diff --git a/CVE-2024-4340.patch b/CVE-2024-4340.patch index 74652f2718d0142ff932cf83a0d91e96877190ad..83d7e660f8d331f30c674ae4cc5675141e1265d9 100644 --- a/CVE-2024-4340.patch +++ b/CVE-2024-4340.patch @@ -3,15 +3,30 @@ From: Andi Albrecht Date: Sat, 13 Apr 2024 13:59:00 +0200 Subject: [PATCH] Raise SQLParseError instead of RecursionError. -Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 - --- + CHANGELOG | 5 +++++ sqlparse/sql.py | 14 +++++++++----- - tests/test_regressions.py | 14 ++++++++++++++ - 2 files changed, 23 insertions(+), 5 deletions(-) + tests/test_regressions.py | 17 ++++++++++++++++- + 3 files changed, 30 insertions(+), 6 deletions(-) +diff --git a/CHANGELOG b/CHANGELOG +index 4e98e7f..6c442c0 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -5,6 +5,11 @@ Notable Changes + + * Drop support for Python 3.5, 3.6, and 3.7. + * Python 3.12 is now supported (pr725, by hugovk). ++* IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion ++ error for deeply nested statements. Instead of recursion error a generic ++ SQLParseError is raised. See the security advisory for details: ++ https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg ++ The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting! + + Enhancements: + diff --git a/sqlparse/sql.py b/sqlparse/sql.py -index 1ccfbdb..2090621 100644 +index 05e1774..bd5f35b 100644 --- a/sqlparse/sql.py +++ b/sqlparse/sql.py @@ -10,6 +10,7 @@ @@ -43,23 +58,29 @@ index 1ccfbdb..2090621 100644 def get_sublists(self): for token in self.tokens: diff --git a/tests/test_regressions.py b/tests/test_regressions.py -index bc8b7dd..33162f1 100644 +index 29cb502..1edd3da 100644 --- a/tests/test_regressions.py 
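Review bot: The rebased hunk turns the 0.4.4 backport into the verbatim upstream commit, including its CHANGELOG entry under the 0.5.0 "Notable Changes" heading, which indicates the sqlparse-0.5.0 tarball added by this change already ships the CVE-2024-4340 fix (GHSA-2m57-hf25-phgg lists 0.5.0 as the fixed release). If python-sqlparse.spec still applies this patch — its Patch/%patch lines are outside the hunks shown — the refreshed patch is redundant at best and will fail to apply at worst; the cleaner change is to drop CVE-2024-4340.patch and record `- Drop CVE-2024-4340.patch, fix included upstream in 0.5.0` in the spec %changelog so the CVE coverage stays auditable. The same applies to the patch's other two hunks (@@ -43,23 +58,29 @@ and @@ -73,5 +94,5 @@), which only refresh inner index hashes and context. The removed `Origin:` line is the only provenance for the backport; if the patch is kept at all, that line should be retained.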
+++ b/tests/test_regressions.py -@@ -1,7 +1,9 @@ - import pytest +@@ -1,9 +1,11 @@ + import copy +import sys + import pytest + import sqlparse from sqlparse import sql, tokens as T +from sqlparse.exceptions import SQLParseError def test_issue9(): -@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632(): - baz AS () - SELECT * FROM baz;""") - assert p.get_type() == "SELECT" +@@ -449,4 +451,17 @@ def test_copy_issue672(): + def test_primary_key_issue740(): + p = sqlparse.parse('PRIMARY KEY')[0] + assert len(p.tokens) == 1 +- assert p.tokens[0].ttype == T.Keyword +\ No newline at end of file ++ assert p.tokens[0].ttype == T.Keyword ++ + +@pytest.fixture +def limit_recursion(): @@ -73,5 +94,5 @@ index bc8b7dd..33162f1 100644 + with pytest.raises(SQLParseError): + sqlparse.parse('[' * 100 + ']' * 100) -- -2.33.0 +2.9.3.windows.1 diff --git a/python-sqlparse.spec b/python-sqlparse.spec index e4134365e0414fb16ff052c4d00ad595fe063d8f..5da48b069be203a07b03f2d04b4b348622b49eae 100644 --- a/python-sqlparse.spec +++ b/python-sqlparse.spec @@ -2,7 +2,7 @@ %global shortname sqlparse Name: python-sqlparse -Version: 0.4.4 +Version: 0.5.0 Release: 2 Summary: A non-validating SQL parser. License: BSD-3-Clause @@ -49,6 +49,12 @@ A non-validating SQL parser. %{_bindir}/sqlformat %changelog +* Fri May 31 2024 wuzhaomin - 0.5.0-1 +- Update package to version 0.5.0 +- Fix Function.get_parameters(), add Funtion.get_window() +- Fix parsing of PRIMARY KEY (fixes #740). +- Add option to remove trailing semicolon when splitting (fixes #742). + * Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.4-2 - Fix CVE-2024-4340 diff --git a/sqlparse-0.4.4.tar.gz b/sqlparse-0.4.4.tar.gz deleted file mode 100644 index 03e1c3f053c3425dc5d4f54bfa0a661b1076f08c..0000000000000000000000000000000000000000 Binary files a/sqlparse-0.4.4.tar.gz and /dev/null differ 
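Review bot: `Release: 2` is kept as an unchanged context line in the first spec hunk while the new %changelog entry is tagged `0.5.0-1`, so the built NVR will be python-sqlparse-0.5.0-2 and will not match the changelog; a version bump should reset the release, i.e. `-Release: 2` / `+Release: 1` (or the entry should be labelled 0.5.0-2). The new changelog entry also does not say what happened to CVE-2024-4340.patch, which the previous entry introduced and which the 0.5.0 upstream release already contains; a line such as `- Drop CVE-2024-4340.patch, fixed upstream in 0.5.0` would let a reviewer confirm the CVE remains covered after the update. Minor: `Funtion.get_window()` in the new entry is a typo for `Function.get_window()`.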
diff --git a/sqlparse-0.5.0.tar.gz b/sqlparse-0.5.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..34aaee1be8314f6173e5bbf638480bda4a2bd222
Binary files /dev/null and b/sqlparse-0.5.0.tar.gz differ