From 0d2f1aeffa67bdb27ae41edea156ea3ddb84cb51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 6 Sep 2024 10:31:59 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 python-Jinja2 revision 1c38a1df7fac177a9a09d229df058bea --- .gitattributes | 23 ++ CVE-2024-34064.patch | 104 +++++++ Jinja2-3.1.2.tar.gz | 3 + python-Jinja2.changes | 622 ++++++++++++++++++++++++++++++++++++++++++ python-Jinja2.spec | 77 ++++++ 5 files changed, 829 insertions(+) create mode 100644 .gitattributes create mode 100644 CVE-2024-34064.patch create mode 100644 Jinja2-3.1.2.tar.gz create mode 100644 python-Jinja2.changes create mode 100644 python-Jinja2.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/CVE-2024-34064.patch b/CVE-2024-34064.patch new file mode 100644 index 0000000..b32789d --- /dev/null +++ b/CVE-2024-34064.patch @@ -0,0 +1,104 @@ +From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Thu, 2 May 2024 09:14:00 -0700 +Subject: [PATCH] disallow invalid characters in keys to xmlattr filter + +--- + CHANGES.rst | 6 ++++++ + src/jinja2/filters.py | 22 +++++++++++++++++----- + tests/test_filters.py | 11 ++++++----- + 3 files changed, 29 insertions(+), 10 deletions(-) + +Index: Jinja2-3.1.2/CHANGES.rst +=================================================================== +--- Jinja2-3.1.2.orig/CHANGES.rst ++++ Jinja2-3.1.2/CHANGES.rst +@@ -9,6 +9,12 @@ Released 2022-04-28 + :issue:`1645` + - Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654` + ++- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` ++ greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. ++ Regardless of any validation done by Jinja, user input should never be used ++ as keys to this filter, or must be separately validated first. ++ GHSA-h75v-3vvj-5mfj ++ + + Version 3.1.1 + ------------- +Index: Jinja2-3.1.2/src/jinja2/filters.py +=================================================================== +--- Jinja2-3.1.2.orig/src/jinja2/filters.py ++++ Jinja2-3.1.2/src/jinja2/filters.py +@@ -248,13 +248,25 @@ def do_items(value: t.Union[t.Mapping[K, + yield from value.items() + + ++# Check for characters that would move the parser state from key to value. ++# https://html.spec.whatwg.org/#attribute-name-state ++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) ++ ++ + @pass_eval_context + def do_xmlattr( + eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True + ) -> str: + """Create an SGML/XML attribute string based on the items in a dict. +- All values that are neither `none` nor `undefined` are automatically +- escaped: ++ ++ **Values** that are neither ``none`` nor ``undefined`` are automatically ++ escaped, safely allowing untrusted user input. ++ ++ User input should not be used as **keys** to this filter. If any key ++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals ++ sign, this fails with a ``ValueError``. Regardless of this, user input ++ should never be used as keys to this filter, or must be separately validated ++ first. + + .. sourcecode:: html+jinja + +@@ -273,12 +285,23 @@ def do_xmlattr( + + As you can see it automatically prepends a space in front of the item + if the filter returned something unless the second parameter is false. ++ ++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign ++ are not allowed. ++ ++ Keys with spaces are not allowed. + """ +- rv = " ".join( +- f'{escape(key)}="{escape(value)}"' +- for key, value in d.items() +- if value is not None and not isinstance(value, Undefined) +- ) ++ items = [] ++ for key, value in d.items(): ++ if value is None or isinstance(value, Undefined): ++ continue ++ ++ if _attr_key_re.search(key) is not None: ++ raise ValueError("Invalid character in attribute name: {key!r}") ++ ++ items.append(f'{escape(key)}="{escape(value)}"') ++ ++ rv = " ".join(items) + + if autospace and rv: + rv = " " + rv +Index: Jinja2-3.1.2/tests/test_filters.py +=================================================================== +--- Jinja2-3.1.2.orig/tests/test_filters.py ++++ Jinja2-3.1.2/tests/test_filters.py +@@ -871,3 +871,10 @@ class TestFilter: + with pytest.raises(TemplateRuntimeError, match="No filter named 'f'"): + t1.render(x=42) + t2.render(x=42) ++ ++ @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) ++ def test_xmlattr_key_invalid(self, env: Environment, sep: str) -> None: ++ with pytest.raises(ValueError, match="Invalid character"): ++ env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( ++ key=f"class{sep}onclick=alert(1)" ++ ) diff --git a/Jinja2-3.1.2.tar.gz b/Jinja2-3.1.2.tar.gz new file mode 100644 index 0000000..3c926f5 --- /dev/null +++ b/Jinja2-3.1.