Fix CVE-2024-4340

2024-05-06 14:36:22 +08:00 · 2024-05-06 14:36:22 +08:00 · f6453a6d0f
commit f6453a6d0f
parent 0807f72070
2 changed files with 86 additions and 1 deletions
--- a/CVE-2024-4340.patch
+++ b/CVE-2024-4340.patch
@ -0,0 +1,81 @@
+From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Sat, 13 Apr 2024 13:59:00 +0200
+Subject: [PATCH] Raise SQLParseError instead of RecursionError.
+
+Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
+
+---
+ sqlparse/sql.py           | 15 +++++++++------
+ tests/test_regressions.py | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/sqlparse/sql.py b/sqlparse/sql.py
+index a942bcd..84ed1c2 100644
+--- a/sqlparse/sql.py
+++ b/sqlparse/sql.py
+@@ -12,6 +12,7 @@ from __future__ import print_function
+ import re
+ 
+ from sqlparse import tokens as T
+from sqlparse.exceptions import SQLParseError
+ from sqlparse.compat import string_types, text_type, unicode_compatible
+ from sqlparse.utils import imt, remove_quotes
+ 
+@@ -214,12 +215,14 @@ class TokenList(Token):
+ 
+         This method is recursively called for all child tokens.
+         """
+-        for token in self.tokens:
+-            if token.is_group:
+-                for item in token.flatten():
+-                    yield item
+-            else:
+-                yield token
+        try:
+            for token in self.tokens:
+                if token.is_group:
+                    yield from token.flatten()
+                else:
+                    yield token
+        except RecursionError as err:
+            raise SQLParseError('Maximum recursion depth exceeded') from err
+ 
+     def get_sublists(self):
+         for token in self.tokens:
+diff --git a/tests/test_regressions.py b/tests/test_regressions.py
+index 2ed0ff3..0f843b6 100644
+--- a/tests/test_regressions.py
+++ b/tests/test_regressions.py
+@@ -1,10 +1,12 @@
+ # -*- coding: utf-8 -*-
+ 
+ import pytest
+import sys
+ 
+ import sqlparse
+ from sqlparse import sql, tokens as T
+ from sqlparse.compat import PY2
+from sqlparse.exceptions import SQLParseError
+ 
+ 
+ def test_issue9():
+@@ -406,3 +408,15 @@ def test_issue489_tzcasts():
+     p = sqlparse.parse('select bar at time zone \'UTC\' as foo')[0]
+     assert p.tokens[-1].has_alias() is True
+     assert p.tokens[-1].get_alias() == 'foo'
+
+@pytest.fixture
+def limit_recursion():
+    curr_limit = sys.getrecursionlimit()
+    sys.setrecursionlimit(70)
+    yield
+    sys.setrecursionlimit(curr_limit)
+
+
+def test_max_recursion(limit_recursion):
+    with pytest.raises(SQLParseError):
+        sqlparse.parse('[' * 100 + ']' * 100)
+-- 
+2.33.0
+
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@ -1,12 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-sqlparse
 Version:	0.3.1
-Release:	2
+Release:	3
 Summary:	Non-validating SQL parser
 License:	BSD
 URL:		https://github.com/andialbrecht/sqlparse
 Source0:	https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz
 Patch0: 	CVE-2023-30608.patch
+Patch1: 	CVE-2024-4340.patch
 BuildArch:	noarch


@ -74,6 +75,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon May 06 2024 wangkai <13474090681@163.com> - 0.3.1-3
+- Fix CVE-2024-4340
+
 * Thu May 04 2023 wangkai <13474090681@163.com> - 0.3.1-2
 - Fix CVE-2023-30608