[Buildroot] [PATCH 2025.02.x 1/1] package/python-webpy: add upstream commit to fix CVE-2025-3818
Bernd Kuhls
bernd at kuhls.net
Thu Oct 16 18:23:17 UTC 2025
Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
---
.../0001-Address-CVE-2025-3818.patch | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 package/python-webpy/0001-Address-CVE-2025-3818.patch
diff --git a/package/python-webpy/0001-Address-CVE-2025-3818.patch b/package/python-webpy/0001-Address-CVE-2025-3818.patch
new file mode 100644
index 0000000000..d8373cbac6
--- /dev/null
+++ b/package/python-webpy/0001-Address-CVE-2025-3818.patch
@@ -0,0 +1,42 @@
+From 3ba1b40e5a828a26a1df1b49cdc87395f3274c81 Mon Sep 17 00:00:00 2001
+From: Mek <michael.karpeles at gmail.com>
+Date: Wed, 7 May 2025 15:14:44 -0400
+Subject: [PATCH] Address CVE-2025-3818 (#807)
+
+* Address CVE-2025-3818
+
+Co-authored-by: Scott Barnes <scottreidbarnes at gmail.com>
+
+Upstream: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
+
+Fixes CVE-2025-3818: https://github.com/advisories/GHSA-9g47-36rw-gjh2
+
+Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
+---
+ web/db.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/web/db.py b/web/db.py
+index 5284f8d0..ba3e12c5 100644
+--- a/web/db.py
++++ b/web/db.py
+@@ -1198,10 +1198,18 @@ def _process_insert_query(self, query, tablename, seqname):
+ seqname = None
+
+ if seqname:
+- query += "; SELECT currval('%s')" % seqname
++ query += self.get_sequence_query(seqname)
+
+ return query
+
++ def get_sequence_query(self, seqname):
++ import re
++ # Ensure the sequence name is valid
++ if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):
++ raise ValueError(f"Invalid sequence name: {seqname}")
++ return SQLQuery("; SELECT currval(%s)", seqname)
++
++
+ def _get_all_sequences(self):
+ """Query postgres to find names of all sequences used in this database."""
+ if self._sequences is None:
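Review bot: The allow-list check in the added get_sequence_query, `if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_$]*$', seqname):`, still accepts a sequence name that ends in a single newline, because `$` in Python's `re` also matches just before a trailing `\n`; `if not re.fullmatch(r'[a-zA-Z_][a-zA-Z0-9_$]*', seqname):` pins both ends exactly and reads as the strict identifier check the comment promises. Since the name is now bound through `SQLQuery("; SELECT currval(%s)", seqname)` instead of string-interpolated, this looks like defence in depth rather than a remaining injection path, but the validator should match its stated intent. The function-scope `import re` would sit more naturally at module level if web/db.py does not already import it, which is not visible here. The diffstat at the top lists only the new patch file; Buildroot convention would also add `PYTHON_WEBPY_IGNORE_CVES += CVE-2025-3818` to the package .mk so the CVE tracker stops reporting it, unless that line is already present. `_process_insert_query` starts before the inner hunk and `_get_all_sequences` continues past it, and the mailing-list rendering appears to have stripped the Python indentation from the quoted hunk lines, so whether the patch applies cleanly cannot be confirmed from this view.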
--
2.47.3