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852 +size 268239 diff --git a/python-Jinja2.changes b/python-Jinja2.changes new file mode 100644 index 0000000..1f2dc0c --- /dev/null +++ b/python-Jinja2.changes @@ -0,0 +1,622 @@ +------------------------------------------------------------------- +Mon Jun 3 07:16:34 UTC 2024 - Daniel Garcia + +- Add CVE-2024-34064.patch upstream patch + (CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4) + Also fixes (CVE-2024-22195, bsc#1218722) + +------------------------------------------------------------------- +Fri Apr 21 12:20:44 UTC 2023 - Dirk Müller + +- add sle15_python_module_pythons (jsc#PED-68) + +------------------------------------------------------------------- +Thu Apr 13 22:42:17 UTC 2023 - Matej Cepl + +- Make calling of %{sle15modernpython} optional. + +------------------------------------------------------------------- +Fri Dec 2 07:35:08 UTC 2022 - Johannes Kastl + +- ignore 'pytest.PytestRemovedIn8Warning: Support for nose tests is + deprecated and will be removed in a future release.' error from + pytest 7.2 + +------------------------------------------------------------------- +Sat Jun 4 11:35:44 UTC 2022 - Dirk Müller + +- update to 3.1.2: + * Add parameters to ``Environment.overlay`` to match ``__init__``. + * Handle race condition in ``FileSystemBytecodeCache``. :issue:`1654` + +------------------------------------------------------------------- +Sun Mar 27 18:03:52 UTC 2022 - Arun Persaud + +- specfile: + * update copyright year + * require python-base >= 3.7 + +- update to version 3.1.1: + * The template filename on Windows uses the primary path separator. + :issue:`1637` + +- changes from version 3.1.0: + * Drop support for Python 3.6. :pr:`1534` + * Remove previously deprecated code. :pr:`1544` + + "WithExtension" and "AutoEscapeExtension" are built-in now. + + "contextfilter" and "contextfunction" are replaced by + "pass_context". "evalcontextfilter" and "evalcontextfunction" + are replaced by "pass_eval_context". "environmentfilter" and + "environmentfunction" are replaced by "pass_environment". + + "Markup" and "escape" should be imported from MarkupSafe. + + Compiled templates from very old Jinja versions may need to be + recompiled. + + Legacy resolve mode for "Context" subclasses is no longer + supported. Override "resolve_or_missing" instead of "resolve". + + "unicode_urlencode" is renamed to "url_quote". + * Add support for native types in macros. :issue:`1510` + * The "{% trans %}" tag can use "pgettext" and "npgettext" by + passing a context string as the first token in the tag, like "{% + trans "title" %}". :issue:`1430` + * Update valid identifier characters from Python 3.6 to 3.7. + :pr:`1571` + * Filters and tests decorated with "@async_variant" are pickleable. + :pr:`1612` + * Add "items" filter. :issue:`1561` + * Subscriptions ("[0]", etc.) can be used after filters, tests, and + calls when the environment is in async mode. :issue:`1573` + * The "groupby" filter is case-insensitive by default, matching + other comparison filters. Added the "case_sensitive" parameter + to control this. :issue:`1463` + * Windows drive-relative path segments in template names will not + result in "FileSystemLoader" and "PackageLoader" loading from + drive-relative paths. :pr:`1621` + +------------------------------------------------------------------- +Sun Nov 14 14:59:31 UTC 2021 - Michael Ströder + +- update to 3.0.3 + * Fix traceback rewriting internals for Python 3.10 and 3.11. (#1535) + * Fix how the native environment treats leading and trailing spaces + when parsing values on Python 3.10. (PR#1537) + * Improve async performance by avoiding checks for common types. (#1514) + * Revert change to ``hash(Node)`` behavior. Nodes are hashed by id again (#1521) + * ``PackageLoader`` works when the package is a single module file. (#1512) + +------------------------------------------------------------------- +Sun Oct 10 00:16:28 UTC 2021 - Michael Ströder + +- dropped