* [meta-python][hardknott][PATCH] python3-sqlparse: Fix CVE-2021-32839
@ 2021-10-05 14:02 Trevor Gamblin
From: Trevor Gamblin @ 2021-10-05 14:02 UTC (permalink / raw)
  To: openembedded-devel

Backport a patch from upstream version 0.4.2, since upgrading the recipe to
that version would introduce functional changes.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 ...-expression-for-identifying-line-bre.patch | 64 +++++++++++++++++++
 .../python/python3-sqlparse_0.4.1.bb          |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch

diff --git a/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch b/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch
new file mode 100644
index 000000000..735530a8f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-sqlparse/0001-Optimize-regular-expression-for-identifying-line-bre.patch
@@ -0,0 +1,64 @@
+From 8238a9e450ed1524e40cb3a8b0b3c00606903aeb Mon Sep 17 00:00:00 2001
+From: Andi Albrecht <albrecht.andi@gmail.com>
+Date: Tue, 7 Sep 2021 12:27:28 +0200
+Subject: [PATCH] Optimize regular expression for identifying line breaks in
+ comments.
+
+CVE: CVE-2021-32839
+
+Upstream-Status: Backport
+(https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb)
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ sqlparse/filters/others.py |  5 ++++-
+ tests/test_format.py       | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/sqlparse/filters/others.py b/sqlparse/filters/others.py
+index e0e1ca1..6905f2d 100644
+--- a/sqlparse/filters/others.py
++++ b/sqlparse/filters/others.py
+@@ -22,7 +22,10 @@ class StripCommentsFilter:
+         def _get_insert_token(token):
+             """Returns either a whitespace or the line breaks from token."""
+             # See issue484 why line breaks should be preserved.
+-            m = re.search(r'((\r\n|\r|\n)+) *$', token.value)
++            # Note: The actual value for a line break is replaced by \n
++            # in SerializerUnicode which will be executed in the
++            # postprocessing state.
++            m = re.search(r'((\r|\n)+) *$', token.value)
+             if m is not None:
+                 return sql.Token(T.Whitespace.Newline, m.groups()[0])
+             else:
+diff --git a/tests/test_format.py b/tests/test_format.py
+index 7117d9d..70bb805 100644
+--- a/tests/test_format.py
++++ b/tests/test_format.py
+@@ -84,6 +84,23 @@ class TestFormat:
+         res = sqlparse.format(sql, strip_comments=True)
+         assert res == 'select (select 2)'
+ 
++    def test_strip_comments_preserves_linebreak(self):
++        sql = 'select * -- a comment\r\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\rfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\nfrom foo'
++        sql = 'select * -- a comment\r\n\r\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\n\nfrom foo'
++        sql = 'select * -- a comment\n\nfrom foo'
++        res = sqlparse.format(sql, strip_comments=True)
++        assert res == 'select *\n\nfrom foo'
++
+     def test_strip_ws(self):
+         f = lambda sql: sqlparse.format(sql, strip_whitespace=True)
+         s = 'select\n* from      foo\n\twhere  ( 1 = 2 )\n'
+-- 
+2.31.1
+
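Review bot: The new test `test_strip_comments_preserves_linebreak` pins the output of the changed regex but not the property the `CVE:` tag refers to, so reverting `((\r|\n)+) *$` to the overlapping `(\r\n|\r|\n)+` alternation would leave this test passing. A regression case that formats a comment followed by a long run of `\r\n` pairs and trailing spaces before further text would make the old pattern's backtracking visible as a hang; whether the lexer keeps such a run inside a single comment token, so that `_get_insert_token` actually sees it, is not visible here and should be confirmed before adding it. The enclosing `_get_insert_token` and the `TestFormat` class both continue outside the hunk. Since the recipe carries this patch as a file, the `CVE: CVE-2021-32839` header line is what lets cve-check treat the issue as addressed, so it should be kept if the patch is ever regenerated.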
diff --git a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb
index c8a64c109..aeb9c2350 100644
--- a/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb
+++ b/meta-python/recipes-devtools/python/python3-sqlparse_0.4.1.bb
@@ -5,6 +5,7 @@ LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2b136f573f5386001ea3b7b9016222fc"
 
 SRC_URI += "file://0001-sqlparse-change-shebang-to-python3.patch \
+            file://0001-Optimize-regular-expression-for-identifying-line-bre.patch \
             file://run-ptest \
 	    "
 
-- 
2.31.1


