packages/python-sqlparse
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-4340

Browse Source
This commit is contained in:
wk333 2024-05-06 14:36:22 +08:00
parent 0807f72070
commit f6453a6d0f
2 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
CVE-2024-4340.patch Normal file
View File

@ -0,0 +1,81 @@
From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Sat, 13 Apr 2024 13:59:00 +0200
Subject: [PATCH] Raise SQLParseError instead of RecursionError.
Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
---
sqlparse/sql.py | 15 +++++++++------
tests/test_regressions.py | 14 ++++++++++++++
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/sqlparse/sql.py b/sqlparse/sql.py
index a942bcd..84ed1c2 100644
--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
@@ -12,6 +12,7 @@ from __future__ import print_function
import re
from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
from sqlparse.compat import string_types, text_type, unicode_compatible
from sqlparse.utils import imt, remove_quotes
@@ -214,12 +215,14 @@ class TokenList(Token):
This method is recursively called for all child tokens.
"""
- for token in self.tokens:
- if token.is_group:
- for item in token.flatten():
- yield item
- else:
- yield token
+ try:
+ for token in self.tokens:
+ if token.is_group:
+ yield from token.flatten()
+ else:
+ yield token
+ except RecursionError as err:
+ raise SQLParseError('Maximum recursion depth exceeded') from err
def get_sublists(self):
for token in self.tokens:
diff --git a/tests/test_regressions.py b/tests/test_regressions.py
index 2ed0ff3..0f843b6 100644
--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
@@ -1,10 +1,12 @@
# -*- coding: utf-8 -*-
import pytest
+import sys
import sqlparse
from sqlparse import sql, tokens as T
from sqlparse.compat import PY2
+from sqlparse.exceptions import SQLParseError
def test_issue9():
@@ -406,3 +408,15 @@ def test_issue489_tzcasts():
p = sqlparse.parse('select bar at time zone \'UTC\' as foo')[0]
assert p.tokens[-1].has_alias() is True
assert p.tokens[-1].get_alias() == 'foo'
+
+@pytest.fixture
+def limit_recursion():
+ curr_limit = sys.getrecursionlimit()
+ sys.setrecursionlimit(70)
+ yield
+ sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+ with pytest.raises(SQLParseError):
+ sqlparse.parse('[' * 100 + ']' * 100)
--
2.33.0

6
python-sqlparse.spec
View File

@ -1,12 +1,13 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-sqlparse Name: python-sqlparse
Version: 0.3.1 Version: 0.3.1
Release: 2 Release: 3
Summary: Non-validating SQL parser Summary: Non-validating SQL parser
License: BSD License: BSD
URL: https://github.com/andialbrecht/sqlparse URL: https://github.com/andialbrecht/sqlparse
Source0: https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz Source0: https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz
Patch0: CVE-2023-30608.patch Patch0: CVE-2023-30608.patch
Patch1: CVE-2024-4340.patch
BuildArch: noarch BuildArch: noarch
@ -74,6 +75,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Mon May 06 2024 wangkai <13474090681@163.com> - 0.3.1-3
- Fix CVE-2024-4340
* Thu May 04 2023 wangkai <13474090681@163.com> - 0.3.1-2 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.3.1-2
- Fix CVE-2023-30608 - Fix CVE-2023-30608