obsolete no-warnings-as-errors.patch +- update to 3.0.2 + * Fix a loop scoping bug that caused assignments in nested loops to still + be referenced outside of it. #1427 + * Make compile_templates deterministic for filter and import names. #1452, #1453 + * Revert an unintended change that caused Undefined to act like + StrictUndefined for the in operator. #1448 + * Imported macros have access to the current template globals in async + environments. #1494 + * PackageLoader will not include a current directory (.) path segment. + This allows loading templates from the root of a zip import. #1467 + +------------------------------------------------------------------- +Fri Sep 10 08:07:58 UTC 2021 - Steve Kowalik + +- Add no-warnings-as-errors.patch: + * Do not treat warnings as errors until upstream fix using async loops. + +------------------------------------------------------------------- +Fri Aug 6 07:34:44 UTC 2021 - Markéta Machová + +- Babel is not required + +------------------------------------------------------------------- +Fri Jul 9 11:03:56 UTC 2021 - Ben Greiner + +- clean up single-spec: Remove python2 remnants + +------------------------------------------------------------------- +Sat Jun 19 12:42:15 UTC 2021 - Michael Ströder + +- updated upstream project URL + +------------------------------------------------------------------- +Sun Jun 13 13:55:29 UTC 2021 - Michael Ströder + +- skip building for Python 2.x + +------------------------------------------------------------------- +Mon May 31 06:38:35 UTC 2021 - Adrian Schröter + +- update to 3.0.1 + Read the announcement: + https://palletsprojects.com/blog/flask-2-0-released/ + Read the full list of changes: + https://jinja.palletsprojects.com/changes/#version-3-0-0 +- python-Jinja2-vim subpackage dropped + vim highlight rule files do not exist anymore + +------------------------------------------------------------------- +Tue Feb 9 15:42:40 UTC 2021 - Alexandros Toptsoglou + +- update to 2.11.3 + * Improve the speed of the urlize filter by reducing regex backtracking. + Email matching requires a word character at the start of the domain part + and only word characters in the TLD (CVE-2020-28493 bsc#1181944). + +------------------------------------------------------------------- +Mon May 4 09:35:51 UTC 2020 - Johannes Grassler + +- update to 2.11.2 + * Fix a bug that caused callable objects with __getattr__, like + :class:~unittest.mock.Mock to be treated as a + :func:contextfunction. :issue:1145 + * Update wordcount filter to trigger :class:Undefined methods + by wrapping the input in :func:soft_unicode. :pr:1160 + * Fix a hang when displaying tracebacks on Python 32-bit. + :issue:1162 + * Showing an undefined error for an object that raises + AttributeError on access doesn't cause a recursion error. + :issue:1177 + * Revert changes to :class:~loaders.PackageLoader from 2.10 which + removed the dependency on setuptools and pkg_resources, and added + limited support for namespace packages. The changes caused issues + when using Pytest. Due to the difficulty in supporting Python 2 and + :pep:451 simultaneously, the changes are reverted until 3.0. + :pr:1182 + * Fix line numbers in error messages when newlines are stripped. + :pr:1178 + * The special namespace() assignment object in templates works in + async environments. :issue:1180 + * Fix whitespace being removed before tags in the middle of lines when + lstrip_blocks is enabled. :issue:1138 + * :class:~nativetypes.NativeEnvironment doesn't evaluate + intermediate strings during rendering. This prevents early + evaluation which could change the value of an expression. + :issue:1186 + +------------------------------------------------------------------- +Wed Apr 8 11:59:35 UTC 2020 - Tomáš Chvátal + +- Enable testing on other archs again +- Do not pull in py2 package on vim syntax + +------------------------------------------------------------------- +Fri Feb 21 18:56:05 UTC 2020 - Ondřej Súkup + +- disable tests on 32bit archs + +------------------------------------------------------------------- +Tue Feb 18 17:26:13 UTC 2020 - Ondřej Súkup + +- update to 2.11.1 + * Fix a bug that prevented looking up a key after an attribute + ({{ data.items[1:] }}) in an async template + * Drop support for Python 2.6, 3.3, and 3.4. This