From dd0f6aa5309d4b8ff784a233581768a81ea29041 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 24 May 2024 10:05:27 +0800
Subject: [PATCH] Fix CVE-2024-36039
(cherry picked from commit a3469abe0457251c89c39268dc5237c06afeac97)
---
CVE-2024-36039.patch | 28 ++++++++++++++++++++++++++++
python-PyMySQL.spec | 6 +++++-
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-36039.patch
diff --git a/CVE-2024-36039.patch b/CVE-2024-36039.patch
new file mode 100644
index 0000000..381ae9d
--- /dev/null
+++ b/CVE-2024-36039.patch
@@ -0,0 +1,28 @@
+From 521e40050cb386a499f68f483fefd144c493053c Mon Sep 17 00:00:00 2001
+From: Inada Naoki
+Date: Sat, 18 May 2024 11:33:30 +0900
+Subject: [PATCH] forbid dict parameter
+
+Origin: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
+
+---
+ pymysql/converters.py | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/pymysql/converters.py b/pymysql/converters.py
+index 1adac752..dbf97ca7 100644
+--- a/pymysql/converters.py
++++ b/pymysql/converters.py
+@@ -28,11 +28,7 @@ def escape_item(val, charset, mapping=None):
+ return val
+
+ def escape_dict(val, charset, mapping=None):
+- n = {}
+- for k, v in val.items():
+- quoted = escape_item(v, charset, mapping)
+- n[k] = quoted
+- return n
++ raise TypeError("dict can not be used as parameter")
+
+ def escape_sequence(val, charset, mapping=None):
+ n = []
diff --git a/python-PyMySQL.spec b/python-PyMySQL.spec
index c480670..4c7e75c 100644
--- a/python-PyMySQL.spec
+++ b/python-PyMySQL.spec
@@ -1,10 +1,11 @@ Name: python-PyMySQL Version: 0.9.2 -Release: 3 +Release: 4 Summary: Pure Python MySQL Client License: MIT URL: https://pypi.python.org/pypi/PyMySQL/ Source0: https://files.pythonhosted.org/packages/source/P/PyMySQL/PyMySQL-%{version}.tar.gz +Patch0: CVE-2024-36039.patch BuildRequires: python2-cryptography python2-devel python2-setuptools BuildRequires: python3-cryptography python3-devel python3-setuptools @@ -63,5 +64,8 @@ Most public APIs are compatible with mysqlclient and MySQLdb. %changelog +* Fri May 24 2024 wangkai <13474090681@163.com> - 0.9.2-4 +- Fix CVE-2024-36039 + * Fri Feb 14 2020 hy-euler - 0.9.2-3 - Package Initialization -- Gitee
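Review bot: The added `Patch0: CVE-2024-36039.patch` line only declares the patch; neither spec hunk touches `%prep`, which lies outside the hunk, so unless it already uses `%autosetup -p1` or `%autopatch`, the rebuilt 0.9.2-4 package would still ship the original `escape_dict` while the changelog entry in the second hunk claims the CVE is fixed. Confirm that `%prep` contains `%patch0 -p1` (or an `%autosetup -p1`) and, ideally, verify on the built package that `pymysql/converters.py` raises `TypeError` for a dict parameter. The nested patch's `index 1adac752..dbf97ca7` line refers to an upstream tree newer than 0.9.2, so it applies by context match only; checking the build log for fuzz or `.rej` output would confirm it landed cleanly.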