python-PyMySQL/CVE-2024-36039.patch


Index: PyMySQL-1.0.3/pymysql/converters.py
===================================================================
--- PyMySQL-1.0.3.orig/pymysql/converters.py
+++ PyMySQL-1.0.3/pymysql/converters.py
@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=No
def escape_dict(val, charset, mapping=None):
- n = {}
- for k, v in val.items():
- quoted = escape_item(v, charset, mapping)
- n[k] = quoted
- return n
+ raise TypeError("dict can not be used as parameter")
def escape_sequence(val, charset, mapping=None):
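Review bot: `escape_dict` now raises unconditionally, but nothing in the function says why, and `charset` and `mapping` remain in the signature unused. The removed body shows the reason: each value went through `escape_item` but was stored under the original key `k`, so keys came back unescaped. I would add a docstring such as `"""Always raise TypeError: dict keys were never escaped, so a dict is not accepted as a value."""`. It should also say that the signature is kept on purpose, presumably so the function still fits the encoder mapping, which is not visible in this hunk. Callers that relied on the old dict return value will now get a `TypeError`, so the package changelog should mention it.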
Index: PyMySQL-1.0.3/pymysql/tests/test_connection.py
===================================================================
--- PyMySQL-1.0.3.orig/pymysql/tests/test_connection.py
+++ PyMySQL-1.0.3/pymysql/tests/test_connection.py
@@ -790,13 +790,16 @@ class TestEscape(base.PyMySQLTestCase):
self.assertRaises(TypeError, con.escape, 42, {})
- def test_escape_dict_value(self):
+ def test_escape_dict_raise_typeerror(self):
+ """con.escape(dict) should raise TypeError"""
con = self.connect()
cur = con.cursor()
mapping = con.encoders.copy()
mapping[Foo] = escape_foo
- self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
+ # self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
+ with self.assertRaises(TypeError):
+ con.escape({"foo": Foo()})
def test_escape_list_item(self):
con = self.connect()
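Review bot: The new assertion calls `con.escape({"foo": Foo()})` without the `mapping` that the lines above still build, so `cur` and `mapping` (with its `escape_foo` entry) are dead setup. The custom-mapping call that the old test exercised is no longer covered. Passing it through, `con.escape({"foo": Foo()}, mapping)`, would show that the rejection holds when a caller supplies its own encoders, assuming `con.encoders` still maps `dict` to `escape_dict`. The commented-out `assertEqual` line should be deleted rather than kept, since the patch header already records the old behaviour.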