will be the last version + to support Python 2.7 and 3.5. + * Added a new ChainableUndefined class to support getitem and getattr + on an undefined object. + * Allow {%+ syntax (with NOP behavior) when lstrip_blocks is disabled. + * Added a default parameter for the map filter. + * Exclude environment globals from meta.find_undeclared_variables(). + * Float literals can be written with scientific notation, like 2.56e-3. + * Int and float literals can be written with the ‘_’ separator + for legibility, like 12_345. + * Fix a bug causing deadlocks in LRUCache.setdefault + * The trim filter takes an optional string of characters to trim. + * A new jinja2.ext.debug extension adds a {% debug %} tag to quickly dump + the current context and available filters and tests. + * Lexing templates with large amounts of whitespace is much faster. + * Parentheses around comparisons are preserved, so {{ 2 * (3 < 5) }} outputs + “2” instead of “False”. + * Add new boolean, false, true, integer and float tests. + * The environment’s finalize function is only applied to the output of expressions + (constant or not), not static template data. + * When providing multiple paths to FileSystemLoader, a template can have + the same name as a directory. + * Always return Undefined when omitting the else clause in a {{ 'foo' if bar }} + expression, regardless of the environment’s undefined class. Omitting + the else clause is a valid shortcut and should not raise an error when using + StrictUndefined. + * Fix behavior of loop control variables such as length and revindex0 when + looping over a generator. + * Async support is only loaded the first time an environment enables it, + in order to avoid a slow initial import. + * In async environments, the |map filter will await the filter call if needed. + * In for loops that access loop attributes, the iterator is not advanced ahead + of the current iteration unless length, revindex, nextitem, or last are accessed. + This makes it less likely to break groupby results. + * In async environments, the loop attributes length and revindex work for async iterators. + * In async environments, values from attribute/property access will be awaited if needed. + * PackageLoader doesn’t depend on setuptools or pkg_resources. + * PackageLoader has limited support for PEP 420 namespace packages. + * Support os.PathLike objects in FileSystemLoader and ModuleLoader + * NativeTemplate correctly handles quotes between expressions. "'{{ a }}', '{{ b }}'" + renders as the tuple ('1', '2') rather than the string '1, 2'. + * Creating a NativeTemplate directly creates a NativeEnvironment instead + of a default Environment. + * After calling LRUCache.copy(), the copy’s queue methods point to the correct queue. + * Compiling templates always writes UTF-8 instead of defaulting to the system encoding. + * |wordwrap filter treats existing newlines as separate paragraphs to be wrapped + individually, rather than creating short intermediate lines. + * Add break_on_hyphens parameter to |wordwrap filter. + * Cython compiled functions decorated as context functions will be passed the context. + * When chained comparisons of constants are evaluated at compile time, + the result follows Python’s behavior of returning False if any comparison + returns False, rather than only the last one + * Tracebacks for exceptions in templates show the correct line numbers + and source for Python >= 3.7. + * Tracebacks for template syntax errors in Python 3 no longer show + internal compiler frames + * Add a DerivedContextReference node that can be used by extensions to get + the current context and local variables such as loop + * Constant folding during compilation is applied to some node types + that were previously overlooked + * TemplateSyntaxError.source is not empty when raised from an included template. + * Passing an Undefined value to get_template (such as through extends, import, + or include), raises an UndefinedError consistently. select_template will show + the undefined message in the list of attempts rather than the empty string. + * TemplateSyntaxError can be pickled. + +------------------------------------------------------------------- +Mon Oct 7 13:37:05 UTC 2019 - Tomáš Chvátal + +- Update to 2.10.3: + * Fix Python 3.7 deprecation