packages/python-sqlparse
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-32839

Browse Source
This commit is contained in:
houyingchao 2021-10-11 15:30:57 +08:00
parent d4b4dba2c9
commit 3fe9f6771b
2 changed files with 61 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
CVE-2021-32839.patch Normal file
View File

@ -0,0 +1,55 @@
From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001
From: Andi Albrecht <albrecht.andi@gmail.com>
Date: Tue, 7 Sep 2021 12:27:28 +0200
Subject: [PATCH] Optimize regular expression for identifying line breaks in
comments.
---
sqlparse/filters/others.py | 5 ++++-
tests/test_format.py | 17 +++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py
index e0e1ca19..6905f2d6 100644
--- a/sqlparse/filters/others.py
+++ b/sqlparse/filters/others.py
@@ -22,7 +22,10 @@ def get_next_comment():
def _get_insert_token(token):
"""Returns either a whitespace or the line breaks from token."""
# See issue484 why line breaks should be preserved.
- m = re.search(r'((\r\n|\r|\n)+) *$', token.value)
+ # Note: The actual value for a line break is replaced by \n
+ # in SerializerUnicode which will be executed in the
+ # postprocessing state.
+ m = re.search(r'((\r|\n)+) *$', token.value)
if m is not None:
return sql.Token(T.Whitespace.Newline, m.groups()[0])
else:
diff --git a/tests/test_format.py b/tests/test_format.py
index 7117d9d6..70bb8055 100644
--- a/tests/test_format.py
+++ b/tests/test_format.py
@@ -84,6 +84,23 @@ def test_strip_comments_multi(self):
res = sqlparse.format(sql, strip_comments=True)
assert res == 'select (select 2)'
+ def test_strip_comments_preserves_linebreak(self):
+ sql = 'select * -- a comment\r\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\rfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\nfrom foo'
+ sql = 'select * -- a comment\r\n\r\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\n\nfrom foo'
+ sql = 'select * -- a comment\n\nfrom foo'
+ res = sqlparse.format(sql, strip_comments=True)
+ assert res == 'select *\n\nfrom foo'
+
def test_strip_ws(self):
f = lambda sql: sqlparse.format(sql, strip_whitespace=True)
s = 'select\n* from foo\n\twhere ( 1 = 2 )\n'

8
python-sqlparse.spec
View File

@ -1,10 +1,11 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-sqlparse Name: python-sqlparse
Version: 0.4.1 Version: 0.4.1
Release: 1 Release: 2
Summary: A non-validating SQL parser. Summary: A non-validating SQL parser.
License: BSD License: BSD
URL: https://github.com/andialbrecht/sqlparse URL: https://github.com/andialbrecht/sqlparse
Patch001: CVE-2021-32839.patch
Source0: https://files.pythonhosted.org/packages/a2/54/da10f9a0235681179144a5ca02147428f955745e9393f859dec8d0d05b41/sqlparse-0.4.1.tar.gz Source0: https://files.pythonhosted.org/packages/a2/54/da10f9a0235681179144a5ca02147428f955745e9393f859dec8d0d05b41/sqlparse-0.4.1.tar.gz
BuildArch: noarch BuildArch: noarch
@ -33,7 +34,7 @@ Provides: python3-sqlparse-doc
A non-validating SQL parser. A non-validating SQL parser.
%prep %prep
%autosetup -n sqlparse-%{version} %autosetup -n sqlparse-%{version} -p1
%build %build
%py3_build %py3_build
@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Mon Oct 11 2021 houyingchao <houyingchao@huawei.com> - 0.4.1-2
- Fix CVE-2021-32839
* Fri Aug 06 2021 OpenStack_SIG <openstack@openeuler.org> - 0.4.1-1 * Fri Aug 06 2021 OpenStack_SIG <openstack@openeuler.org> - 0.4.1-1
- Upgrade version to 0.4.1 - Upgrade version to 0.4.1