 13 days ago
Priority: normal → high
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj (CVE-2024-34064)
follow-up: 4 comment:3 by , 8 days ago
The tarball is not available with a sane url at pypi. We need to use github:
https://github.com/pallets/jinja/releases/download/3.1.4/jinja2-3.1.4.tar.gz
Released 2024-05-05
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first.
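The key restriction quoted in comments 2 and 3, as an added example (not code from the Jinja project or this ticket): a pre-check that rejects the listed characters before a mapping reaches the filter, with a pure-Python stand-in that shows xmlattr's output shape. `is_safe_attr_key`, `validate_attr_keys`, `render_attrs`, `render_with_jinja` and the `ATTR_KEY_RE` whitelist are this example's own names and assumptions; the real `xmlattr` filter is only touched in `render_with_jinja`, which needs Jinja2 installed.

```python
import re
from html import escape

# Characters the ticket's note lists as rejected in xmlattr keys
# (space, solidus, greater-than sign, equals sign) plus other whitespace.
FORBIDDEN_IN_KEY = set(" \t\n\r/>=")
# Conservative whitelist for attribute names (assumption, stricter than
# Jinja's own check): letters, digits, '_', ':', '.', '-', not starting
# with a digit, '.' or '-'.
ATTR_KEY_RE = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.-]*")


def is_safe_attr_key(key) -> bool:
    """True if `key` may be used as an attribute name with xmlattr."""
    if not isinstance(key, str) or not key:
        return False
    if any(ch in FORBIDDEN_IN_KEY for ch in key):
        return False
    return ATTR_KEY_RE.fullmatch(key) is not None


def validate_attr_keys(attrs: dict) -> dict:
    """Raise ValueError if any key is unsafe; return the mapping unchanged."""
    bad = [k for k in attrs if not is_safe_attr_key(k)]
    if bad:
        raise ValueError(f"unsafe attribute key(s): {bad!r}")
    return attrs


def render_attrs(attrs: dict) -> str:
    """Pure-Python stand-in with xmlattr's output shape: ' k="v" k2="v2"'.

    Keys are validated, values HTML-escaped, None values skipped.
    """
    validate_attr_keys(attrs)
    return "".join(
        f' {k}="{escape(str(v), quote=True)}"'
        for k, v in attrs.items()
        if v is not None
    )


def render_with_jinja(attrs: dict) -> str:
    """Same check in front of the real filter (needs Jinja2 installed)."""
    from jinja2 import Environment
    env = Environment(autoescape=True)
    tmpl = env.from_string("<div{{ attrs|xmlattr }}></div>")
    return tmpl.render(attrs=validate_attr_keys(attrs))
```

Keys still come from the template author, not from request data; the check is a backstop for the case the note warns about, not a licence to pass user input through.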
comment:4 by , 8 days ago
Replying to Bruce Dubbs:
The tarball is not available with a sane url at pypi. We need to use github:
https://pypi.org/packages/source/J/Jinja2/jinja2-3.1.4.tar.gz
Note a lowercase j.
It looks like the tarball is named jinja2-3.1.4.tar.gz (lowercase j).