Description: CVE-2024-36039: forbid dict parameter
Author: Inada Naoki <songofacandy@gmail.com>
Date: Sat, 18 May 2024 11:33:30 +0900
Origin: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c.patch
Bug-Debian: https://bugs.debian.org/1071628
Last-Update: 2024-05-28

diff --git a/pymysql/converters.py b/pymysql/converters.py
index 1adac752..dbf97ca7 100644
--- a/pymysql/converters.py
+++ b/pymysql/converters.py
@@ -27,11 +27,7 @@ def escape_item(val, charset, mapping=None):
 
 
 def escape_dict(val, charset, mapping=None):
-    n = {}
-    for k, v in val.items():
-        quoted = escape_item(v, charset, mapping)
-        n[k] = quoted
-    return n
+    raise TypeError("dict can not be used as parameter")
 
 
 def escape_sequence(val, charset, mapping=None):
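Review bot: The new body of `escape_dict` has no docstring or comment saying why a dict is rejected, and the error text gives the caller no reason either. The removed loop shows the reason: only the values went through `escape_item`, while each key `k` was copied into the result unchanged, so a dict with keys from untrusted input (for instance decoded JSON) could carry unescaped text into a query. I would add a docstring such as `"""Always raise TypeError: dict keys were never escaped, so a dict is not a safe query parameter (CVE-2024-36039)."""` and keep the signature unchanged for existing callers. Whether any other entry point accepts a dict without going through this converter is not visible in the hunk and is worth confirming.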
diff --git a/pymysql/tests/test_connection.py b/pymysql/tests/test_connection.py
index ccfc4a32..dcf3394c 100644
--- a/pymysql/tests/test_connection.py
+++ b/pymysql/tests/test_connection.py
@@ -754,13 +754,16 @@
 
         self.assertRaises(TypeError, con.escape, 42, {})
 
-    def test_escape_dict_value(self):
+    def test_escape_dict_raise_typeerror(self):
+        """con.escape(dict) should raise TypeError"""
         con = self.connect()
         cur = con.cursor()
 
         mapping = con.encoders.copy()
         mapping[Foo] = escape_foo
-        self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
+        #self.assertEqual(con.escape({"foo": Foo()}, mapping), {"foo": "bar"})
+        with self.assertRaises(TypeError):
+            con.escape({"foo": Foo()})
 
     def test_escape_list_item(self):
         con = self.connect()
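Review bot: In `test_escape_dict_raise_typeerror` the `mapping` copy with `Foo` registered is still built but no longer passed to `con.escape`, so the test only covers the default encoders and `mapping` is dead code. Passing it, as in `con.escape({"foo": Foo()}, mapping)`, would pin that a dict is also rejected when the caller supplies a custom mapping, which is the path the old assertion exercised. The commented-out `#self.assertEqual(...)` line should be deleted rather than kept, since the commit history already records the old behaviour. The `cur` local is unused as well and could go in the same cleanup.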