warnings. + * Using range in the sandboxed environment uses xrange on Python 2 to avoid memory use. :issue:`933` + * Use Python 3.7's better traceback support to avoid a core dump when using debug builds of Python 3.7. :issue:`1050` + * Fix a typo in Babel entry point in setup.py that was preventing installation. +- Remove merged python38.patch + +------------------------------------------------------------------- +Tue Sep 24 11:06:41 UTC 2019 - Tomáš Chvátal + +- Add patch to work with python 3.8: + * python38.patch + +------------------------------------------------------------------- +Sat Apr 13 16:46:23 UTC 2019 - Jan Engelhardt + +- Trim bias from descriptions. Make sure % is escaped. + +------------------------------------------------------------------- +Sat Apr 13 03:06:31 UTC 2019 - Arun Persaud + +- update to version 2.10.1 (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341): + * "SandboxedEnvironment" securely handles "str.format_map" in order + to prevent code execution through untrusted format strings. The + sandbox already handled "str.format". + +------------------------------------------------------------------- +Tue Feb 19 03:45:55 UTC 2019 - John Vandenberg + +- Activate test suite +- Add minimum build dependency to match runtime dependency + +------------------------------------------------------------------- +Mon Dec 10 12:43:01 UTC 2018 - Tomáš Chvátal + +- Fix fdupes call + +------------------------------------------------------------------- +Tue Dec 4 12:49:28 UTC 2018 - Matej Cepl + +- Remove superfluous devel dependency for noarch package + +------------------------------------------------------------------- +Tue Mar 6 15:52:17 UTC 2018 - aplanas@suse.com + +- Allows Recommends and Suggest in Fedora + +------------------------------------------------------------------- +Tue Feb 27 17:41:33 UTC 2018 - aplanas@suse.com + +- Recommends only for SUSE + +------------------------------------------------------------------- +Thu Nov 9 06:26:51 UTC 2017 - arun@gmx.de + +- specfile: + * CHANGES -> CHANGES.rst + * added README.rst to %doc section + +- update to version 2.10: + * Added a new extension node called "OverlayScope" which can be used + to create an unoptimized scope that will look up all variables + from a derived context. + * Added an "in" test that works like the in operator. This can be + used in combination with "reject" and "select". + * Added "previtem" and "nextitem" to loop contexts, providing access + to the previous/next item in the loop. If such an item does not + exist, the value is undefined. + * Added "changed(*values)" to loop contexts, providing an easy way + of checking whether a value has changed since the last iteration + (or rather since the last call of the method) + * Added a "namespace" function that creates a special object which + allows attribute assignment using the "set" tag. This can be used + to carry data across scopes, e.g. from a loop body to code that + comes after the loop. + * Added a "trimmed" modifier to "{% trans %}" to strip linebreaks + and surrounding whitespace. Also added a new policy to enable this + for all "trans" blocks. + * The "random" filter is no longer incorrectly constant folded and + will produce a new random choice each time the template is + rendered. (`#478`_) + * Added a "unique" filter. (`#469`_) + * Added "min" and "max" filters. (`#475`_) + * Added tests for all comparison operators: "eq", "ne", "lt", "le", + "gt", "ge". (`#665`_) + * "import" statement cannot end with a trailing comma. (`#617`_, + `#618`_) + * "indent" filter will not indent blank lines by default. (`#685`_) + * Add "reverse" argument for "dictsort" filter. (`#692`_) + * Add a "NativeEnvironment" that renders templates to native Python + types instead of strings. (`#708`_) + * Added filter support to the block "set" tag. (`#489`_) + * "tojson" filter marks output as safe to match documented behavior. + (`#718`_) + * Resolved a bug where getting debug locals for tracebacks could + modify template context. + * Fixed a bug where having many "{% elif ... %}" blocks resulted in + a "too many levels of indentation" error. These blocks now + compile to native "elif ..:" instead of "else: if ..:" (`#759`_) + +------------------------------------------------------------------- +Tue