lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <87v87yk3xg.fsf@meer.lwn.net>
Date: Fri, 12 Jan 2024 07:43:39 -0700
From: Jonathan Corbet <corbet@....net>
To: Linus Torvalds <torvalds@...uxfoundation.org>
Cc: linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, Akira Yokosawa
 <akiyks@...il.com>
Subject: Re: [GIT PULL] Documentation for 6.8

[Adding Akira]

Linus Torvalds <torvalds@...uxfoundation.org> writes:

> On Mon, 8 Jan 2024 at 10:59, Jonathan Corbet <corbet@....net> wrote:
>>
>> - The minimum Sphinx requirement has been raised to 2.4.4, following a
>>   warning that was added in 6.2.
>
> Well, speaking of warnings, github now has this "dependabot" thing
> that warns about bad minimum requirements due to tooling that has
> security issues.
>
> And it warns about our "jinja2 < 3.1" requirement, because apparently
> that can cause issues:
>
>   "The xmlattr filter in affected versions of Jinja accepts keys
> containing spaces. XML/HTML attributes cannot contain spaces, as each
> would then be interpreted as a separate attribute. If an application
> accepts keys (as opposed to only values) as user input, and renders
> these in pages that other users see as well, an attacker could use
> this to inject other attributes and perform XSS. Note that accepting
> keys as user input is not common or a particularly intended use case
> of the xmlattr filter, and an application doing so should already be
> verifying what keys are provided regardless of this fix"
>
> with affected versions being marked as < 3.1.3 and fixed in Jinja2 3.1.3
>
> I'm ignoring this github dependabot warning since the issue seems to
> be rather irrelevant for our doc use, but I thought I'd mention it.

I suppose it is worth looking into this, just in case a hostile docs
patch that nobody catches might somehow cause an exploit to show up on
docs.kernel.org.  Seems unlikely but it would be good to be sure.

Akira (CC'd) noted, in adding that requirement, that newer jinja2 breaks
Sphinx prior to 4.8.  I've been thinking that supporting 2.x is going to
prove increasingly unsustainable, but raising our minimum to 4.8 would
surely make some people unhappy.

I like the Python ecosystem for a lot of things, but its approach to API
compatibility is ... not great.

jon
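The attribute-key injection that the advisory quoted above describes, as an added example that is not part of this thread and not Jinja2's own code: a stand-alone re-implementation of the filter's shape (escape keys and values, join them as name="value" pairs), fed a constructed attacker-controlled key, with the stdlib HTML parser showing which attributes a parser actually ends up seeing. The allowlist in is_safe_key() is this example's own choice for the hardened variant, not the upstream patch.

```python
"""Constructed demonstration of xmlattr key injection: attribute *values*
are escaped, attribute *keys* are never validated, so a key containing
spaces is emitted verbatim and splits into several attributes.

Stand-alone re-implementation of the behaviour described in the advisory,
not Jinja2's code. The allowlist in is_safe_key() is this example's choice.
"""
import html
import re
from html.parser import HTMLParser

# Constructed attacker input: a single dict key that a template hands to
# the filter. It contains spaces, so it becomes three attributes on output.
ATTACKER_KEY = "class onmouseover=alert(1) data-x"


def xmlattr_unchecked(attrs):
    """Pre-fix shape: escape key and value, join as name="value" pairs.
    html.escape() encodes & < > " ' but leaves spaces and '=' untouched,
    so nothing constrains a key to being a single attribute name."""
    return " ".join(
        f'{html.escape(str(k))}="{html.escape(str(v))}"'
        for k, v in attrs.items()
        if v is not None
    )


# Example's own allowlist for an attribute name: a letter, '_' or ':'
# followed by letters, digits, '_', ':', '.' or '-'. Whitespace, '=', '/',
# '>' and quotes can never match.
_ATTR_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*")


def is_safe_key(key):
    """True if key is exactly one well-formed attribute name."""
    return _ATTR_NAME.fullmatch(str(key)) is not None


def xmlattr_checked(attrs):
    """Hardened variant: refuse any key that is not a single attribute
    name before rendering, instead of escaping and hoping."""
    for k in attrs:
        if not is_safe_key(k):
            raise ValueError(f"invalid attribute name: {k!r}")
    return xmlattr_unchecked(attrs)


def parse_attributes(rendered):
    """Wrap the rendered attribute string in an <a> tag, feed it to the
    stdlib HTML parser and return the attributes the parser saw."""
    class Collector(HTMLParser):
        def __init__(self):
            super().__init__()
            self.seen = {}

        def handle_starttag(self, tag, attrs):
            self.seen = dict(attrs)

    collector = Collector()
    collector.feed(f"<a {rendered}></a>")
    collector.close()
    return collector.seen


if __name__ == "__main__":
    # Key injection: the user-controlled key turns into an event handler.
    bad = xmlattr_unchecked({"href": "/profile", ATTACKER_KEY: "ok"})
    print(bad)
    print(parse_attributes(bad))
    # The same payload placed in a *value* is neutralised by escaping and
    # stays one attribute, which is why the advisory singles out keys.
    val = xmlattr_unchecked({"class": 'x" onmouseover="alert(1)'})
    print(val)
    print(parse_attributes(val))
    # The hardened filter rejects the key outright.
    try:
        xmlattr_checked({ATTACKER_KEY: "ok"})
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script it prints the rendered fragment for each case; the parsed dictionaries make the difference visible: the key case yields a separate onmouseover attribute with value alert(1), while the value case yields a single class attribute whose value merely contains the text of the payload. For a doc build the practical question is the one the thread raises: whether any template passes keys (as opposed to values) that originate from untrusted input, since escaping alone does not cover that path.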
