Blame - meta-openembedded/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch - openbmc/openbmc

blob: f5526c5b88ea063123ae08e19948d75e016910af [file] [log] [blame]

Patrick Williams	520786c	2023-06-25 16:20:36 -0500	[diff] [blame^]	1	From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
				2	From: Andi Albrecht <albrecht.andi@gmail.com>
				3	Date: Mon, 20 Mar 2023 08:33:46 +0100
				4	Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
				5
				6	The regex tried to deal with situations where escaping in the
				7	SQL to be parsed was suspicious.
				8
				9	Upstream-Status: Backport
				10	CVE: CVE-2023-30608
				11
				12	Reference to upstream patch:
				13	https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
				14
				15	[AZ: drop changes to CHANGELOG file and adjust context whitespaces]
				16	Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
				17
				18	Adjust indentation in keywords.py.
				19	Signed-off-by: Joe Slater <joe.slater@windriver.com>
				20	---
				21	sqlparse/keywords.py \| 4 ++--
				22	tests/test_split.py \| 4 ++--
				23	2 files changed, 4 insertions(+), 4 deletions(-)
				24
				25	--- sqlparse-0.4.3.orig/sqlparse/keywords.py
				26	+++ sqlparse-0.4.3/sqlparse/keywords.py
				27	@@ -72,9 +72,9 @@ SQL_REGEX = {
				28	(r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)\|\.\d+)(?![_A-ZÀ-Ü])',
				29	tokens.Number.Float),
				30	(r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
				31	- (r"'(''\|\\\\\|\\'\|[^'])*'", tokens.String.Single),
				32	+ (r"'(''\|\\'\|[^'])*'", tokens.String.Single),
				33	# not a real string literal in ANSI SQL:
				34	- (r'"(""\|\\\\\|\\"\|[^"])*"', tokens.String.Symbol),
				35	+ (r'"(""\|\\"\|[^"])*"', tokens.String.Symbol),
				36	(r'(""\|".*?[^\\]")', tokens.String.Symbol),
				37	# sqlite names can be escaped with [square brackets]. left bracket
				38	# cannot be preceded by word character or a right bracket --
				39	--- sqlparse-0.4.3.orig/tests/test_split.py
				40	+++ sqlparse-0.4.3/tests/test_split.py
				41	@@ -18,8 +18,8 @@ def test_split_semicolon():
				42
				43
				44	def test_split_backslash():
				45	- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
				46	- assert len(stmts) == 3
				47	+ stmts = sqlparse.parse("select '\'; select '\'';")
				48	+ assert len(stmts) == 2
				49
				50
				51	@pytest.mark.parametrize('fn', ['function.sql',