fix CVE-2021-32839

CVE-2021-32839.patch

@@ -0,0 +1,55 @@
+From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Tue, 7 Sep 2021 12:27:28 +0200
+Subject: [PATCH] Optimize regular expression for identifying line breaks in
+ comments.
+
+---
+ sqlparse/filters/others.py |  5 ++++-
+ tests/test_format.py       | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py
+index e0e1ca19..6905f2d6 100644
+--- a/sqlparse/filters/others.py
++++ b/sqlparse/filters/others.py
+@@ -22,7 +22,10 @@ def get_next_comment():
+         def _get_insert_token(token):
+             """Returns either a whitespace or the line breaks from token."""
+             # See issue484 why line breaks should be preserved.
+-            m = re.search(r'((\r\n|\r|\n)+) *$', token.value)
++            # Note: The actual value for a line break is replaced by \n
++            # in SerializerUnicode which will be executed in the
++            # postprocessing state.
++            m = re.search(r'((\r|\n)+) *$', token.value)
+             if m is not None:
+                 return sql.Token(T.Whitespace.Newline, m.groups()[0])
+             else:
+diff --git a/tests/test_format.py b/tests/test_format.py
+index 7117d9d6..70bb8055 100644
+--- a/tests/test_format.py
++++ b/tests/test_format.py
+@@ -84,6 +84,23 @@ def test_strip_comments_multi(self):
+         res = sqlparse.format(sql, strip_comments=True)
+         assert res == 'select (select 2)'
+ 
++    def test_strip_comments_preserves_linebreak(self):
++        sql = 'select * -- a comment\r\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\rfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\r\n\r\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\n\nfrom foo'
++        sql = 'select * -- a comment\n\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\n\nfrom foo'
++
+     def test_strip_ws(self):
+         f = lambda sql: sqlparse.format(sql, strip_whitespace=True)
+         s = 'select\n* from      foo\n\twhere  ( 1 = 2 )\n'

python-sqlparse.spec

@@ -1,10 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-sqlparse
 Version:        0.4.1
-Release:        1
+Release:        2
 Summary:        A non-validating SQL parser.
 License:        BSD
 URL:            https://github.com/andialbrecht/sqlparse
+Patch001:	CVE-2021-32839.patch
 Source0:        https://files.pythonhosted.org/packages/a2/54/da10f9a0235681179144a5ca02147428f955745e9393f859dec8d0d05b41/sqlparse-0.4.1.tar.gz
 BuildArch:      noarch
 
@@ -33,7 +34,7 @@ Provides:       python3-sqlparse-doc
 A non-validating SQL parser.
 
 %prep
-%autosetup -n sqlparse-%{version}
+%autosetup -n sqlparse-%{version} -p1
 
 %build
 %py3_build
@@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Oct 11 2021 houyingchao <houyingchao@huawei.com> - 0.4.1-2
+- Fix CVE-2021-32839
+
 * Fri Aug 06 2021 OpenStack_SIG <openstack@openeuler.org> - 0.4.1-1
 - Upgrade version to 0.4.1