Opened 8 months ago
Closed 7 months ago
#5485 closed enhancement (fixed)
Jinja-3.1.4 (Python module)
Reported by: | Bruce Dubbs | Owned by: | lfs-book |
---|---|---|---|
Priority: | high | Milestone: | 12.2 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (5)
comment:1 by , 8 months ago
comment:2 by , 8 months ago
Priority: | normal → high |
---|
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj (CVE-2024-34064)
follow-up: 4 comment:3 by , 7 months ago
The tarball is not available with a sane url at pypi. We need to use github:
https://github.com/pallets/jinja/releases/download/3.1.4/jinja2-3.1.4.tar.gz
Released 2024-05-05
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first.
comment:4 by , 7 months ago
Replying to Bruce Dubbs:
The tarball is not available with a sane url at pypi. We need to use github:
https://pypi.org/packages/source/J/Jinja2/jinja2-3.1.4.tar.gz
Note a lowercase j.
It looks like the tarball is named jinja2-3.1.4.tar.gz (lowercase j).