| From 3ba1b40e5a828a26a1df1b49cdc87395f3274c81 Mon Sep 17 00:00:00 2001 |
| From: Mek <michael.karpeles@gmail.com> |
| Date: Wed, 7 May 2025 15:14:44 -0400 |
| Subject: [PATCH] Address CVE-2025-3818 (#807) |
| |
| * Address CVE-2025-3818 |
| |
| Co-authored-by: Scott Barnes <scottreidbarnes@gmail.com> |
| |
| Upstream: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81 |
| |
| Fixes CVE-2025-3818: https://github.com/advisories/GHSA-9g47-36rw-gjh2 |
| |
| Signed-off-by: Bernd Kuhls <bernd@kuhls.net> |
| --- |
| web/db.py | 10 +++++++++- |
| 1 file changed, 9 insertions(+), 1 deletion(-) |
| |
| diff --git a/web/db.py b/web/db.py |
| index 5284f8d0..ba3e12c5 100644 |
| --- a/web/db.py |
| +++ b/web/db.py |
| @@ -1198,10 +1198,18 @@ def _process_insert_query(self, query, tablename, seqname): |
| seqname = None |
| |
| if seqname: |
| - query += "; SELECT currval('%s')" % seqname |
| + query += self.get_sequence_query(seqname) |
| |
| return query |
| |
| + def get_sequence_query(self, seqname): |
| + import re |
| + # Ensure the sequence name is valid |
| + if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname): |
| + raise ValueError(f"Invalid sequence name: {seqname}") |
| + return SQLQuery("; SELECT currval(%s)", seqname) |
| + |
| + |
| def _get_all_sequences(self): |
| """Query postgres to find names of all sequences used in this database.""" |
| if self._sequences is None: |
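Review bot: In get_sequence_query the check `re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname)` lets a name with a trailing newline through, because `$` also matches just before a final `\n`; use `if not re.fullmatch(r'[a-zA-Z_][a-zA-Z0-9_$]*', seqname):` so the entire value must be an identifier. The hunk does not show SQLQuery's constructor, and in the web.py versions I know it takes a single `items` argument, so `SQLQuery("; SELECT currval(%s)", seqname)` would pass one positional argument too many and raise TypeError on the first insert into a sequence-backed table — please confirm the signature, or build the fragment as `SQLQuery(["; SELECT currval(", SQLParam(seqname), ")"])` if it does not accept params. The method has no docstring; a one-sentence `"""Return the SQL fragment fetching currval of *seqname*; raises ValueError unless the name is a plain identifier (schema-qualified names are rejected)."""` would also record that the pattern is narrower than the old string formatting, which accepted `schema.seq`. The `import re` inside the method runs on every call and is only needed if `re` is not already imported at module level, which this hunk does not show. Only get_sequence_query lies entirely within the hunk; _process_insert_query begins before it and _get_all_sequences continues after it.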