|
| 1 | +From fd536e6a9b6653b3a0989732b1c827b14b6de60b Mon Sep 17 00:00:00 2001 |
| 2 | +From: Kevin Lockwood <v-klockwood@microsoft.com> |
| 3 | +Date: Thu, 6 Feb 2025 17:00:17 -0800 |
| 4 | +Subject: [PATCH] Patch nodejs for CVE-2024-34064 |
| 5 | + |
| 6 | +Link: https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb.patch |
| 7 | +--- |
| 8 | + deps/v8/third_party/jinja2/filters.py | 24 +++++++++++++++++++----- |
| 9 | + 1 file changed, 19 insertions(+), 5 deletions(-) |
| 10 | + |
| 11 | +diff --git a/deps/v8/third_party/jinja2/filters.py b/deps/v8/third_party/jinja2/filters.py |
| 12 | +index 46347251..1daf42bc 100644 |
| 13 | +--- a/deps/v8/third_party/jinja2/filters.py |
| 14 | ++++ b/deps/v8/third_party/jinja2/filters.py |
| 15 | +@@ -204,15 +204,23 @@ def do_lower(s): |
| 16 | + """Convert a value to lowercase.""" |
| 17 | + return soft_unicode(s).lower() |
| 18 | + |
| 19 | +-_space_re = re.compile(r"\s", flags=re.ASCII) |
| 20 | ++# Check for characters that would move the parser state from key to value. |
| 21 | ++# https://html.spec.whatwg.org/#attribute-name-state |
| 22 | ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) |
| 23 | + |
| 24 | + |
| 25 | + @evalcontextfilter |
| 26 | + def do_xmlattr(_eval_ctx, d, autospace=True): |
| 27 | + """Create an SGML/XML attribute string based on the items in a dict. |
| 28 | + |
| 29 | +- If any key contains a space, this fails with a ``ValueError``. Values that |
| 30 | +- are neither ``none`` nor ``undefined`` are automatically escaped. |
| 31 | ++ **Values** that are neither ``none`` nor ``undefined`` are automatically |
| 32 | ++ escaped, safely allowing untrusted user input. |
| 33 | ++ |
| 34 | ++ User input should not be used as **keys** to this filter. If any key |
| 35 | ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals |
| 36 | ++ sign, this fails with a ``ValueError``. Regardless of this, user input |
| 37 | ++ should never be used as keys to this filter, or must be separately validated |
| 38 | ++ first. |
| 39 | + |
| 40 | + .. sourcecode:: html+jinja |
| 41 | + |
| 42 | +@@ -232,6 +240,10 @@ def do_xmlattr(_eval_ctx, d, autospace=True): |
| 43 | + As you can see it automatically prepends a space in front of the item |
| 44 | + if the filter returned something unless the second parameter is false. |
| 45 | + |
| 46 | ++ .. versionchanged:: 3.1.4 |
| 47 | ++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign |
| 48 | ++ are not allowed. |
| 49 | ++ |
| 50 | + .. versionchanged:: 3.1.3 |
| 51 | + Keys with spaces are not allowed. |
| 52 | + """ |
| 53 | +@@ -239,8 +251,10 @@ def do_xmlattr(_eval_ctx, d, autospace=True): |
| 54 | + for key, value in d.items(): |
| 55 | + if value is None or isinstance(value, Undefined): |
| 56 | + continue |
| 57 | +- if _space_re.search(key) is not None: |
| 58 | +- raise ValueError(f"Spaces are not allowed in attributes: '{key}'") |
| 59 | ++ |
| 60 | ++ if _attr_key_re.search(key) is not None: |
| 61 | ++ raise ValueError(f"Invalid character in attribute name: {key!r}") |
| 62 | ++ |
| 63 | + items.append(f'{escape(key)}="{escape(value)}"') |
| 64 | + rv = " ".join(items) |
| 65 | + |
| 66 | +-- |
| 67 | +2.34.1 |
| 68 | + |
0 commit comments