Sync from SUSE:ALP:Source:Standard:1.0 python-Jinja2 revision 1c38a1df7fac177a9a09d229df058bea

This commit is contained in:
Adrian Schröter 2024-09-06 10:31:59 +02:00
commit 0d2f1aeffa
5 changed files with 829 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

104
CVE-2024-34064.patch Normal file
View File

@ -0,0 +1,104 @@
From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Thu, 2 May 2024 09:14:00 -0700
Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
---
CHANGES.rst | 6 ++++++
src/jinja2/filters.py | 22 +++++++++++++++++-----
tests/test_filters.py | 11 ++++++-----
3 files changed, 29 insertions(+), 10 deletions(-)
Index: Jinja2-3.1.2/CHANGES.rst
===================================================================
--- Jinja2-3.1.2.orig/CHANGES.rst
+++ Jinja2-3.1.2/CHANGES.rst
@@ -9,6 +9,12 @@ Released 2022-04-28
:issue:`1645`
- Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654`
+- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>``
+ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces.
+ Regardless of any validation done by Jinja, user input should never be used
+ as keys to this filter, or must be separately validated first.
+ GHSA-h75v-3vvj-5mfj
+
Version 3.1.1
-------------
Index: Jinja2-3.1.2/src/jinja2/filters.py
===================================================================
--- Jinja2-3.1.2.orig/src/jinja2/filters.py
+++ Jinja2-3.1.2/src/jinja2/filters.py
@@ -248,13 +248,25 @@ def do_items(value: t.Union[t.Mapping[K,
yield from value.items()
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+
+
@pass_eval_context
def do_xmlattr(
eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
) -> str:
"""Create an SGML/XML attribute string based on the items in a dict.
- All values that are neither `none` nor `undefined` are automatically
- escaped:
+
+ **Values** that are neither ``none`` nor ``undefined`` are automatically
+ escaped, safely allowing untrusted user input.
+
+ User input should not be used as **keys** to this filter. If any key
+ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+ sign, this fails with a ``ValueError``. Regardless of this, user input
+ should never be used as keys to this filter, or must be separately validated
+ first.
.. sourcecode:: html+jinja
@@ -273,12 +285,23 @@ def do_xmlattr(
As you can see it automatically prepends a space in front of the item
if the filter returned something unless the second parameter is false.
+
+ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
+ are not allowed.
+
+ Keys with spaces are not allowed.
"""
- rv = " ".join(
- f'{escape(key)}="{escape(value)}"'
- for key, value in d.items()
- if value is not None and not isinstance(value, Undefined)
- )
+ items = []
+ for key, value in d.items():
+ if value is None or isinstance(value, Undefined):
+ continue
+
+ if _attr_key_re.search(key) is not None:
+ raise ValueError("Invalid character in attribute name: {key!r}")
+
+ items.append(f'{escape(key)}="{escape(value)}"')
+
+ rv = " ".join(items)
if autospace and rv:
rv = " " + rv
Index: Jinja2-3.1.2/tests/test_filters.py
===================================================================
--- Jinja2-3.1.2.orig/tests/test_filters.py
+++ Jinja2-3.1.2/tests/test_filters.py
@@ -871,3 +871,10 @@ class TestFilter:
with pytest.raises(TemplateRuntimeError, match="No filter named 'f'"):
t1.render(x=42)
t2.render(x=42)
+
+ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "="))
+ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None:
+ with pytest.raises(ValueError, match="Invalid character"):
+ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render(
+ key=f"class{sep}onclick=alert(1)"
+ )

BIN
Jinja2-3.1.2.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

622
python-Jinja2.changes Normal file
View File

@ -0,0 +1,622 @@
-------------------------------------------------------------------
Mon Jun 3 07:16:34 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Add CVE-2024-34064.patch upstream patch
(CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4)
Also fixes (CVE-2024-22195, bsc#1218722)
-------------------------------------------------------------------
Fri Apr 21 12:20:44 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add sle15_python_module_pythons (jsc#PED-68)
-------------------------------------------------------------------
Thu Apr 13 22:42:17 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Make calling of %{sle15modernpython} optional.
-------------------------------------------------------------------
Fri Dec 2 07:35:08 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- ignore 'pytest.PytestRemovedIn8Warning: Support for nose tests is
deprecated and will be removed in a future release.' error from
pytest 7.2
-------------------------------------------------------------------
Sat Jun 4 11:35:44 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 3.1.2:
* Add parameters to ``Environment.overlay`` to match ``__init__``.
* Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654`
-------------------------------------------------------------------
Sun Mar 27 18:03:52 UTC 2022 - Arun Persaud <arun@gmx.de>
- specfile:
* update copyright year
* require python-base >= 3.7
- update to version 3.1.1:
* The template filename on Windows uses the primary path separator.
:issue:`1637`
- changes from version 3.1.0:
* Drop support for Python 3.6. :pr:`1534`
* Remove previously deprecated code. :pr:`1544`
+ "WithExtension" and "AutoEscapeExtension" are built-in now.
+ "contextfilter" and "contextfunction" are replaced by
"pass_context". "evalcontextfilter" and "evalcontextfunction"
are replaced by "pass_eval_context". "environmentfilter" and
"environmentfunction" are replaced by "pass_environment".
+ "Markup" and "escape" should be imported from MarkupSafe.
+ Compiled templates from very old Jinja versions may need to be
recompiled.
+ Legacy resolve mode for "Context" subclasses is no longer
supported. Override "resolve_or_missing" instead of "resolve".
+ "unicode_urlencode" is renamed to "url_quote".
* Add support for native types in macros. :issue:`1510`
* The "{% trans %}" tag can use "pgettext" and "npgettext" by
passing a context string as the first token in the tag, like "{%
trans "title" %}". :issue:`1430`
* Update valid identifier characters from Python 3.6 to 3.7.
:pr:`1571`
* Filters and tests decorated with "@async_variant" are pickleable.
:pr:`1612`
* Add "items" filter. :issue:`1561`
* Subscriptions ("[0]", etc.) can be used after filters, tests, and
calls when the environment is in async mode. :issue:`1573`
* The "groupby" filter is case-insensitive by default, matching
other comparison filters. Added the "case_sensitive" parameter
to control this. :issue:`1463`
* Windows drive-relative path segments in template names will not
result in "FileSystemLoader" and "PackageLoader" loading from
drive-relative paths. :pr:`1621`
-------------------------------------------------------------------
Sun Nov 14 14:59:31 UTC 2021 - Michael Ströder <michael@stroeder.com>
- update to 3.0.3
* Fix traceback rewriting internals for Python 3.10 and 3.11. (#1535)
* Fix how the native environment treats leading and trailing spaces
when parsing values on Python 3.10. (PR#1537)
* Improve async performance by avoiding checks for common types. (#1514)
* Revert change to ``hash(Node)`` behavior. Nodes are hashed by id again (#1521)
* ``PackageLoader`` works when the package is a single module file. (#1512)
-------------------------------------------------------------------
Sun Oct 10 00:16:28 UTC 2021 - Michael Ströder <michael@stroeder.com>
- dropped obsolete no-warnings-as-errors.patch
- update to 3.0.2
* Fix a loop scoping bug that caused assignments in nested loops to still
be referenced outside of it. #1427
* Make compile_templates deterministic for filter and import names. #1452, #1453
* Revert an unintended change that caused Undefined to act like
StrictUndefined for the in operator. #1448
* Imported macros have access to the current template globals in async
environments. #1494
* PackageLoader will not include a current directory (.) path segment.
This allows loading templates from the root of a zip import. #1467
-------------------------------------------------------------------
Fri Sep 10 08:07:58 UTC 2021 - Steve Kowalik <steven.kowalik@suse.com>
- Add no-warnings-as-errors.patch:
* Do not treat warnings as errors until upstream fix using async loops.
-------------------------------------------------------------------
Fri Aug 6 07:34:44 UTC 2021 - Markéta Machová <mmachova@suse.com>
- Babel is not required
-------------------------------------------------------------------
Fri Jul 9 11:03:56 UTC 2021 - Ben Greiner <code@bnavigator.de>
- clean up single-spec: Remove python2 remnants
-------------------------------------------------------------------
Sat Jun 19 12:42:15 UTC 2021 - Michael Ströder <michael@stroeder.com>
- updated upstream project URL
-------------------------------------------------------------------
Sun Jun 13 13:55:29 UTC 2021 - Michael Ströder <michael@stroeder.com>
- skip building for Python 2.x
-------------------------------------------------------------------
Mon May 31 06:38:35 UTC 2021 - Adrian Schröter <adrian@suse.de>
- update to 3.0.1
Read the announcement:
https://palletsprojects.com/blog/flask-2-0-released/
Read the full list of changes:
https://jinja.palletsprojects.com/changes/#version-3-0-0
- python-Jinja2-vim subpackage dropped
vim highlight rule files do not exist anymore
-------------------------------------------------------------------
Tue Feb 9 15:42:40 UTC 2021 - Alexandros Toptsoglou <atoptsoglou@suse.com>
- update to 2.11.3
* Improve the speed of the urlize filter by reducing regex backtracking.
