File 0001-sandbox-str.format_map.patch of Package python-Jinja2
From a2a6c930bcca591a25d2b316fcfd2d6793897b26 Mon Sep 17 00:00:00 2001
From: Armin Ronacher <armin.ronacher@active-4.com>
Date: Sat, 6 Apr 2019 10:50:47 -0700
Subject: [PATCH] sandbox str.format_map
---
jinja2/sandbox.py | 17 ++++++++++++++---
jinja2/tests.py | 17 +++++++++++++++++
2 files changed, 31 insertions(+), 3 deletions(-)
Index: Jinja2-2.9.6/jinja2/sandbox.py
===================================================================
--- Jinja2-2.9.6.orig/jinja2/sandbox.py
+++ Jinja2-2.9.6/jinja2/sandbox.py
@@ -193,7 +193,7 @@ def inspect_format_method(callable):
return None
if not isinstance(callable, (types.MethodType,
types.BuiltinMethodType)) or \
- callable.__name__ != 'format':
+ callable.__name__ not in ('format', 'format_map'):
return None
obj = callable.__self__
if isinstance(obj, string_types):
@@ -464,7 +464,7 @@ class SandboxedEnvironment(Environment):
obj.__class__.__name__
), name=attribute, obj=obj, exc=SecurityError)
- def format_string(self, s, args, kwargs):
+ def format_string(self, s, args, kwargs, format_func=None):
"""If a format call is detected, then this is routed through this
method so that our safety sandbox can be used for it.
"""
@@ -472,6 +472,17 @@ class SandboxedEnvironment(Environment):
formatter = SandboxedEscapeFormatter(self, s.escape)
else:
formatter = SandboxedFormatter(self)
+
+ if format_func is not None and format_func.__name__ == 'format_map':
+ if len(args) != 1 or kwargs:
+ raise TypeError(
+ 'format_map() takes exactly one argument %d given'
+ % (len(args) + (kwargs is not None))
+ )
+
+ kwargs = args[0]
+ args = None
+
kwargs = _MagicFormatMapping(args, kwargs)
rv = formatter.vformat(s, args, kwargs)
return type(s)(rv)
@@ -480,7 +491,7 @@ class SandboxedEnvironment(Environment):
"""Call an object from sandboxed code."""
fmt = inspect_format_method(__obj)
if fmt is not None:
- return __self.format_string(fmt, args, kwargs)
+ return __self.format_string(fmt, args, kwargs, __obj)
# the double prefixes are to avoid double keyword argument
# errors when proxying the call.
Index: Jinja2-2.9.6/jinja2/tests.py
===================================================================
--- Jinja2-2.9.6.orig/jinja2/tests.py
+++ Jinja2-2.9.6/jinja2/tests.py
@@ -151,6 +151,20 @@ def test_escaped(value):
"""Check if the value is escaped."""
return hasattr(value, '__html__')
+def test_basic_format_safety(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.__class__}b".format_map({"x":42}) }}')
+ assert t.render() == 'ab'
+
+def test_basic_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ "a{x.foo}b".format_map({"x":{"foo": 42}}) }}')
+ assert t.render() == 'a42b'
+
+def test_safe_format_all_okay(self):
+ env = SandboxedEnvironment()
+ t = env.from_string('{{ ("a{x.foo}b{y}"|safe).format_map({"x":{"foo": 42}, "y":"<foo>"}) }}')
+ assert t.render() == 'a42b<foo>'
def test_greaterthan(value, other):
"""Check if value is greater than other."""
@@ -181,5 +195,8 @@ TESTS = {
'equalto': test_equalto,
'escaped': test_escaped,
'greaterthan': test_greaterthan,
- 'lessthan': test_lessthan
+ 'lessthan': test_lessthan,
+ 'basic_format_safety': test_basic_format_safety,
+ 'basic_format_all_okay': test_basic_format_all_okay,
+ 'safe_format_all_okay': test_safe_format_all_okay,
}
