packages/python-sqlparse
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-30608

Browse Source
This commit is contained in:
wk333 2023-05-04 11:32:02 +08:00
parent 9b6acfb1b2
commit b5b92f45df
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
CVE-2023-30608.patch Normal file
View File

@ -0,0 +1,49 @@
From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Mon, 20 Mar 2023 08:33:46 +0100
Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
The regex tried to deal with situations where escaping in the
SQL to be parsed was suspicious.
From : https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
---
sqlparse/keywords.py | 4 ++--
tests/test_split.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sqlparse/keywords.py b/sqlparse/keywords.py
index 9c37e50..2017b6c 100644
--- a/sqlparse/keywords.py
+++ b/sqlparse/keywords.py
@@ -67,9 +67,9 @@ SQL_REGEX = {
(r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])',
tokens.Number.Float),
(r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
+ (r"'(''|\\'|[^'])*'", tokens.String.Single),
# not a real string literal in ANSI SQL:
- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
+ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
(r'(""|".*?[^\\]")', tokens.String.Symbol),
# sqlite names can be escaped with [square brackets]. left bracket
# cannot be preceded by word character or a right bracket --
diff --git a/tests/test_split.py b/tests/test_split.py
index a93e3d4..bcc96cf 100644
--- a/tests/test_split.py
+++ b/tests/test_split.py
@@ -20,8 +20,8 @@ def test_split_semicolon():
def test_split_backslash():
- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
- assert len(stmts) == 3
+ stmts = sqlparse.parse("select '\'; select '\'';")
+ assert len(stmts) == 2
@pytest.mark.parametrize('fn', ['function.sql',
--
2.33.0

6
python-sqlparse.spec
View File

@ -1,11 +1,12 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-sqlparse Name: python-sqlparse
Version: 0.4.2 Version: 0.4.2
Release: 1 Release: 2
Summary: A non-validating SQL parser. Summary: A non-validating SQL parser.
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/andialbrecht/sqlparse URL: https://github.com/andialbrecht/sqlparse
Source0: https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz Source0: https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz
Patch001: CVE-2023-30608.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2
- Fix CVE-2023-30608
* Tue Oct 25 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.2-1 * Tue Oct 25 2022 yaoxin <yaoxin30@h-partners.com> - 0.4.2-1
- Upgrade to 0.4.2 - Upgrade to 0.4.2