Email matching requires a word character at the start of the domain part
and only word characters in the TLD (CVE-2020-28493 bsc#1181944).
-------------------------------------------------------------------
Mon May 4 09:35:51 UTC 2020 - Johannes Grassler <johannes.grassler@suse.com>
- update to 2.11.2
* Fix a bug that caused callable objects with __getattr__, like
:class:~unittest.mock.Mock to be treated as a
:func:contextfunction. :issue:1145
* Update wordcount filter to trigger :class:Undefined methods
by wrapping the input in :func:soft_unicode. :pr:1160
* Fix a hang when displaying tracebacks on Python 32-bit.
:issue:1162
* Showing an undefined error for an object that raises
AttributeError on access doesn't cause a recursion error.
:issue:1177
* Revert changes to :class:~loaders.PackageLoader from 2.10 which
removed the dependency on setuptools and pkg_resources, and added
limited support for namespace packages. The changes caused issues
when using Pytest. Due to the difficulty in supporting Python 2 and
:pep:451 simultaneously, the changes are reverted until 3.0.
:pr:1182
* Fix line numbers in error messages when newlines are stripped.
:pr:1178
* The special namespace() assignment object in templates works in
async environments. :issue:1180
* Fix whitespace being removed before tags in the middle of lines when
lstrip_blocks is enabled. :issue:1138
* :class:~nativetypes.NativeEnvironment doesn't evaluate
intermediate strings during rendering. This prevents early
evaluation which could change the value of an expression.
:issue:1186
-------------------------------------------------------------------
Wed Apr 8 11:59:35 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
- Enable testing on other archs again
- Do not pull in py2 package on vim syntax
-------------------------------------------------------------------
Fri Feb 21 18:56:05 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
- disable tests on 32bit archs
-------------------------------------------------------------------
Tue Feb 18 17:26:13 UTC 2020 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 2.11.1
* Fix a bug that prevented looking up a key after an attribute
({{ data.items[1:] }}) in an async template
* Drop support for Python 2.6, 3.3, and 3.4. This will be the last version
to support Python 2.7 and 3.5.
* Added a new ChainableUndefined class to support getitem and getattr
on an undefined object.
* Allow {%+ syntax (with NOP behavior) when lstrip_blocks is disabled.
* Added a default parameter for the map filter.
* Exclude environment globals from meta.find_undeclared_variables().
* Float literals can be written with scientific notation, like 2.56e-3.
* Int and float literals can be written with the _ separator
for legibility, like 12_345.
* Fix a bug causing deadlocks in LRUCache.setdefault
* The trim filter takes an optional string of characters to trim.
* A new jinja2.ext.debug extension adds a {% debug %} tag to quickly dump
the current context and available filters and tests.
* Lexing templates with large amounts of whitespace is much faster.
* Parentheses around comparisons are preserved, so {{ 2 * (3 < 5) }} outputs
“2” instead of “False”.
* Add new boolean, false, true, integer and float tests.
* The environments finalize function is only applied to the output of expressions
(constant or not), not static template data.
* When providing multiple paths to FileSystemLoader, a template can have
the same name as a directory.
* Always return Undefined when omitting the else clause in a {{ 'foo' if bar }}
expression, regardless of the environments undefined class. Omitting
the else clause is a valid shortcut and should not raise an error when using
StrictUndefined.
* Fix behavior of loop control variables such as length and revindex0 when
looping over a generator.
* Async support is only loaded the first time an environment enables it,
in order to avoid a slow initial import.
* In async environments, the |map filter will await the filter call if needed.
* In for loops that access loop attributes, the iterator is not advanced ahead
of the current iteration unless length, revindex, nextitem, or last are accessed.
This makes it less likely to break groupby results.
* In async environments, the loop attributes length and revindex work for async iterators.
