| Summary: | dev-python/jinja: server side injection in 'from_string' function | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/JameelNabbo/Jinja2-Code-execution | | |
| Whiteboard: | B2 [upstream] | | |
| Package list: | | Runtime testing required: | --- |
Description
D'juan McDonald (domhnall)
2019-02-18 03:58:55 UTC
Disputed: https://github.com/pallets/jinja/issues/549#issuecomment-187625168

> You should not execute untrusted templates in a non-sandboxed environment. That's exactly why the sandbox exists (and to be honest, even with a sandbox I would not let users provide arbitrary Jinja templates)

Upstream says INVALID.
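The upstream position quoted in the report is that `from_string` on a plain `Environment` is working as designed and that untrusted template text belongs in the sandbox. The following is an added example, written for this page and not taken from the bug report, the linked repository or the Jinja project, that renders the same constructed template string once with `jinja2.Environment` and once with `jinja2.sandbox.SandboxedEnvironment`. The template probes a private (dunder) attribute of a context value, the class of access the sandbox is designed to refuse; the attribute chosen is harmless and the template text is constructed for the example.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample of a user-supplied template string. It reaches into a
# private attribute of a context value, which is what a sandbox should refuse.
UNTRUSTED_TEMPLATE = "Hello {{ who }}, type={{ who.__class__.__name__ }}"


def render_unsandboxed(source: str, **context) -> str:
    """Plain Environment: the template author gets ordinary Python attribute
    access on every value in the context, so the probe succeeds."""
    env = Environment(autoescape=True)
    return env.from_string(source).render(**context)


def render_sandboxed(source: str, **context):
    """SandboxedEnvironment: an attribute starting with '_' resolves to an
    'unsafe' Undefined, and chaining a second lookup through it raises
    SecurityError. Returns None when the sandbox refuses the template so the
    caller can log and reject it instead of rendering partial output."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(source).render(**context)
    except SecurityError:
        return None


if __name__ == "__main__":
    print("unsandboxed:", render_unsandboxed(UNTRUSTED_TEMPLATE, who="alice"))
    print("sandboxed:  ", render_sandboxed(UNTRUSTED_TEMPLATE, who="alice"))
```

Two caveats follow from how the sandbox is built. A single unsafe attribute such as `{{ who.__class__ }}` on its own renders as empty output with the default `Undefined` class rather than raising, so catching `SecurityError` is not a complete filter on its own, and, as the upstream comment quoted above says, the sandbox is a containment layer rather than a reason to accept arbitrary templates from users.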