Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-sqlparse for openSUSE:Factory checked in at 2021-10-20 20:23:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-sqlparse (Old) and /work/SRC/openSUSE:Factory/.python-sqlparse.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-sqlparse" Wed Oct 20 20:23:12 2021 rev:13 rq:922565 version:0.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/python-sqlparse/python-sqlparse.changes 2021-02-01 13:26:09.585912304 +0100 +++ /work/SRC/openSUSE:Factory/.python-sqlparse.new.1890/python-sqlparse.changes 2021-10-20 20:23:49.585361117 +0200 @@ -1,0 +2,11 @@ +Fri Oct 1 12:42:17 UTC 2021 - Johannes Grassler <johannes.grass...@suse.com> + +- update to 0.4.2 (bsc#1190741, CVE-2021-32839): + * This release fixes a security vulnerability in the strip + comments filter. + * Add ELSIF as keyword (issue584). + * Add CONFLICT and ON_ERROR_STOP keywords. + * Fix parsing of backticks (issue588). + * Fix parsing of scientific number (issue399). + +------------------------------------------------------------------- Old: ---- sqlparse-0.4.1.tar.gz New: ---- sqlparse-0.4.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-sqlparse.spec ++++++ --- /var/tmp/diff_new_pack.UvGDDu/_old 2021-10-20 20:23:50.089361428 +0200 +++ /var/tmp/diff_new_pack.UvGDDu/_new 2021-10-20 20:23:50.093361430 +0200 @@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define skip_python2 1 Name: python-sqlparse -Version: 0.4.1 +Version: 0.4.2 Release: 0 Summary: Non-validating SQL parser License: BSD-3-Clause @@ -31,7 +31,7 @@ BuildRequires: fdupes BuildRequires: python-rpm-macros Requires(post): update-alternatives -Requires(postun): update-alternatives +Requires(postun):update-alternatives BuildArch: noarch %python_subpackages ++++++ sqlparse-0.4.1.tar.gz -> sqlparse-0.4.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/AUTHORS new/sqlparse-0.4.2/AUTHORS --- old/sqlparse-0.4.1/AUTHORS 2020-09-30 15:44:45.000000000 +0200 +++ new/sqlparse-0.4.2/AUTHORS 2020-12-12 09:28:18.000000000 +0100 
@@ -30,6 +30,7 @@ * hurcy <cinyoung....@gmail.com> * Ian Robertson <ian.robert...@capitalone.com> * JacekPliszka <jacek.plis...@gmail.com> +* Jean-Martin Archer <j...@jmartin.ca> * Jes??s Legan??s Combarro "Piranna" <pira...@gmail.com> * Johannes Hoff <johsh...@gmail.com> * John Bodley <john.bod...@airbnb.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/CHANGELOG new/sqlparse-0.4.2/CHANGELOG --- old/sqlparse-0.4.1/CHANGELOG 2020-10-08 07:59:43.000000000 +0200 +++ new/sqlparse-0.4.2/CHANGELOG 2021-09-10 08:50:44.000000000 +0200 @@ -1,7 +1,31 @@ +Release 0.4.2 (Sep 10, 2021) +---------------------------- + +Notable Changes + +* IMPORTANT: This release fixes a security vulnerability in the + strip comments filter. In this filter a regular expression that was + vulnerable to ReDOS (Regular Expression Denial of Service) was + used. See the security advisory for details: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf + The vulnerability was discovered by @erik-krogh and @yoff from + GitHub Security Lab (GHSL). Thanks for reporting! + +Enhancements + +* Add ELSIF as keyword (issue584). +* Add CONFLICT and ON_ERROR_STOP keywords (pr595, by j-martin). + +Bug Fixes + +* Fix parsing of backticks (issue588). +* Fix parsing of scientific number (issue399). + + Release 0.4.1 (Oct 08, 2020) ---------------------------- Bug Fixes + * Just removed a debug print statement, sorry... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/PKG-INFO new/sqlparse-0.4.2/PKG-INFO --- old/sqlparse-0.4.1/PKG-INFO 2020-10-08 07:59:53.000000000 +0200 +++ new/sqlparse-0.4.2/PKG-INFO 2021-09-10 08:51:15.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: sqlparse -Version: 0.4.1 +Version: 0.4.2 Summary: A non-validating SQL parser. Home-page: https://github.com/andialbrecht/sqlparse Author: Andi Albrecht diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/sqlparse/__init__.py new/sqlparse-0.4.2/sqlparse/__init__.py --- old/sqlparse-0.4.1/sqlparse/__init__.py 2020-10-08 07:56:56.000000000 +0200 +++ new/sqlparse-0.4.2/sqlparse/__init__.py 2021-09-10 08:50:06.000000000 +0200 @@ -16,7 +16,7 @@ from sqlparse import formatter -__version__ = '0.4.1' +__version__ = '0.4.2' __all__ = ['engine', 'filters', 'formatter', 'sql', 'tokens', 'cli'] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/sqlparse/filters/others.py new/sqlparse-0.4.2/sqlparse/filters/others.py --- old/sqlparse-0.4.1/sqlparse/filters/others.py 2020-10-07 08:53:06.000000000 +0200 +++ new/sqlparse-0.4.2/sqlparse/filters/others.py 2021-09-10 08:50:06.000000000 +0200 @@ -22,7 +22,10 @@ def _get_insert_token(token): """Returns either a whitespace or the line breaks from token.""" # See issue484 why line breaks should be preserved. - m = re.search(r'((\r\n|\r|\n)+) *$', token.value) + # Note: The actual value for a line break is replaced by \n + # in SerializerUnicode which will be executed in the + # postprocessing state. + m = re.search(r'((\r|\n)+) *$', token.value) if m is not None: return sql.Token(T.Whitespace.Newline, m.groups()[0]) else: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/sqlparse/keywords.py new/sqlparse-0.4.2/sqlparse/keywords.py --- old/sqlparse-0.4.1/sqlparse/keywords.py 2020-10-07 08:52:22.000000000 +0200 +++ new/sqlparse-0.4.2/sqlparse/keywords.py 2021-07-14 15:55:03.000000000 +0200 
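Review bot: The new comment in _get_insert_token explains the SerializerUnicode side effect but not why the alternation was narrowed, so nothing stops a later change from putting `\r\n` back into the group; the old `((\r\n|\r|\n)+) *$` is ambiguous (a CRLF pair can match as one iteration or two), and when the trailing ` *$` fails the engine retries every split, which is the ReDoS the changes entry attributes to CVE-2021-32839. I would add one line directly above the `re.search`: `# Single-character alternatives only: '(\r\n|\r|\n)+' is ambiguous and can backtrack exponentially (CVE-2021-32839).` The new pattern `((\r|\n)+) *$` has no such ambiguity, so the fix itself looks right. The `else:` branch of the function continues past the hunk.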
@@ -62,7 +62,7 @@ (r'(?<=\.)[A-Z??-??]\w*', tokens.Name), # .'Name' (r'[A-Z??-??]\w*(?=\()', tokens.Name), # side effect: change kw to func (r'-?0x[\dA-F]+', tokens.Number.Hexadecimal), - (r'-?\d*(\.\d+)?E-?\d+', tokens.Number.Float), + (r'-?\d+(\.\d+)?E-?\d+', tokens.Number.Float), (r'(?![_A-Z??-??])-?(\d+(\.\d*)|\.\d+)(?![_A-Z??-??])', tokens.Number.Float), (r'(?![_A-Z??-??])-?\d+(?![_A-Z??-??])', tokens.Number.Integer), @@ -93,7 +93,7 @@ (r'[0-9_A-Z??-??][_$#\w]*', is_keyword), (r'[;:()\[\],\.]', tokens.Punctuation), (r'[<>=~!]+', tokens.Operator.Comparison), - (r'[+/@#%^&|`?^-]+', tokens.Operator), + (r'[+/@#%^&|^-]+', tokens.Operator), ]} FLAGS = re.IGNORECASE | re.UNICODE @@ -745,6 +745,7 @@ 'DOUBLE': tokens.Keyword, 'DUMP': tokens.Keyword, + 'ELSIF': tokens.Keyword, 'EVENTS': tokens.Keyword, 'EXCEPTIONS': tokens.Keyword, 'EXPLAIN': tokens.Keyword, @@ -833,6 +834,7 @@ # PostgreSQL Syntax KEYWORDS_PLPGSQL = { + 'CONFLICT': tokens.Keyword, 'WINDOW': tokens.Keyword, 'PARTITION': tokens.Keyword, 'OVER': tokens.Keyword, @@ -841,6 +843,7 @@ 'PLPGSQL': tokens.Keyword, 'INHERIT': tokens.Keyword, 'INDEXES': tokens.Keyword, + 'ON_ERROR_STOP': tokens.Keyword, 'BYTEA': tokens.Keyword, 'BIGSERIAL': tokens.Keyword, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/sqlparse.egg-info/PKG-INFO new/sqlparse-0.4.2/sqlparse.egg-info/PKG-INFO --- old/sqlparse-0.4.1/sqlparse.egg-info/PKG-INFO 2020-10-08 07:59:53.000000000 +0200 +++ new/sqlparse-0.4.2/sqlparse.egg-info/PKG-INFO 2021-09-10 08:51:14.000000000 +0200 
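Review bot: Tightening `\d*` to `\d+` in the Float pattern also stops a mantissa with no leading digit, such as `.5E3`, from being lexed as a single Number.Float, although the changelog only describes the `e1` case (issue399); the pattern on the next line still accepts `\.\d+` without an exponent, so the two rules are now inconsistent about leading dots. If that narrowing is intended, a `('.5E3', ...)` case belongs in test_scientific_numbers so the behaviour is pinned; otherwise `(r'-?(\d+(\.\d+)?|\.\d+)E-?\d+', tokens.Number.Float)` keeps `e1` out while still accepting a leading-dot mantissa. The enclosing SQL_REGEX table starts and ends outside the hunk.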
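Review bot: Besides the backtick, the new operator class `[+/@#%^&|^-]+` also drops `?`, which the issue588 entry does not mention; if `?` is now meant to fall through to another rule (presumably a placeholder pattern, not visible in this hunk), a test pinning how a bare `?` tokenizes would guard that, since the only test added for this change covers backticks in `sqlparse.split`. The class also lists `^` twice (pre-existing, but the line is being rewritten anyway); `(r'[+/@#%^&|-]+', tokens.Operator)` is the same set without the duplicate.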
@@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: sqlparse -Version: 0.4.1 +Version: 0.4.2 Summary: A non-validating SQL parser. Home-page: https://github.com/andialbrecht/sqlparse Author: Andi Albrecht diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/tests/test_format.py new/sqlparse-0.4.2/tests/test_format.py --- old/sqlparse-0.4.1/tests/test_format.py 2020-09-30 15:44:45.000000000 +0200 +++ new/sqlparse-0.4.2/tests/test_format.py 2021-09-10 08:50:06.000000000 +0200 @@ -84,6 +84,23 @@ res = sqlparse.format(sql, strip_comments=True) assert res == 'select (select 2)' + def test_strip_comments_preserves_linebreak(self): + sql = 'select * -- a comment\r\nfrom foo' + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select *\nfrom foo' + sql = 'select * -- a comment\nfrom foo' + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select *\nfrom foo' + sql = 'select * -- a comment\rfrom foo' + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select *\nfrom foo' + sql = 'select * -- a comment\r\n\r\nfrom foo' + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select *\n\nfrom foo' + sql = 'select * -- a comment\n\nfrom foo' + res = sqlparse.format(sql, strip_comments=True) + assert res == 'select *\n\nfrom foo' + def test_strip_ws(self): f = lambda sql: sqlparse.format(sql, strip_whitespace=True) s = 'select\n* from foo\n\twhere ( 1 = 2 )\n' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/tests/test_parse.py new/sqlparse-0.4.2/tests/test_parse.py --- old/sqlparse-0.4.1/tests/test_parse.py 2020-09-30 15:44:45.000000000 +0200 +++ new/sqlparse-0.4.2/tests/test_parse.py 2021-07-14 15:57:11.000000000 +0200 
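Review bot: test_strip_comments_preserves_linebreak pins the output shape of the rewritten pattern, but nothing in the suite exercises the failure mode the release notes call out (the strip-comments regex was a ReDoS), so a future edit that reintroduces an ambiguous alternation would pass these tests unnoticed. I would add a companion regression test that feeds the filter a comment followed by a long run of line-break characters that do not end the token and bounds its wall-clock time (pytest-timeout or a `time.perf_counter` check), so the fix is guarded by its own test rather than only by the changelog. Separately, the five cases here rebind `sql` and `res` in sequence; `@pytest.mark.parametrize('sql, expected', [...])` over the same pairs, as test_parse.py already does, would make a failing case identifiable from its id. The enclosing test class starts outside the hunk.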
@@ -188,11 +188,16 @@ assert p[0].ttype is T.Name.Placeholder -@pytest.mark.parametrize('num', ['6.67428E-8', '1.988e33', '1e-12']) -def test_scientific_numbers(num): +@pytest.mark.parametrize('num, expected', [ + ('6.67428E-8', T.Number.Float), + ('1.988e33', T.Number.Float), + ('1e-12', T.Number.Float), + ('e1', None), +]) +def test_scientific_numbers(num, expected): p = sqlparse.parse(num)[0].tokens assert len(p) == 1 - assert p[0].ttype is T.Number.Float + assert p[0].ttype is expected def test_single_quotes_are_strings(): @@ -336,7 +341,8 @@ "| | `- 0 Name 'd0'", "| |- 10 Punctuation ','", "| |- 11 Whitespace ' '", - "| `- 12 Float 'e0'", + "| `- 12 Identifier 'e0'", + "| `- 0 Name 'e0'", "|- 3 Whitespace ' '", "|- 4 Keyword 'from'", "|- 5 Whitespace ' '", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sqlparse-0.4.1/tests/test_regressions.py new/sqlparse-0.4.2/tests/test_regressions.py --- old/sqlparse-0.4.1/tests/test_regressions.py 2020-09-30 15:44:45.000000000 +0200 +++ new/sqlparse-0.4.2/tests/test_regressions.py 2020-10-19 08:40:01.000000000 +0200 @@ -411,3 +411,10 @@ # did raise ValueError formatted = sqlparse.format('where, foo', reindent=True) assert formatted == 'where, foo' + + +def test_splitting_at_and_backticks_issue588(): + splitted = sqlparse.split( + 'grant foo to user1@`myhost`; grant bar to user1@`myhost`;') + assert len(splitted) == 2 + assert splitted[-1] == 'grant bar to user1@`myhost`;'
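Review bot: The `('e1', None)` case asserts only `p[0].ttype is expected`, i.e. `ttype is None`, which any grouped token satisfies, so the test would still pass if `e1` were grouped into something other than an Identifier; the tree expectation changed further down (`Identifier 'e0'` / `Name 'e0'`) is the stronger check and the parametrized test should match it. I would replace the final assertion with `if expected is None: assert isinstance(p[0], sql.Identifier)` / `else: assert p[0].ttype is expected`, which needs `sqlparse.sql` in scope in this test module (I cannot see its imports from the hunk). Keeping `assert len(p) == 1` before that still guards against `e1` splitting into two tokens.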