* In async environments, values from attribute/property access will be awaited if needed.
* PackageLoader doesnt depend on setuptools or pkg_resources.
* PackageLoader has limited support for PEP 420 namespace packages.
* Support os.PathLike objects in FileSystemLoader and ModuleLoader
* NativeTemplate correctly handles quotes between expressions. "'{{ a }}', '{{ b }}'"
renders as the tuple ('1', '2') rather than the string '1, 2'.
* Creating a NativeTemplate directly creates a NativeEnvironment instead
of a default Environment.
* After calling LRUCache.copy(), the copys queue methods point to the correct queue.
* Compiling templates always writes UTF-8 instead of defaulting to the system encoding.
* |wordwrap filter treats existing newlines as separate paragraphs to be wrapped
individually, rather than creating short intermediate lines.
* Add break_on_hyphens parameter to |wordwrap filter.
* Cython compiled functions decorated as context functions will be passed the context.
* When chained comparisons of constants are evaluated at compile time,
the result follows Pythons behavior of returning False if any comparison
returns False, rather than only the last one
* Tracebacks for exceptions in templates show the correct line numbers
and source for Python >= 3.7.
* Tracebacks for template syntax errors in Python 3 no longer show
internal compiler frames
* Add a DerivedContextReference node that can be used by extensions to get
the current context and local variables such as loop
* Constant folding during compilation is applied to some node types
that were previously overlooked
* TemplateSyntaxError.source is not empty when raised from an included template.
* Passing an Undefined value to get_template (such as through extends, import,
or include), raises an UndefinedError consistently. select_template will show
the undefined message in the list of attempts rather than the empty string.
* TemplateSyntaxError can be pickled.
-------------------------------------------------------------------
Mon Oct 7 13:37:05 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Update to 2.10.3:
* Fix Python 3.7 deprecation warnings.
* Using range in the sandboxed environment uses xrange on Python 2 to avoid memory use. :issue:`933`
* Use Python 3.7's better traceback support to avoid a core dump when using debug builds of Python 3.7. :issue:`1050`
* Fix a typo in Babel entry point in setup.py that was preventing installation.
- Remove merged python38.patch
-------------------------------------------------------------------
Tue Sep 24 11:06:41 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Add patch to work with python 3.8:
* python38.patch
-------------------------------------------------------------------
Sat Apr 13 16:46:23 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Trim bias from descriptions. Make sure % is escaped.
-------------------------------------------------------------------
Sat Apr 13 03:06:31 UTC 2019 - Arun Persaud <arun@gmx.de>
- update to version 2.10.1 (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341):
* "SandboxedEnvironment" securely handles "str.format_map" in order
to prevent code execution through untrusted format strings. The
sandbox already handled "str.format".
-------------------------------------------------------------------
Tue Feb 19 03:45:55 UTC 2019 - John Vandenberg <jayvdb@gmail.com>
- Activate test suite
- Add minimum build dependency to match runtime dependency
-------------------------------------------------------------------
Mon Dec 10 12:43:01 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Fix fdupes call
-------------------------------------------------------------------
Tue Dec 4 12:49:28 UTC 2018 - Matej Cepl <mcepl@suse.com>
- Remove superfluous devel dependency for noarch package
-------------------------------------------------------------------
Tue Mar 6 15:52:17 UTC 2018 - aplanas@suse.com
- Allows Recommends and Suggest in Fedora
-------------------------------------------------------------------
Tue Feb 27 17:41:33 UTC 2018 - aplanas@suse.com
- Recommends only for SUSE
-------------------------------------------------------------------
Thu Nov 9 06:26:51 UTC 2017 - arun@gmx.de
- specfile:
* CHANGES -> CHANGES.rst
* added README.rst to %doc section
- update to version 2.10:
* Added a new extension node called "OverlayScope" which can be used
to create an unoptimized scope that will look up all variables
from a derived context.
* Added an "in" test that works like the in operator. This can be
used in combination with "reject" and "select".
* Added "previtem" and "nextitem" to loop contexts, providing access
to the previous/next item in the loop. If such an item does not
exist, the value is undefined.
* Added "changed(*values)" to loop contexts, providing an easy way
of checking whether a value has changed since the last iteration
(or rather since the last call of the method)
* Added a "namespace" function that creates a special object which
allows attribute assignment using the "set" tag. This can be used
to carry data across scopes, e.g. from a loop body to code that
comes after the loop.
