Opened 8 months ago

Closed 7 months ago

#5485 closed enhancement (fixed)

Jinja-3.1.4 (Python module)

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 12.2
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Xi Ruoyao, 8 months ago

It looks like the tarball is named jinja2-3.1.4.tar.gz (lowercase j).

comment:2 by Xi Ruoyao, 8 months ago

Priority: normalhigh

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj (CVE-2024-34064)

comment:3 by Bruce Dubbs, 7 months ago

The tarball is not available with a sane url at pypi. We need to use github:

https://github.com/pallets/jinja/releases/download/3.1.4/jinja2-3.1.4.tar.gz

Released 2024-05-05

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first.

in reply to:  3 comment:4 by Xi Ruoyao, 7 months ago

Replying to Bruce Dubbs:

The tarball is not available with a sane url at pypi. We need to use github:

https://pypi.org/packages/source/J/Jinja2/jinja2-3.1.4.tar.gz

Note a lowercase j.

comment:5 by Bruce Dubbs, 7 months ago

Resolution: fixed
Status: newclosed

Fixed at commit 340e17adc6.

Note: See TracTickets for help on using tickets.