Opened 2 years ago
Closed 2 years ago
#5485 closed enhancement (fixed)
Jinja-3.1.4 (Python module)
| Reported by: | Bruce Dubbs | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | high | Milestone: | 12.2 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (5)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
| Priority: | normal → high |
|---|
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj (CVE-2024-34064)
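The mitigation the advisory describes (never take attribute keys from user input; if keys must come from elsewhere, validate them separately before they reach xmlattr), as an added example that is not part of this ticket or of Jinja's code base. The key pattern, the allowlist helper and the minimal stand-in serialiser are assumptions written for this example; the sample mapping is constructed.

```python
import re
from html import escape

# Characters the advisory says an attribute key must not contain: whitespace,
# "/" (solidus), ">" (greater-than) and "=" (equals).  Pattern written for this
# example; it is not Jinja's own code.
_BAD_KEY_CHAR = re.compile(r"[\s/>=]")


def is_valid_attr_key(key) -> bool:
    """True only for a non-empty str containing none of the forbidden characters."""
    return isinstance(key, str) and bool(key) and _BAD_KEY_CHAR.search(key) is None


def validate_attr_keys(attrs: dict) -> dict:
    """Reject the whole mapping before it reaches the filter if any key is unsafe."""
    for key in attrs:
        if not is_valid_attr_key(key):
            raise ValueError(f"invalid attribute name: {key!r}")
    return attrs


def restrict_to_allowed(user_attrs: dict, allowed: set) -> dict:
    """Preferred approach: keys come from a fixed allowlist, only values from users."""
    return {k: v for k, v in user_attrs.items() if k in allowed}


def unsafe_xmlattr(attrs: dict) -> str:
    """Illustration (not Jinja's code) of a serialiser that escapes values but
    emits keys verbatim: the value position is safe, the name position is not."""
    return "".join(
        f' {key}="{escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


def safe_xmlattr(attrs: dict) -> str:
    """Hardened stand-in: validate the keys first, then serialise as above."""
    return unsafe_xmlattr(validate_attr_keys(attrs))


if __name__ == "__main__":
    # Constructed sample: a user-controlled mapping narrowed to allowlisted keys.
    user_supplied = {"class": "btn", "title": 'a "b" <c>', "a=b": "x"}
    print(safe_xmlattr(restrict_to_allowed(user_supplied, {"class", "title"})))
    for bad_key in ("a b", "a/b", "a>b", "a=b"):
        print(bad_key, "->", is_valid_attr_key(bad_key))
```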
comment:3 by , 2 years ago (follow-up: 4)
The tarball is not available with a sane url at pypi. We need to use github:
https://github.com/pallets/jinja/releases/download/3.1.4/jinja2-3.1.4.tar.gz
Released 2024-05-05
The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first.
comment:4 by , 2 years ago
Replying to Bruce Dubbs:
> The tarball is not available with a sane url at pypi. We need to use github:
https://pypi.org/packages/source/J/Jinja2/jinja2-3.1.4.tar.gz
Note a lowercase j.

It looks like the tarball is named jinja2-3.1.4.tar.gz (lowercase j).