Fix CVE-2024-4340

2024-05-06 10:33:44 +08:00 · 2024-05-06 10:33:44 +08:00 · 4ae2a68930
commit 4ae2a68930
parent d993816638
2 changed files with 82 additions and 1 deletions
--- a/CVE-2024-4340.patch
+++ b/CVE-2024-4340.patch
@ -0,0 +1,77 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+
+---
+ sqlparse/sql.py           | 14 +++++++++-----
+ tests/test_regressions.py | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index 1ccfbdb..2090621 100644
+--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
+@@ -10,6 +10,7 @@
+ import re
+ 
+ from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
+ from sqlparse.utils import imt, remove_quotes
+ 
+ 
+@@ -209,11 +210,14 @@ class TokenList(Token):
+ 
+         This method is recursively called for all child tokens.
+         """
+-        for token in self.tokens:
+-            if token.is_group:
+-                yield from token.flatten()
+-            else:
+-                yield token
+        try:
+            for token in self.tokens:
+                if token.is_group:
+                    yield from token.flatten()
+                else:
+                    yield token
+        except RecursionError as err:
+            raise SQLParseError('Maximum recursion depth exceeded') from err
+ 
+     def get_sublists(self):
+         for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index bc8b7dd..33162f1 100644
+--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
+@@ -1,7 +1,9 @@
+ import pytest
+import sys
+ 
+ import sqlparse
+ from sqlparse import sql, tokens as T
+from sqlparse.exceptions import SQLParseError
+ 
+ 
+ def test_issue9():
+@@ -436,3 +438,15 @@ def test_splitting_at_and_backticks_issue588():
+         'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
+     assert len(splitted) == 2
+     assert splitted[-1] == 'grant bar to user1@`myhost`;'
+
+@pytest.fixture
+def limit_recursion():
+    curr_limit = sys.getrecursionlimit()
+    sys.setrecursionlimit(80)
+    yield
+    sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+    with pytest.raises(SQLParseError):
+        sqlparse.parse('[' * 100 + ']' * 100)
+-- 
+2.33.0
+
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@ -1,12 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-sqlparse
 Version:        0.4.2
-Release:        2
+Release:        3
 Summary:        A non-validating SQL parser.
 License:        BSD-3-Clause
 URL:            https://github.com/andialbrecht/sqlparse
 Source0:        https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz
 Patch001:       CVE-2023-30608.patch
+Patch002:       CVE-2024-4340.patch
 BuildArch:      noarch

 %description
@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.2-3
+- Fix CVE-2024-4340
+
 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2
 - Fix CVE-2023-30608