backport-CVE-2024-22195.patch

@@ -1,82 +0,0 @@
-From f560975d61cfe4de1111c05cfd6b8c2210845148 Mon Sep 17 00:00:00 2001
-From: Calum Hutton <calum.hutton@snyk.io>
-Date: Thu, 26 Oct 2023 12:08:53 +0100
-Subject: [PATCH] xmlattr filter disallows keys with spaces
-
-Reference:https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
-Conflict:remove CHANGES.rst
----
- Jinja2-3.0.3/src/jinja2/filters.py | 24 ++++++++++++++++++------
- Jinja2-3.0.3/tests/test_filters.py |  6 ++++++
- 2 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/Jinja2-3.0.3/src/jinja2/filters.py b/Jinja2-3.0.3/src/jinja2/filters.py
-index ffb98bf..002e129 100644
---- a/Jinja2-3.0.3/src/jinja2/filters.py
-+++ b/Jinja2-3.0.3/src/jinja2/filters.py
-@@ -270,6 +270,7 @@ def do_lower(s: str) -> str:
-     """Convert a value to lowercase."""
-     return soft_str(s).lower()
- 
-+_space_re = re.compile(r"\s", flags=re.ASCII)
- 
- @pass_eval_context
- def do_xmlattr(
-@@ -278,7 +279,8 @@ def do_xmlattr(
-     """Create an SGML/XML attribute string based on the items in a dict.
-     All values that are neither `none` nor `undefined` are automatically
-     escaped:
--
-+    If any key contains a space, this fails with a ``ValueError``. Values that
-+    are neither ``none`` nor ``undefined`` are automatically escaped.
-     .. sourcecode:: html+jinja
- 
-         <ul{{ {'class': 'my_list', 'missing': none,
-@@ -296,12 +298,22 @@ def do_xmlattr(
- 
-     As you can see it automatically prepends a space in front of the item
-     if the filter returned something unless the second parameter is false.
-+
-+    .. versionchanged:: 3.1.3
-+        Keys with spaces are not allowed.
-     """
--    rv = " ".join(
--        f'{escape(key)}="{escape(value)}"'
--        for key, value in d.items()
--        if value is not None and not isinstance(value, Undefined)
--    )
-+    items = []
-+
-+    for key, value in d.items():
-+        if value is None or isinstance(value, Undefined):
-+            continue
-+
-+        if _space_re.search(key) is not None:
-+            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
-+
-+        items.append(f'{escape(key)}="{escape(value)}"')
-+
-+    rv = " ".join(items)
- 
-     if autospace and rv:
-         rv = " " + rv
-diff --git a/Jinja2-3.0.3/tests/test_filters.py b/Jinja2-3.0.3/tests/test_filters.py
-index 2195157..45843fd 100644
---- a/Jinja2-3.0.3/tests/test_filters.py
-+++ b/Jinja2-3.0.3/tests/test_filters.py
-@@ -463,6 +463,12 @@ class TestFilter:
-         assert 'bar="23"' in out
-         assert 'blub:blub="&lt;?&gt;"' in out
- 
-+    def test_xmlattr_key_with_spaces(self, env):
-+        with pytest.raises(ValueError, match="Spaces are not allowed"):
-+            env.from_string(
-+                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
-+            ).render()
-+
-     def test_sort1(self, env):
-         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
-         assert tmpl.render() == "[1, 2, 3]|[3, 2, 1]"
--- 
-2.33.0
-

