From 042ae6dbcbbdee8bf34e0aaf778051b03cb868d1 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 6 May 2024 14:36:22 +0800 Subject: [PATCH] Fix CVE-2024-4340 (cherry picked from commit f6453a6d0fb7b8a6afb4dabddc925c3c22193e8e) --- CVE-2024-4340.patch | 81 ++++++++++++++++++++++++++++++++++++++++++++ python-sqlparse.spec | 6 +++- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-4340.patch diff --git a/CVE-2024-4340.patch b/CVE-2024-4340.patch new file mode 100644 index 0000000..595e659 --- /dev/null +++ b/CVE-2024-4340.patch @@ -0,0 +1,81 @@ +From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001 +From: Andi Albrecht +Date: Sat, 13 Apr 2024 13:59:00 +0200 +Subject: [PATCH] Raise SQLParseError instead of RecursionError. + +Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 + +--- + sqlparse/sql.py | 15 +++++++++------ + tests/test_regressions.py | 14 ++++++++++++++ + 2 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/sqlparse/sql.py b/sqlparse/sql.py +index a942bcd..84ed1c2 100644 +--- a/sqlparse/sql.py ++++ b/sqlparse/sql.py +@@ -12,6 +12,7 @@ from __future__ import print_function + import re + + from sqlparse import tokens as T ++from sqlparse.exceptions import SQLParseError + from sqlparse.compat import string_types, text_type, unicode_compatible + from sqlparse.utils import imt, remove_quotes + +@@ -214,12 +215,14 @@ class TokenList(Token): + + This method is recursively called for all child tokens. + """ +- for token in self.tokens: +- if token.is_group: +- for item in token.flatten(): +- yield item +- else: +- yield token ++ try: ++ for token in self.tokens: ++ if token.is_group: ++ yield from token.flatten() ++ else: ++ yield token ++ except RecursionError as err: ++ raise SQLParseError('Maximum recursion depth exceeded') from err + + def get_sublists(self): + for token in self.tokens: +diff --git a/tests/test_regressions.py b/tests/test_regressions.py +index 2ed0ff3..0f843b6 100644 +--- a/tests/test_regressions.py ++++ b/tests/test_regressions.py +@@ -1,10 +1,12 @@ + # -*- coding: utf-8 -*- + + import pytest ++import sys + + import sqlparse + from sqlparse import sql, tokens as T + from sqlparse.compat import PY2 ++from sqlparse.exceptions import SQLParseError + + + def test_issue9(): +@@ -406,3 +408,15 @@ def test_issue489_tzcasts(): + p = sqlparse.parse('select bar at time zone \'UTC\' as foo')[0] + assert p.tokens[-1].has_alias() is True + assert p.tokens[-1].get_alias() == 'foo' ++ ++@pytest.fixture ++def limit_recursion(): ++ curr_limit = sys.getrecursionlimit() ++ sys.setrecursionlimit(70) ++ yield ++ sys.setrecursionlimit(curr_limit) ++ ++ ++def test_max_recursion(limit_recursion): ++ with pytest.raises(SQLParseError): ++ sqlparse.parse('[' * 100 + ']' * 100) +-- +2.33.0 + diff --git a/python-sqlparse.spec b/python-sqlparse.spec index 31a34bd..ada0675 100644 --- a/python-sqlparse.spec +++ b/python-sqlparse.spec @@ -1,12 +1,13 @@ %global _empty_manifest_terminate_build 0 Name: python-sqlparse Version: 0.3.1 -Release: 2 +Release: 3 Summary: Non-validating SQL parser License: BSD URL: https://github.com/andialbrecht/sqlparse Source0: https://files.pythonhosted.org/packages/67/4b/253b6902c1526885af6d361ca8c6b1400292e649f0e9c95ee0d2e8ec8681/sqlparse-0.3.1.tar.gz Patch0: CVE-2023-30608.patch +Patch1: CVE-2024-4340.patch BuildArch: noarch @@ -74,6 +75,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon May 06 2024 wangkai <13474090681@163.com> - 0.3.1-3 +- Fix CVE-2024-4340 + * Thu May 04 2023 wangkai <13474090681@163.com> - 0.3.1-2 - Fix CVE-2023-30608 -- Gitee