From 7ff7fe0b9b2dd806e08d75cb53e6214fd708f987 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Mon, 11 Oct 2021 16:53:22 +0800
Subject: [PATCH] fix CVE-2021-32839
---
 CVE-2021-32839.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++
 python-sqlparse.spec | 8 +++++--
 2 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2021-32839.patch
diff --git a/CVE-2021-32839.patch b/CVE-2021-32839.patch
new file mode 100644
index 0000000..9a2282a
--- /dev/null
+++ b/CVE-2021-32839.patch
@@ -0,0 +1,55 @@
+From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht
+Date: Tue, 7 Sep 2021 12:27:28 +0200
+Subject: [PATCH] Optimize regular expression for identifying line breaks in
+ comments.
+
+---
+ sqlparse/filters/others.py | 5 ++++-
+ tests/test_format.py | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py
+index e0e1ca19..6905f2d6 100644
+--- a/sqlparse/filters/others.py
++++ b/sqlparse/filters/others.py
+@@ -22,7 +22,10 @@ def get_next_comment():
+ def _get_insert_token(token):
+ """Returns either a whitespace or the line breaks from token."""
+ # See issue484 why line breaks should be preserved.
+- m = re.search(r'((\r\n|\r|\n)+) *$', token.value)
++ # Note: The actual value for a line break is replaced by \n
++ # in SerializerUnicode which will be executed in the
++ # postprocessing state.
++ m = re.search(r'((\r|\n)+) *$', token.value)
+ if m is not None:
+ return sql.Token(T.Whitespace.Newline, m.groups()[0])
+ else:
+diff --git a/tests/test_format.py b/tests/test_format.py
+index 7117d9d6..70bb8055 100644
+--- a/tests/test_format.py
++++ b/tests/test_format.py
+@@ -84,6 +84,23 @@ def test_strip_comments_multi(self):
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select (select 2)'
+
++ def test_strip_comments_preserves_linebreak(self):
++ sql = 'select * -- a comment\r\nfrom foo'
++ res = sqlparse.format(sql, strip_comments=True)
++ assert res == 'select *\nfrom foo'
++ sql = 'select * -- a comment\nfrom foo'
++ res = sqlparse.format(sql, strip_comments=True)
++ assert res == 'select *\nfrom foo'
++ sql = 'select * -- a comment\rfrom foo'
++ res = sqlparse.format(sql, strip_comments=True)
++ assert res == 'select *\nfrom foo'
++ sql = 'select * -- a comment\r\n\r\nfrom foo'
++ res = sqlparse.format(sql, strip_comments=True)
++ assert res == 'select *\n\nfrom foo'
++ sql = 'select * -- a comment\n\nfrom foo'
++ res = sqlparse.format(sql, strip_comments=True)
++ assert res == 'select *\n\nfrom foo'
++
+ def test_strip_ws(self):
+ f = lambda sql: sqlparse.format(sql, strip_whitespace=True)
+ s = 'select\n* from foo\n\twhere ( 1 = 2 )\n'
diff --git a/python-sqlparse.spec b/python-sqlparse.spec
index 1ac2814..936a7b1 100644
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@@ -1,12 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name: python-sqlparse
 Version: 0.3.1
-Release: 1
+Release: 2
 Summary: Non-validating SQL parser
 License: BSD
 URL: https://github.com/andialbrecht/sqlparse
 Source0: https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz
 BuildArch: noarch
+Patch0001: CVE-2021-32839.patch
 %description
@@ -33,7 +34,7 @@ It provides support for parsing, splitting and formatting SQL statements.
 %prep
-%autosetup -n sqlparse-0.3.1
+%autosetup -n sqlparse-0.3.1 -p1
 %build
 %py3_build
@@ -73,5 +74,8 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Mon Oct 11 2021 houyingchao 0.3.1-2
+- Fix CVE-2021-32839
+
 * Sun Jul 12 2020 Python_Bot
 - Package Spec generated
-- Gitee
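Review bot: The regression test carried in the nested patch, `test_strip_comments_preserves_linebreak`, only exercises short, well-formed inputs, so it pins the line-break-preserving output of `_get_insert_token` but not the property the fix exists for: every case here would still pass if the alternation were ever restored to the ambiguous `(\r\n|\r|\n)+` form, since the upstream subject line's "optimize" presumably refers to backtracking that only shows on long runs of repeated `\r\n` pairs. Consider adding one local case that formats a comment ending in many repeated line-break pairs followed by a non-newline character and asserts it completes within a bounded time, so a future regex edit cannot silently reintroduce the issue. Because this file is a vendored copy of upstream commit 8238a9e450ed1524e40cb3a8b0b3c00606903aeb, that case would belong in a separate packaging-side test rather than inside the upstream hunk.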
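Review bot: `%autosetup -n sqlparse-0.3.1 -p1` applies the whole vendored patch, including its `tests/test_format.py` hunk, but no `%check` section is visible in these hunks, so this diff alone cannot confirm that the added upstream test is ever run at build time. If the spec has no `%check`, consider adding one that runs the package's test suite so the CVE-2021-32839 fix is exercised on every rebuild rather than only carried as source. The `Release: 2` bump, `Patch0001` tag and changelog entry are consistent with each other.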