* Added a "trimmed" modifier to "{% trans %}" to strip linebreaks
and surrounding whitespace. Also added a new policy to enable this
for all "trans" blocks.
* The "random" filter is no longer incorrectly constant folded and
will produce a new random choice each time the template is
rendered. (`#478`_)
* Added a "unique" filter. (`#469`_)
* Added "min" and "max" filters. (`#475`_)
* Added tests for all comparison operators: "eq", "ne", "lt", "le",
"gt", "ge". (`#665`_)
* "import" statement cannot end with a trailing comma. (`#617`_,
`#618`_)
* "indent" filter will not indent blank lines by default. (`#685`_)
* Add "reverse" argument for "dictsort" filter. (`#692`_)
* Add a "NativeEnvironment" that renders templates to native Python
types instead of strings. (`#708`_)
* Added filter support to the block "set" tag. (`#489`_)
* "tojson" filter marks output as safe to match documented behavior.
(`#718`_)
* Resolved a bug where getting debug locals for tracebacks could
modify template context.
* Fixed a bug where having many "{% elif ... %}" blocks resulted in
a "too many levels of indentation" error. These blocks now
compile to native "elif ..:" instead of "else: if ..:" (`#759`_)
-------------------------------------------------------------------
Tue Apr 4 14:56:17 UTC 2017 - jmatejek@suse.com
- update for singlespec
- update to 2.9.6
* fixed custom context behavior in fast resolve mode
-------------------------------------------------------------------
Wed Mar 22 04:39:40 UTC 2017 - dmueller@suse.com
- fix requires
-------------------------------------------------------------------
Wed Mar 15 13:55:57 UTC 2017 - michael@stroeder.com
- Update to 2.9.5 (bsc#1132174, CVE-2016-10745)
(see the changes in /usr/share/doc/packages/python-Jinja2/CHANGES)
- updated source URL
-------------------------------------------------------------------
Thu Nov 19 13:18:12 UTC 2015 - aplanas@suse.com
- Update to 2.8
- Added `target` parameter to urlize function.
- Added support for `followsymlinks` to the file system loader.
- The truncate filter now counts the length.
- Added equalto filter that helps with select filters.
- Changed cache keys to use absolute file names if available
instead of load names.
- Fixed loop length calculation for some iterators.
- Changed how Jinja2 enforces strings to be native strings in
Python 2 to work when people break their default encoding.
- Added :func:`make_logging_undefined` which returns an undefined
object that logs failures into a logger.
- If unmarshalling of cached data fails the template will be
reloaded now.
- Implemented a block ``set`` tag.
- Default cache size was incrased to 400 from a low 50.
- Fixed ``is number`` test to accept long integers in all Python versions.
- Changed ``is number`` to accept Decimal as a number.
- Added a check for default arguments followed by non-default arguments. This
change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a syntax error. The
previous behavior for this code was broken anyway (resulting in the default
value being applied to `y`).
- Add ability to use custom subclasses of ``jinja2.compiler.CodeGenerator`` and
``jinja2.runtime.Context`` by adding two new attributes to the environment
(`code_generator_class` and `context_class`) (pull request ``#404``).
- added support for context/environment/evalctx decorator functions on
the finalize callback of the environment.
- escape query strings for urlencode properly. Previously slashes were not
escaped in that place.
- Add 'base' parameter to 'int' filter.
- Tests are removed from the package (not distributed in the tar.gz)
-------------------------------------------------------------------
Wed Jul 22 14:20:45 UTC 2015 - jengelh@inai.de
- Use %python_version over %py_ver: better portability to RHEL
-------------------------------------------------------------------
Fri Aug 15 12:30:58 UTC 2014 - mcihar@suse.cz
- run testsuite during build
-------------------------------------------------------------------
Fri Aug 15 12:29:35 UTC 2014 - mcihar@suse.cz
- adjust dependency to use up to date package name for python-MarkupSafe
-------------------------------------------------------------------
Tue Jul 15 10:41:00 UTC 2014 - toddrme2178@gmail.com
- Update to 2.7.3 (bnc#858239, CVE-2014-0012)
- Security issue: Corrected the security fix for the cache folder.
This fix was provided by RedHat.
