Fix CVE-2023-30608

2023-05-04 11:32:02 +08:00 · 2023-05-04 11:32:02 +08:00 · b5b92f45df
commit b5b92f45df
parent 9b6acfb1b2
2 changed files with 54 additions and 1 deletions
--- a/CVE-2023-30608.patch
+++ b/CVE-2023-30608.patch
@ -0,0 +1,49 @@
+From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Mon, 20 Mar 2023 08:33:46 +0100
+Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
+
+The regex tried to deal with situations where escaping in the
+SQL to be parsed was suspicious.
+
+From : https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
+
+---
+ sqlparse/keywords.py | 4 ++--
+ tests/test_split.py  | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
+index 9c37e50..2017b6c 100644
+--- a/sqlparse/keywords.py
+++ b/sqlparse/keywords.py
+@@ -67,9 +67,9 @@ SQL_REGEX = {
+         (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
+          tokens.Number.Float),
+         (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
+-        (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
+        (r"'(''|\\'|[^'])*'", tokens.String.Single),
+         # not a real string literal in ANSI SQL:
+-        (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
+        (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
+         (r'(""|".*?[^\\]")', tokens.String.Symbol),
+         # sqlite names can be escaped with [square brackets]. left bracket
+         # cannot be preceded by word character or a right bracket --
+diff --git a/tests/test_split.py b/tests/test_split.py
+index a93e3d4..bcc96cf 100644
+--- a/tests/test_split.py
+++ b/tests/test_split.py
+@@ -20,8 +20,8 @@ def test_split_semicolon():
+ 
+ 
+ def test_split_backslash():
+-    stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
+-    assert len(stmts) == 3
+    stmts = sqlparse.parse("select '\'; select '\'';")
+    assert len(stmts) == 2
+ 
+ 
+ @pytest.mark.parametrize('fn', ['function.sql',
+-- 
+2.33.0
+
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-sqlparse
 Version:        0.4.2
-Release:        1
+Release:        2
 Summary:        A non-validating SQL parser.
 License:        BSD-3-Clause
 URL:            https://github.com/andialbrecht/sqlparse
 Source0:        https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz
+Patch001:       CVE-2023-30608.patch
 BuildArch:      noarch

 %description
@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2
+- Fix CVE-2023-30608
+
 * Tue Oct 25 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.2-1
 - Upgrade to 0.4.2