Apr 4 14:56:17 UTC 2017 - jmatejek@suse.com + +- update for singlespec +- update to 2.9.6 + * fixed custom context behavior in fast resolve mode + +------------------------------------------------------------------- +Wed Mar 22 04:39:40 UTC 2017 - dmueller@suse.com + +- fix requires + +------------------------------------------------------------------- +Wed Mar 15 13:55:57 UTC 2017 - michael@stroeder.com + +- Update to 2.9.5 (bsc#1132174, CVE-2016-10745) + (see the changes in /usr/share/doc/packages/python-Jinja2/CHANGES) +- updated source URL + +------------------------------------------------------------------- +Thu Nov 19 13:18:12 UTC 2015 - aplanas@suse.com + +- Update to 2.8 + - Added `target` parameter to urlize function. + - Added support for `followsymlinks` to the file system loader. + - The truncate filter now counts the length. + - Added equalto filter that helps with select filters. + - Changed cache keys to use absolute file names if available + instead of load names. + - Fixed loop length calculation for some iterators. + - Changed how Jinja2 enforces strings to be native strings in + Python 2 to work when people break their default encoding. + - Added :func:`make_logging_undefined` which returns an undefined + object that logs failures into a logger. + - If unmarshalling of cached data fails the template will be + reloaded now. + - Implemented a block ``set`` tag. + - Default cache size was incrased to 400 from a low 50. + - Fixed ``is number`` test to accept long integers in all Python versions. + - Changed ``is number`` to accept Decimal as a number. + - Added a check for default arguments followed by non-default arguments. This + change makes ``{% macro m(x, y=1, z) %}...{% endmacro %}`` a syntax error. The + previous behavior for this code was broken anyway (resulting in the default + value being applied to `y`). + - Add ability to use custom subclasses of ``jinja2.compiler.CodeGenerator`` and + ``jinja2.runtime.Context`` by adding two new attributes to the environment + (`code_generator_class` and `context_class`) (pull request ``#404``). + - added support for context/environment/evalctx decorator functions on + the finalize callback of the environment. + - escape query strings for urlencode properly. Previously slashes were not + escaped in that place. + - Add 'base' parameter to 'int' filter. +- Tests are removed from the package (not distributed in the tar.gz) + +------------------------------------------------------------------- +Wed Jul 22 14:20:45 UTC 2015 - jengelh@inai.de + +- Use %python_version over %py_ver: better portability to RHEL + +------------------------------------------------------------------- +Fri Aug 15 12:30:58 UTC 2014 - mcihar@suse.cz + +- run testsuite during build + +------------------------------------------------------------------- +Fri Aug 15 12:29:35 UTC 2014 - mcihar@suse.cz + +- adjust dependency to use up to date package name for python-MarkupSafe + +------------------------------------------------------------------- +Tue Jul 15 10:41:00 UTC 2014 - toddrme2178@gmail.com + +- Update to 2.7.3 (bnc#858239, CVE-2014-0012) + - Security issue: Corrected the security fix for the cache folder. + This fix was provided by RedHat. + +------------------------------------------------------------------- +Thu May 8 21:21:45 UTC 2014 - hpj@urpla.net + +- fix package build (file selection missing) + +------------------------------------------------------------------- +Sat Apr 26 19:38:39 UTC 2014 - dmueller@suse.com + +- avoid rebuildcycle with vim + +------------------------------------------------------------------- +Mon Jan 13 13:18:53 UTC 2014 - dmueller@suse.com + +- update to 2.7.2: + - Prefix loader was not forwarding the locals properly to + inner loaders. This is now fixed. + - Security issue: Changed the default folder for the filesystem cache to be + user specific and read and write protected on UNIX systems. See `Debian bug + 734747`_ for more information. + +------------------------------------------------------------------- +Thu Oct 24 11:07:20 UTC 2013 - speilicke@suse.com + +- Require python-setuptools instead of distribute (upstreams merged) + +------------------------------------------------------------------- +Mon Sep 2 15:03:25 UTC 2013 - speilicke@suse.com + +- Avoid "Recommends:" on old rpm distros + +------------------------------------------------------------------- +Tue Aug 13 09:56:18 UTC 2013 - dmueller@suse.com + +- update to 2.7.1: + - Fixed a bug with ``call_filter`` not working properly on environment + and context filters. + - Fixed lack of Python 3 support for bytecode caches. + - Reverted support for defining blocks in included templates as this + broke existing templates for users. + - Fixed some warnings with hashing of undefineds and nodes if Python + is run with warnings for Python 3. + - Added support for properly hashing undefined objects. + - Fixed a bug with the title filter not working on already uppercase + strings. + +------------------------------------------------------------------- +Thu Jul 11 14:37:06 UTC 2013 - dmueller@suse.com + +- update to 2.7: + - Choice and prefix loaders now dispatch source and template lookup + separately in order to work in combination with module loaders as + advertised. + - Fixed filesizeformat. + - Added a non-silent option for babel extraction. + - Added `urlencode` filter that automatically quotes values for + URL safe usage with utf-8 as only supported encoding. If applications + want to change this encoding they can override the filter. + - Added `keep-trailing-newline` configuration to environments and + templates to optionally preserve the final trailing newline. + - Accessing `last` on the loop context no longer causes the iterator + to be consumed into a list. + - Python requirement changed: 2.6, 2.7 or >= 3.3 are required now, + supported by same source code, using the "six" compatibility library. + - Allow `contextfunction` and other decorators to be applied to `__call__`. + - Added support for changing from newline to different signs in the `wordwrap` + filter. + - Added support for ignoring memcache errors silently. + - Added support for keeping the trailing newline in templates. + - Added finer grained support for stripping whitespace on the left side + of blocks. + - Added `map`, `select`, `reject`, `selectattr` and `rejectattr` + filters. + - Added support for `loop.depth` to figure out how deep inside a recursive + loop the code is. + - Disabled py_compile for pypy and python 3. + +------------------------------------------------------------------- +Mon Apr 30 13:06:58 UTC 2012 - toddrme2178@gmail.com + +- Fix building python 3 package on openSUSE 11.4 x86_64 + +------------------------------------------------------------------- +Thu Apr 26 14:08:18 UTC 2012 - toddrme2178@gmail.com + +- Add 2to3 buildrequires to allow for proper conversion of python 3 + version + +------------------------------------------------------------------- +Mon Apr 23 12:00:49 UTC 2012 - toddrme2178@gmail.com + +- Add python 3 package +- Simplify vim plugin packaging +- Add suggests for vim and emacs in their respective + packages +- Removed test for obsolete openSUSE version + +------------------------------------------------------------------- +Thu Feb 23 13:44:50 UTC 2012 - saschpe@suse.de + +- Simplified macro usage + +------------------------------------------------------------------- +Thu Sep 22 12:00:51 UTC 2011 - saschpe@suse.de + +- Split of 'vim' and 'emacs' sub-packages that contain syntax highlighting + support for both editors + +------------------------------------------------------------------- +Thu Sep 22 09:13:19 UTC 2011 - saschpe@suse.de + +- Set license to BSD-3-Clause (SPDX style) +- Require python-distribute instead of python-setuptools + +------------------------------------------------------------------- +Tue Sep 20 12:57:24 UTC 2011 - saschpe@suse.de + +- Update to version 2.6: + * internal attributes now raise an internal attribute error now instead + of returning an undefined. This fixes problems when passing undefined + objects to Python semantics expecting APIs. + * traceback support now works properly for PyPy. (Tested with 1.4) + * implemented operator intercepting for sandboxed environments. This + allows application developers to disable builtin operators for better + security. (For instance limit the mathematical operators to actual + integers instead of longs) + * groupby filter now supports dotted notation for grouping by attributes + of attributes. + * scoped blocks not properly treat toplevel assignments and