From 74e70284acb2eb2f2a47a1ab1aa5ee0928d46344 Mon Sep 17 00:00:00 2001 From: Trevor Gamblin Date: Tue, 25 Jul 2023 15:09:43 -0400 Subject: python3-sqlparse: upgrade 0.4.3 -> 0.4.4 - Use python_flit_core instead of setuptools3 - Modify 0001-sqlparse-change-shebang-to-python3.patch to apply on 0.4.4 - Remove CVE-2023-30608.patch since it's now upstream: [tgamblin@megalith sqlparse]$ git tag --contains c457abd 0.4.4 Changelog (https://github.com/andialbrecht/sqlparse/blob/master/CHANGELOG): Release 0.4.4 (Apr 18, 2023) ---------------------------- Notable Changes * IMPORTANT: This release fixes a security vulnerability in the parser where a regular expression vulnerable to ReDOS (Regular Expression Denial of Service) was used. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 The vulnerability was discovered by @erik-krogh from GitHub Security Lab (GHSL). Thanks for reporting! Bug Fixes * Revert a change from 0.4.0 that changed IN to be a comparison (issue694). The primary expectation is that IN is treated as a keyword and not as a comparison operator. That also follows the definition of reserved keywords for the major SQL syntax definitions. * Fix regular expressions for string parsing. Other * sqlparse now uses pyproject.toml instead of setup.cfg (issue685). Signed-off-by: Trevor Gamblin Signed-off-by: Khem Raj --- .../python/python3-sqlparse/CVE-2023-30608.patch | 51 ---------------------- 1 file changed, 51 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch (limited to 'meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch') diff --git a/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch b/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch deleted file mode 100644 index f5526c5b88..0000000000 --- a/meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch +++ /dev/null @@ -1,51 +0,0 @@ -From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001 -From: Andi Albrecht -Date: Mon, 20 Mar 2023 08:33:46 +0100 -Subject: [PATCH] Remove unnecessary parts in regex for bad escaping. - -The regex tried to deal with situations where escaping in the -SQL to be parsed was suspicious. - -Upstream-Status: Backport -CVE: CVE-2023-30608 - -Reference to upstream patch: -https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb - -[AZ: drop changes to CHANGELOG file and adjust context whitespaces] -Signed-off-by: Adrian Zaharia - -Adjust indentation in keywords.py. -Signed-off-by: Joe Slater ---- - sqlparse/keywords.py | 4 ++-- - tests/test_split.py | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - ---- sqlparse-0.4.3.orig/sqlparse/keywords.py -+++ sqlparse-0.4.3/sqlparse/keywords.py -@@ -72,9 +72,9 @@ SQL_REGEX = { - (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', - tokens.Number.Float), - (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer), -- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single), -+ (r"'(''|\\'|[^'])*'", tokens.String.Single), - # not a real string literal in ANSI SQL: -- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol), -+ (r'"(""|\\"|[^"])*"', tokens.String.Symbol), - (r'(""|".*?[^\\]")', tokens.String.Symbol), - # sqlite names can be escaped with [square brackets]. left bracket - # cannot be preceded by word character or a right bracket -- ---- sqlparse-0.4.3.orig/tests/test_split.py -+++ sqlparse-0.4.3/tests/test_split.py -@@ -18,8 +18,8 @@ def test_split_semicolon(): - - - def test_split_backslash(): -- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';") -- assert len(stmts) == 3 -+ stmts = sqlparse.parse("select '\'; select '\'';") -+ assert len(stmts) == 2 - - - @pytest.mark.parametrize('fn', ['function.sql', -- cgit v1.2.3-54-g00ecf