-------------------------------------------------------------------
Thu May 8 21:21:45 UTC 2014 - hpj@urpla.net
- fix package build (file selection missing)
-------------------------------------------------------------------
Sat Apr 26 19:38:39 UTC 2014 - dmueller@suse.com
- avoid rebuildcycle with vim
-------------------------------------------------------------------
Mon Jan 13 13:18:53 UTC 2014 - dmueller@suse.com
- update to 2.7.2:
- Prefix loader was not forwarding the locals properly to
inner loaders. This is now fixed.
- Security issue: Changed the default folder for the filesystem cache to be
user specific and read and write protected on UNIX systems. See `Debian bug
734747`_ for more information.
-------------------------------------------------------------------
Thu Oct 24 11:07:20 UTC 2013 - speilicke@suse.com
- Require python-setuptools instead of distribute (upstreams merged)
-------------------------------------------------------------------
Mon Sep 2 15:03:25 UTC 2013 - speilicke@suse.com
- Avoid "Recommends:" on old rpm distros
-------------------------------------------------------------------
Tue Aug 13 09:56:18 UTC 2013 - dmueller@suse.com
- update to 2.7.1:
- Fixed a bug with ``call_filter`` not working properly on environment
and context filters.
- Fixed lack of Python 3 support for bytecode caches.
- Reverted support for defining blocks in included templates as this
broke existing templates for users.
- Fixed some warnings with hashing of undefineds and nodes if Python
is run with warnings for Python 3.
- Added support for properly hashing undefined objects.
- Fixed a bug with the title filter not working on already uppercase
strings.
-------------------------------------------------------------------
Thu Jul 11 14:37:06 UTC 2013 - dmueller@suse.com
- update to 2.7:
- Choice and prefix loaders now dispatch source and template lookup
separately in order to work in combination with module loaders as
advertised.
- Fixed filesizeformat.
- Added a non-silent option for babel extraction.
- Added `urlencode` filter that automatically quotes values for
URL safe usage with utf-8 as only supported encoding. If applications
want to change this encoding they can override the filter.
- Added `keep-trailing-newline` configuration to environments and
templates to optionally preserve the final trailing newline.
- Accessing `last` on the loop context no longer causes the iterator
to be consumed into a list.
- Python requirement changed: 2.6, 2.7 or >= 3.3 are required now,
supported by same source code, using the "six" compatibility library.
- Allow `contextfunction` and other decorators to be applied to `__call__`.
- Added support for changing from newline to different signs in the `wordwrap`
filter.
- Added support for ignoring memcache errors silently.
- Added support for keeping the trailing newline in templates.
- Added finer grained support for stripping whitespace on the left side
of blocks.
- Added `map`, `select`, `reject`, `selectattr` and `rejectattr`
filters.
- Added support for `loop.depth` to figure out how deep inside a recursive
loop the code is.
- Disabled py_compile for pypy and python 3.
-------------------------------------------------------------------
Mon Apr 30 13:06:58 UTC 2012 - toddrme2178@gmail.com
- Fix building python 3 package on openSUSE 11.4 x86_64
-------------------------------------------------------------------
Thu Apr 26 14:08:18 UTC 2012 - toddrme2178@gmail.com
- Add 2to3 buildrequires to allow for proper conversion of python 3
version
-------------------------------------------------------------------
Mon Apr 23 12:00:49 UTC 2012 - toddrme2178@gmail.com
- Add python 3 package
- Simplify vim plugin packaging
- Add suggests for vim and emacs in their respective
packages
- Removed test for obsolete openSUSE version
-------------------------------------------------------------------
Thu Feb 23 13:44:50 UTC 2012 - saschpe@suse.de
- Simplified macro usage
-------------------------------------------------------------------
Thu Sep 22 12:00:51 UTC 2011 - saschpe@suse.de
- Split of 'vim' and 'emacs' sub-packages that contain syntax highlighting
support for both editors
-------------------------------------------------------------------
Thu Sep 22 09:13:19 UTC 2011 - saschpe@suse.de
- Set license to BSD-3-Clause (SPDX style)
- Require python-distribute instead of python-setuptools
-------------------------------------------------------------------
Tue Sep 20 12:57:24 UTC 2011 - saschpe@suse.de
- Update to version 2.6:
* internal attributes now raise an internal attribute error now instead
of returning an undefined. This fixes problems when passing undefined
objects to Python semantics expecting APIs.