imports. + Previously an import suddenly "disappeared" in a scoped block. + * automatically detect newer Python interpreter versions before loading code + from bytecode caches to prevent segfaults on invalid opcodes. The segfault + in earlier Jinja2 versions here was not a Jinja2 bug but a limitation in + the underlying Python interpreter. If you notice Jinja2 segfaulting in + earlier versions after an upgrade of the Python interpreter you don't have + to upgrade, it's enough to flush the bytecode cache. This just no longer + makes this necessary, Jinja2 will automatically detect these cases now. + * the sum filter can now sum up values by attribute. This is a backwards + incompatible change. The argument to the filter previously was the + optional starting index which defaultes to zero. This now became the + second argument to the function because it's rarely used. + * like sum, sort now also makes it possible to order items by attribute. + * like sum and sort, join now also is able to join attributes of objects + as string. + * the internal eval context now has a reference to the environment. + * added a mapping test to see if an object is a dict or an object with + a similar interface. + +------------------------------------------------------------------- +Wed Jul 20 20:27:08 UTC 2011 - saschpe@gmx.de + +- Renamed to python-Jinja2 +- Fix wrong EOL encodings + +------------------------------------------------------------------- +Thu Apr 7 14:56:33 UTC 2011 - saschpe@suse.de + +- Do not require python-setuptools, buildrequires is sufficient +- Removed authors from description +- Changed license to BSD3c + +------------------------------------------------------------------- +Sun Dec 12 17:45:39 UTC 2010 - saschpe@gmx.de + +- rpmlint issues cleanup + * fdupes, tar.bz2 tarball, ... +- package docs again (lost with last revision) + +------------------------------------------------------------------- +Sat Dec 11 23:23:05 UTC 2010 - saschpe@gmx.de + +- re-generated spec file with py2pack + * now builds for Fedora and Mandriva + +------------------------------------------------------------------- +Thu Sep 17 20:33:11 UTC 2009 - alexandre@exatati.com.br + +- Update to 2.2.1; +- Fixed changes file name. + +------------------------------------------------------------------- +Mon Jun 8 14:05:51 CEST 2009 - poeml@suse.de + +- initial package (2.1.1) + diff --git a/python-Jinja2.spec b/python-Jinja2.spec new file mode 100644 index 0000000..669452f --- /dev/null +++ b/python-Jinja2.spec @@ -0,0 +1,77 @@ +# +# spec file for package python-Jinja2 +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define skip_python2 1 +%ifarch %{ix86} armv7l +%bcond_with test +%else +%bcond_without test +%endif +%{?sle15_python_module_pythons} +Name: python-Jinja2 +Version: 3.1.2 +Release: 0 +Summary: A template engine written in pure Python +License: BSD-3-Clause +URL: https://jinja.palletsprojects.com +Source: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz +# PATCH-FIX-UPSTREAM CVE-2024-34064.patch gh#pallets/jinja@0668239dc6b4 +Patch0: CVE-2024-34064.patch +BuildRequires: %{python_module MarkupSafe >= 0.23} +BuildRequires: %{python_module base >= 3.7} +BuildRequires: %{python_module pytest} +BuildRequires: %{python_module setuptools} +BuildRequires: dos2unix +BuildRequires: fdupes +BuildRequires: python-rpm-macros +Requires: python-MarkupSafe >= 0.23 +Recommends: python-Babel >= 0.8 +# Do not declare buildarch as the tests are arch specific +#BuildArch: noarch +Provides: python-jinja2 = %{version}-%{release} +Obsoletes: python-jinja2 < %{version}-%{release} +%python_subpackages + +%description +Jinja2 is a template engine written in pure Python. It provides a Django +inspired non-XML syntax but supports inline expressions and an optional +sandboxed environment. + +%prep +%autosetup -p1 -n Jinja2-%{version} +dos2unix LICENSE.rst # Fix wrong EOL encoding + +%build +%python_build + +%install +%python_install +%python_expand %fdupes %{buildroot}%{$python_sitelib} + +%check +%if %{with test} +%pytest -W ignore:'Support for nose tests is deprecated' +%endif + +%files %{python_files} +%license LICENSE.rst +%doc README.rst CHANGES.rst artwork examples +%{python_sitelib}/jinja2 +%{python_sitelib}/Jinja2-%{version}-py%{python_version}.egg-info + +%changelog