diff --git a/CVE-2024-4340.patch b/CVE-2024-4340.patch
deleted file mode 100644
index 74652f2718d0142ff932cf83a0d91e96877190ad..0000000000000000000000000000000000000000
--- a/CVE-2024-4340.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From b4a39d9850969b4e1d6940d32094ee0b42a2cf03 Mon Sep 17 00:00:00 2001
-From: Andi Albrecht
-Date: Sat, 13 Apr 2024 13:59:00 +0200
-Subject: [PATCH] Raise SQLParseError instead of RecursionError.
-
-Origin: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
-
---
- sqlparse/sql.py | 14 +++++++++-----
- tests/test_regressions.py | 14 ++++++++++++++
- 2 files changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/sqlparse/sql.py b/sqlparse/sql.py
-index 1ccfbdb..2090621 100644
---- a/sqlparse/sql.py
-+++ b/sqlparse/sql.py
-@@ -10,6 +10,7 @@
- import re
-
- from sqlparse import tokens as T
-+from sqlparse.exceptions import SQLParseError
- from sqlparse.utils import imt, remove_quotes
-
-
-@@ -209,11 +210,14 @@ class TokenList(Token):
-
- This method is recursively called for all child tokens.
- """
-- for token in self.tokens:
-- if token.is_group:
-- yield from token.flatten()
-- else:
-- yield token
-+ try:
-+ for token in self.tokens:
-+ if token.is_group:
-+ yield from token.flatten()
-+ else:
-+ yield token
-+ except RecursionError as err:
-+ raise SQLParseError('Maximum recursion depth exceeded') from err
-
- def get_sublists(self):
- for token in self.tokens:
-diff --git a/tests/test_regressions.py b/tests/test_regressions.py
-index bc8b7dd..33162f1 100644
---- a/tests/test_regressions.py
-+++ b/tests/test_regressions.py
-@@ -1,7 +1,9 @@
- import pytest
-+import sys
-
- import sqlparse
- from sqlparse import sql, tokens as T
-+from sqlparse.exceptions import SQLParseError
-
-
- def test_issue9():
-@@ -436,3 +438,15 @@ def test_comment_between_cte_clauses_issue632():
- baz AS ()
- SELECT * FROM baz;""")
- assert p.get_type() == "SELECT"
-+
-+@pytest.fixture
-+def limit_recursion():
-+ curr_limit = sys.getrecursionlimit()
-+ sys.setrecursionlimit(70)
-+ yield
-+ sys.setrecursionlimit(curr_limit)
-+
-+
-+def test_max_recursion(limit_recursion):
-+ with pytest.raises(SQLParseError):
-+ sqlparse.parse('[' * 100 + ']' * 100)
---
-2.33.0
-
diff --git a/python-sqlparse.spec b/python-sqlparse.spec
index e4134365e0414fb16ff052c4d00ad595fe063d8f..489e33fac87a4c3474b4fdfb90399de68d41e6d5 100644
--- a/python-sqlparse.spec
+++ b/python-sqlparse.spec
@@ -2,13 +2,12 @@
 %global shortname sqlparse
 
 Name: python-sqlparse
-Version: 0.4.4
-Release: 2
+Version: 0.5.1
+Release: 1
 Summary: A non-validating SQL parser.
 License: BSD-3-Clause
 URL: https://github.com/andialbrecht/sqlparse
 Source0: https://github.com/andialbrecht/%{shortname}/archive/%{version}/%{shortname}-%{version}.tar.gz
-Patch0: CVE-2024-4340.patch
 BuildArch: noarch
 
 %description
@@ -26,6 +25,7 @@ BuildRequires: python3-pip
 BuildRequires: python3-wheel
 BuildRequires: python3-pytest
 BuildRequires: python3-flit
+BuildRequires: python3-hatchling
 
 %description -n python3-sqlparse
 A non-validating SQL parser.
@@ -49,6 +49,11 @@ A non-validating SQL parser.
 %{_bindir}/sqlformat
 
 %changelog
+* Mon Aug 05 2024 dongjiao - 0.5.1-1
+- Update package to version 0.5.1
+  - Support python 3.12, drop support for Python 3.5, 3.6, and 3.7.
+  - Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements.
+
 * Mon May 06 2024 wangkai <13474090681@163.com> - 0.4.4-2
 - Fix CVE-2024-4340
 
diff --git a/sqlparse-0.4.4.tar.gz b/sqlparse-0.4.4.tar.gz
deleted file mode 100644
index 03e1c3f053c3425dc5d4f54bfa0a661b1076f08c..0000000000000000000000000000000000000000
Binary files a/sqlparse-0.4.4.tar.gz and /dev/null differ
diff --git a/sqlparse-0.5.1.tar.gz b/sqlparse-0.5.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..17248069164b1afb379ad364cf3788a9ae0af310
Binary files /dev/null and b/sqlparse-0.5.1.tar.gz differ
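Review bot: The new changelog entry (`- Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements.`) does not record that `Patch0: CVE-2024-4340.patch` is being dropped because the upstream release now carries that fix, so anyone grepping this spec for the CVE ID only finds the 0.4.4-2 entry and cannot tell whether 0.5.1-1 still covers it. Add a line next to the version bump such as `- Drop CVE-2024-4340.patch, fix is included in upstream 0.5.x (commit b4a39d98)`. The deleted patch's Origin commit is dated 13 Apr 2024, so it is presumably part of the 0.5.1 tarball, but that is inferred rather than shown here; worth confirming that the packaged sqlparse/sql.py still wraps `flatten()` in the `except RecursionError` / `raise SQLParseError(...)` handler before the backport is removed. Separately, `BuildRequires: python3-flit` is kept alongside the new `python3-hatchling`; if 0.5.1 builds with hatchling only, flit is now a dead build dependency that should go.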