* traceback support now works properly for PyPy. (Tested with 1.4)
* implemented operator intercepting for sandboxed environments. This
allows application developers to disable builtin operators for better
security. (For instance limit the mathematical operators to actual
integers instead of longs)
* groupby filter now supports dotted notation for grouping by attributes
of attributes.
* scoped blocks not properly treat toplevel assignments and imports.
Previously an import suddenly "disappeared" in a scoped block.
* automatically detect newer Python interpreter versions before loading code
from bytecode caches to prevent segfaults on invalid opcodes. The segfault
in earlier Jinja2 versions here was not a Jinja2 bug but a limitation in
the underlying Python interpreter. If you notice Jinja2 segfaulting in
earlier versions after an upgrade of the Python interpreter you don't have
to upgrade, it's enough to flush the bytecode cache. This just no longer
makes this necessary, Jinja2 will automatically detect these cases now.
* the sum filter can now sum up values by attribute. This is a backwards
incompatible change. The argument to the filter previously was the
optional starting index which defaultes to zero. This now became the
second argument to the function because it's rarely used.
* like sum, sort now also makes it possible to order items by attribute.
* like sum and sort, join now also is able to join attributes of objects
as string.
* the internal eval context now has a reference to the environment.
* added a mapping test to see if an object is a dict or an object with
a similar interface.
-------------------------------------------------------------------
Wed Jul 20 20:27:08 UTC 2011 - saschpe@gmx.de
- Renamed to python-Jinja2
- Fix wrong EOL encodings
-------------------------------------------------------------------
Thu Apr 7 14:56:33 UTC 2011 - saschpe@suse.de
- Do not require python-setuptools, buildrequires is sufficient
- Removed authors from description
- Changed license to BSD3c
-------------------------------------------------------------------
Sun Dec 12 17:45:39 UTC 2010 - saschpe@gmx.de
- rpmlint issues cleanup
* fdupes, tar.bz2 tarball, ...
- package docs again (lost with last revision)
-------------------------------------------------------------------
Sat Dec 11 23:23:05 UTC 2010 - saschpe@gmx.de
- re-generated spec file with py2pack
* now builds for Fedora and Mandriva
-------------------------------------------------------------------
Thu Sep 17 20:33:11 UTC 2009 - alexandre@exatati.com.br
- Update to 2.2.1;
- Fixed changes file name.
-------------------------------------------------------------------
Mon Jun 8 14:05:51 CEST 2009 - poeml@suse.de
- initial package (2.1.1)

77
python-Jinja2.spec Normal file
View File

@ -0,0 +1,77 @@
#
# spec file for package python-Jinja2
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define skip_python2 1
%ifarch %{ix86} armv7l
%bcond_with test
%else
%bcond_without test
%endif
%{?sle15_python_module_pythons}
Name: python-Jinja2
Version: 3.1.2
Release: 0
Summary: A template engine written in pure Python
License: BSD-3-Clause
URL: https://jinja.palletsprojects.com
Source: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
# PATCH-FIX-UPSTREAM CVE-2024-34064.patch gh#pallets/jinja@0668239dc6b4
Patch0: CVE-2024-34064.patch
BuildRequires: %{python_module MarkupSafe >= 0.23}
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools}
BuildRequires: dos2unix
BuildRequires: fdupes
BuildRequires: python-rpm-macros
Requires: python-MarkupSafe >= 0.23
Recommends: python-Babel >= 0.8
# Do not declare buildarch as the tests are arch specific
#BuildArch: noarch
Provides: python-jinja2 = %{version}-%{release}
Obsoletes: python-jinja2 < %{version}-%{release}
%python_subpackages
%description
Jinja2 is a template engine written in pure Python. It provides a Django
inspired non-XML syntax but supports inline expressions and an optional
sandboxed environment.
%prep
%autosetup -p1 -n Jinja2-%{version}
dos2unix LICENSE.rst # Fix wrong EOL encoding
%build
%python_build
%install
%python_install
%python_expand %fdupes %{buildroot}%{$python_sitelib}
%check
%if %{with test}
%pytest -W ignore:'Support for nose tests is deprecated'
%endif
%files %{python_files}
%license LICENSE.rst
%doc README.rst CHANGES.rst artwork examples
%{python_sitelib}/jinja2
%{python_sitelib}/Jinja2-%{version}-py%{python_version}.egg-info
%changelog