Narcissus/shredos.x86_64
2
0
Fork 1
mirror of https://github.com/PartialVolume/shredos.x86_64.git synced 2026-02-20 17:42:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d893547c0e067a21aee59e9b6d24d53d16438e5b
shredos.x86_64/package/python-webpy/0001-Address-CVE-2025-3818.patch
PartialVolume c525a2ff71 Updated ShredOS to Buildroot 2025.11, kernel 6.18.0
2026-01-06 22:53:29 +00:00

43 lines
1.4 KiB
Diff
Raw Blame History

From 3ba1b40e5a828a26a1df1b49cdc87395f3274c81 Mon Sep 17 00:00:00 2001
From: Mek <michael.karpeles@gmail.com>
Date: Wed, 7 May 2025 15:14:44 -0400
Subject: [PATCH] Address CVE-2025-3818 (#807)
* Address CVE-2025-3818
Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com>
Upstream: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
Fixes CVE-2025-3818: https://github.com/advisories/GHSA-9g47-36rw-gjh2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
web/db.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/web/db.py b/web/db.py
index 5284f8d0..ba3e12c5 100644
--- a/web/db.py
+++ b/web/db.py
@@ -1198,10 +1198,18 @@ def _process_insert_query(self, query, tablename, seqname):
seqname = None
if seqname:
- query += "; SELECT currval('%s')" % seqname
+ query += self.get_sequence_query(seqname)
return query
+ def get_sequence_query(self, seqname):
+ import re
+ # Ensure the sequence name is valid
+ if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
+ raise ValueError(f"Invalid sequence name: {seqname}")
+ return SQLQuery("; SELECT currval(%s)", seqname)
+
+
def _get_all_sequences(self):
"""Query postgres to find names of all sequences used in this database."""
if self._sequences is None:
Reference in New Issue View Git Blame Copy Permalink