packages/python-sqlparse
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 Fix CVE-2024-4340

Browse Source 
From: @wk333 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-05-06 07:05:15 +00:00 committed by Gitee
commit 8f734c8a2a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 82 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
CVE-2024-4340.patch Normal file
View File

@ -0,0 +1,77 @@
From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Sat, 13 Apr 2024 13:59:00 +0200
Subject: [PATCH] Raise SQLParseError instead of RecursionError.
Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
---
sqlparse/sql.py | 14 +++++++++-----
tests/test_regressions.py | 14 ++++++++++++++
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/sqlparse/sql.py b/sqlparse/sql.py
index 1ccfbdb..2090621 100644
--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
@@ -10,6 +10,7 @@
import re
from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
from sqlparse.utils import imt, remove_quotes
@@ -209,11 +210,14 @@ class TokenList(Token):
This method is recursively called for all child tokens.
"""
- for token in self.tokens:
- if token.is_group:
- yield from token.flatten()
- else:
- yield token
+ try:
+ for token in self.tokens:
+ if token.is_group:
+ yield from token.flatten()
+ else:
+ yield token
+ except RecursionError as err:
+ raise SQLParseError('Maximum recursion depth exceeded') from err
def get_sublists(self):
for token in self.tokens:
diff --git a/tests/test_regressions.py b/tests/test_regressions.py
index bc8b7dd..33162f1 100644
--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
@@ -1,7 +1,9 @@
import pytest
+import sys
import sqlparse
from sqlparse import sql, tokens as T
+from sqlparse.exceptions import SQLParseError
def test_issue9():
@@ -436,3 +438,15 @@ def test_splitting_at_and_backticks_issue588():
'grant foo to user1@`myhost`; grant bar to user1@`myhost`;')
assert len(splitted) == 2
assert splitted[-1] == 'grant bar to user1@`myhost`;'
+
+@pytest.fixture
+def limit_recursion():
+ curr_limit = sys.getrecursionlimit()
+ sys.setrecursionlimit(80)
+ yield
+ sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+ with pytest.raises(SQLParseError):
+ sqlparse.parse('[' * 100 + ']' * 100)
--
2.33.0

6
python-sqlparse.spec
View File

@ -1,12 +1,13 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-sqlparse Name: python-sqlparse
Version: 0.4.2 Version: 0.4.2
Release: 2 Release: 3
Summary: A non-validating SQL parser. Summary: A non-validating SQL parser.
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/andialbrecht/sqlparse URL: https://github.com/andialbrecht/sqlparse
Source0: https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz Source0: https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz
Patch001: CVE-2023-30608.patch Patch001: CVE-2023-30608.patch
Patch002: CVE-2024-4340.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.2-3
- Fix CVE-2024-4340
* Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2
- Fix CVE-2023-30608 - Fix CVE-2023-30608