backport-CVE-2024-34064.patch

@@ -1,109 +0,0 @@
-From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001
-From: David Lord <davidism@gmail.com>
-Date: Thu, 2 May 2024 09:14:00 -0700
-Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
-
-Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
-Conflict:NA
-
----
- Jinja2-3.0.3/CHANGES.rst           |  6 ++++++
- Jinja2-3.0.3/src/jinja2/filters.py | 22 +++++++++++++++++-----
- Jinja2-3.0.3/tests/test_filters.py | 11 ++++++-----
- 3 files changed, 29 insertions(+), 10 deletions(-)
-
-diff --git a/Jinja2-3.0.3/CHANGES.rst b/Jinja2-3.0.3/CHANGES.rst
-index 9c58019..a62255b 100644
---- a/Jinja2-3.0.3/CHANGES.rst
-+++ b/Jinja2-3.0.3/CHANGES.rst
-@@ -1,5 +1,11 @@
- .. currentmodule:: jinja2
- 
-+-   The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
-+    greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
-+    Regardless of any validation done by Jinja, user input should never be used
-+    as keys to this filter, or must be separately validated first.
-+    GHSA-h75v-3vvj-5mfj
-+
- Version 3.0.3
- -------------
- 
-diff --git a/Jinja2-3.0.3/src/jinja2/filters.py b/Jinja2-3.0.3/src/jinja2/filters.py
-index 002e129..f3d4fca 100644
---- a/Jinja2-3.0.3/src/jinja2/filters.py
-+++ b/Jinja2-3.0.3/src/jinja2/filters.py
-@@ -270,7 +270,9 @@ def do_lower(s: str) -> str:
-     """Convert a value to lowercase."""
-     return soft_str(s).lower()
- 
--_space_re = re.compile(r"\s", flags=re.ASCII)
-+# Check for characters that would move the parser state from key to value.
-+# https://html.spec.whatwg.org/#attribute-name-state
-+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
- 
- @pass_eval_context
- def do_xmlattr(
-@@ -279,8 +281,14 @@ def do_xmlattr(
-     """Create an SGML/XML attribute string based on the items in a dict.
-     All values that are neither `none` nor `undefined` are automatically
-     escaped:
--    If any key contains a space, this fails with a ``ValueError``. Values that
--    are neither ``none`` nor ``undefined`` are automatically escaped.
-+    **Values** that are neither ``none`` nor ``undefined`` are automatically
-+    escaped, safely allowing untrusted user input.
-+
-+    User input should not be used as **keys** to this filter. If any key
-+    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
-+    sign, this fails with a ``ValueError``. Regardless of this, user input
-+    should never be used as keys to this filter, or must be separately validated
-+    first.
-     .. sourcecode:: html+jinja
- 
-         <ul{{ {'class': 'my_list', 'missing': none,
-@@ -299,6 +307,10 @@ def do_xmlattr(
-     As you can see it automatically prepends a space in front of the item
-     if the filter returned something unless the second parameter is false.
- 
-+    .. versionchanged:: 3.1.4
-+        Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
-+        are not allowed.
-+
-     .. versionchanged:: 3.1.3
-         Keys with spaces are not allowed.
-     """
-@@ -308,8 +320,8 @@ def do_xmlattr(
-         if value is None or isinstance(value, Undefined):
-             continue
- 
--        if _space_re.search(key) is not None:
--            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
-+        if _attr_key_re.search(key) is not None:
-+            raise ValueError(f"Invalid character in attribute name: {key!r}")
- 
-         items.append(f'{escape(key)}="{escape(value)}"')
- 
-diff --git a/Jinja2-3.0.3/tests/test_filters.py b/Jinja2-3.0.3/tests/test_filters.py
-index 45843fd..6533370 100644
---- a/Jinja2-3.0.3/tests/test_filters.py
-+++ b/Jinja2-3.0.3/tests/test_filters.py
-@@ -463,11 +463,12 @@ class TestFilter:
-         assert 'bar="23"' in out
-         assert 'blub:blub="&lt;?&gt;"' in out
- 
--    def test_xmlattr_key_with_spaces(self, env):
--        with pytest.raises(ValueError, match="Spaces are not allowed"):
--            env.from_string(
--                "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}"
--            ).render()
-+    @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
-+    def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
-+        with pytest.raises(ValueError, match="Invalid character"):
-+            env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
-+                key=f"class{sep}onclick=alert(1)"
-+            )
- 
-     def test_sort1(self, env):
-         tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}")
--- 
-2.33.0
-

python-jinja2.spec

@@ -1,16 +1,13 @@
 %global _name Jinja2
 
 Name:           python-jinja2
-Version:        3.0.3
-Release:        4
+Version:        2.11.3
+Release:        1
 Summary:        A full-featured template engine for Python
 License:        BSD
 URL:            http://jinja.pocoo.org/
 Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
 
-Patch6000:      backport-CVE-2024-22195.patch
-Patch6001:      backport-CVE-2024-34064.patch
-
 BuildArch:      noarch
 
 %description
@@ -50,11 +47,6 @@ pushd python3
 %py3_install
 popd
 
-%check
-pushd python3
-PYTHONPATH=$(pwd)/src %{__python3} -m pytest tests
-popd
-
 %files -n python3-jinja2
 %license Jinja2-%{version}/LICENSE.rst
 %{python3_sitelib}/jinja2
@@ -62,27 +54,9 @@ popd
 
 %files help
 %doc Jinja2-%{version}/CHANGES.rst Jinja2-%{version}/PKG-INFO
-%doc Jinja2-%{version}/examples
+%doc Jinja2-%{version}/ext Jinja2-%{version}/examples
 
 %changelog
-* Fri May 10 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-4
-- Type:CVE
-- CVE:CVE-2024-34064
-- SUG:NA
-- DESC:fix CVE-2024-34064
-
-* Mon Jan 22 2024 weihaohao <weihaohao2@huawei.com> - 3.0.3-3
-- Type:CVE
-- CVE:CVE-2024-22195
-- SUG:NA
-- DESC:fix CVE-2024-22195
-
-* Thu Jun 30 2022 wangjiang <wangjiang37@h-partners.com> - 3.0.3-2
-- enable check test suite
-
-* Sun Dec 25 2021 tianwei <tianwei12@huawei.com> - 3.0.3
-- Upgrade version to 3.0.3
-
 * Mon Jul 12 2021 huangtianhua <huangtianhua@huawei.com> - 2.11.3
 - Upgrade to 2.11.3 to support OpenStack-W