From 24282699ba9bbd0e44fe40bea2a3e2faafbe9c0e Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 6 May 2024 10:33:44 +0800 Subject: [PATCH] Fix CVE-2024-4340 (cherry picked from commit 4ae2a68930cc0a60f8f112334cde75956dd89da2) --- CVE-2024-4340.patch | 77 ++++++++++++++++++++++++++++++++++++++++++++ python-sqlparse.spec | 6 +++- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-4340.patch diff --git a/CVE-2024-4340.patch b/CVE-2024-4340.patch new file mode 100644 index 0000000..1d07aec --- /dev/null +++ b/CVE-2024-4340.patch @@ -0,0 +1,77 @@ +From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001 +From: Andi Albrecht +Date: Sat, 13 Apr 2024 13:59:00 +0200 +Subject: [PATCH] Raise SQLParseError instead of RecursionError. + +Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 + +--- + sqlparse/sql.py | 14 +++++++++----- + tests/test_regressions.py | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 5 deletions(-) + +diff --git a/sqlparse/sql.py b/sqlparse/sql.py +index 1ccfbdb..2090621 100644 +--- a/sqlparse/sql.py ++++ b/sqlparse/sql.py +@@ -10,6 +10,7 @@ + import re + + from sqlparse import tokens as T ++from sqlparse.exceptions import SQLParseError + from sqlparse.utils import imt, remove_quotes + + +@@ -209,11 +210,14 @@ class TokenList(Token): + + This method is recursively called for all child tokens. + """ +- for token in self.tokens: +- if token.is_group: +- yield from token.flatten() +- else: +- yield token ++ try: ++ for token in self.tokens: ++ if token.is_group: ++ yield from token.flatten() ++ else: ++ yield token ++ except RecursionError as err: ++ raise SQLParseError('Maximum recursion depth exceeded') from err + + def get_sublists(self): + for token in self.tokens: +diff --git a/tests/test_regressions.py b/tests/test_regressions.py +index bc8b7dd..33162f1 100644 +--- a/tests/test_regressions.py ++++ b/tests/test_regressions.py +@@ -1,7 +1,9 @@ + import pytest ++import sys + + import sqlparse + from sqlparse import sql, tokens as T ++from sqlparse.exceptions import SQLParseError + + + def test_issue9(): +@@ -436,3 +438,15 @@ def test_splitting_at_and_backticks_issue588(): + 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;') + assert len(splitted) == 2 + assert splitted[-1] == 'grant bar to user1@`myhost`;' ++ ++@pytest.fixture ++def limit_recursion(): ++ curr_limit = sys.getrecursionlimit() ++ sys.setrecursionlimit(80) ++ yield ++ sys.setrecursionlimit(curr_limit) ++ ++ ++def test_max_recursion(limit_recursion): ++ with pytest.raises(SQLParseError): ++ sqlparse.parse('[' * 100 + ']' * 100) +-- +2.33.0 + diff --git a/python-sqlparse.spec b/python-sqlparse.spec index 6a67a16..3890412 100644 --- a/python-sqlparse.spec +++ b/python-sqlparse.spec @@ -1,12 +1,13 @@ %global _empty_manifest_terminate_build 0 Name: python-sqlparse Version: 0.4.2 -Release: 2 +Release: 3 Summary: A non-validating SQL parser. License: BSD-3-Clause URL: https://github.com/andialbrecht/sqlparse Source0: https://files.pythonhosted.org/packages/32/fe/8a8575debfd924c8160295686a7ea661107fc34d831429cce212b6442edb/sqlparse-0.4.2.tar.gz Patch001: CVE-2023-30608.patch +Patch002: CVE-2024-4340.patch BuildArch: noarch %description @@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.2-3 +- Fix CVE-2024-4340 + * Thu May 04 2023 wangkai <13474090681@163.com> - 0.4.2-2 - Fix CVE-2023-30608 -- Gitee