From c457abd5f097dd13fb21543381e7cfafe7d31cfb Mon Sep 17 00:00:00 2001
From: Andi Albrecht
Date: Mon, 20 Mar 2023 08:33:46 +0100
Subject: [PATCH] Remove unnecessary parts in regex for bad escaping.
The regex tried to deal with situations where escaping in the SQL to be parsed was suspicious.
Upstream-Status: Backport
CVE: CVE-2023-30608
Reference to upstream patch: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
[AZ: drop changes to CHANGELOG file and adjust context whitespaces]
Signed-off-by: Adrian Zaharia
Adjust indentation in keywords.py.
Signed-off-by: Joe Slater
---
 sqlparse/keywords.py | 4 ++--
 tests/test_split.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
--- sqlparse-0.4.3.orig/sqlparse/keywords.py
+++ sqlparse-0.4.3/sqlparse/keywords.py
@@ -72,9 +72,9 @@ SQL_REGEX = {
 (r'(?![_A-ZÀ-Ü])-?(\d+(\.\d*)|\.\d+)(?![_A-ZÀ-Ü])', tokens.Number.Float),
 (r'(?![_A-ZÀ-Ü])-?\d+(?![_A-ZÀ-Ü])', tokens.Number.Integer),
- (r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
+ (r"'(''|\\'|[^'])*'", tokens.String.Single),
 # not a real string literal in ANSI SQL:
- (r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),
+ (r'"(""|\\"|[^"])*"', tokens.String.Symbol),
 (r'(""|".*?[^\\]")', tokens.String.Symbol),
 # sqlite names can be escaped with [square brackets]. left bracket
 # cannot be preceded by word character or a right bracket --
--- sqlparse-0.4.3.orig/tests/test_split.py
+++ sqlparse-0.4.3/tests/test_split.py
@@ -18,8 +18,8 @@ def test_split_semicolon():
 def test_split_backslash():
- stmts = sqlparse.parse(r"select '\\'; select '\''; select '\\\'';")
- assert len(stmts) == 3
+ stmts = sqlparse.parse("select '\'; select '\'';")
+ assert len(stmts) == 2
 @pytest.mark.parametrize('fn', ['function.sql',
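Review bot: The two fixed string patterns carry no comment saying why the `\\\\` branch must stay out of the alternation, so a later maintainer can reintroduce the same backtracking problem; I would add above the `tokens.String.Single` entry: `# Keep this alternation free of a "\\\\" branch: [^'] already matches a backslash, and the overlapping branches under * backtracked catastrophically on long runs of backslashes (CVE-2023-30608).` The same note belongs on the `tokens.String.Symbol` pattern two lines below, with `[^"]` in place of `[^']`. The overlap that remains between `\\'` and `[^']` on a single backslash looks benign, since after the `[^']` choice the following `'` can only close the literal, but I have not measured it. The `SQL_REGEX` dict that holds these entries continues outside the hunk.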
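Review bot: The replacement input on the `stmts = sqlparse.parse(...)` line drops the `r` prefix, so Python turns each `\'` into a plain `'` and the parser receives `select ''; select '';` with no backslash in it at all, which means test_split_backslash no longer exercises the `\\'` branch of the pattern changed in keywords.py. Keep literal backslashes in the input (a raw string, or doubled backslashes) and assert the statement count the new pattern actually yields for that input, which I have not computed here. A second case that parses a string literal holding a long run of backslashes would pin the CVE-2023-30608 fix itself; it should assert that the call returns promptly rather than a token count. The hunk's trailing context cuts into the decorator of the next test.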