marshmallow 3.26.1__tar.gz → 3.26.2__tar.gz

{marshmallow-3.26.1 → marshmallow-3.26.2}/CHANGELOG.rst

@@ -1,6 +1,14 @@
 Changelog
 ---------
 
+3.26.2 (2025-12-19)
+++++++++++++++++++
+
+Bug fixes:
+
+- :cve:`CVE-2025-68480`: Merge error store messages without rebuilding collections.
+  Thanks 카푸치노 for reporting and :user:`deckar01` for the fix.
+
 3.26.1 (2025-02-03)
 *******************
 

{marshmallow-3.26.1 → marshmallow-3.26.2}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: marshmallow
-Version: 3.26.1
+Version: 3.26.2
 Summary: A lightweight library for converting complex datatypes to and from native Python datatypes.
 Author-email: Steven Loria <sloria1@gmail.com>
 Maintainer-email: Steven Loria <sloria1@gmail.com>, Jérôme Lafréchoux <jerome@jolimont.fr>, Jared Deckard <jared@shademaps.com>
@@ -15,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+License-File: LICENSE
 Requires-Dist: packaging>=17.0
 Requires-Dist: marshmallow[tests] ; extra == "dev"
 Requires-Dist: tox ; extra == "dev"

{marshmallow-3.26.1 → marshmallow-3.26.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "marshmallow"
-version = "3.26.1"
+version = "3.26.2"
 description = "A lightweight library for converting complex datatypes to and from native Python datatypes."
 readme = "README.rst"
 license = { file = "LICENSE" }
@@ -121,7 +121,7 @@ ignore = [
 [tool.mypy]
 files = ["src", "tests", "examples"]
 ignore_missing_imports = true
-warn_unreachable = true
+warn_unreachable = false
 warn_unused_ignores = true
 warn_redundant_casts = true
 no_implicit_optional = true

{marshmallow-3.26.1 → marshmallow-3.26.2}/src/marshmallow/error_store.py

@@ -18,6 +18,7 @@ class ErrorStore:
         # field error  -> store/merge error messages under field name key
         # schema error -> if string or list, store/merge under _schema key
         #              -> if dict, store/merge with other top-level keys
+        messages = copy_containers(messages)
         if field_name != SCHEMA or not isinstance(messages, dict):
             messages = {field_name: messages}
         if index is not None:
@@ -25,6 +26,14 @@ class ErrorStore:
         self.errors = merge_errors(self.errors, messages)
 
 
+def copy_containers(errors):
+    if isinstance(errors, list):
+        return [copy_containers(val) for val in errors]
+    if isinstance(errors, dict):
+        return {key: copy_containers(val) for key, val in errors.items()}
+    return errors
+
+
 def merge_errors(errors1, errors2):  # noqa: PLR0911
     """Deeply merge two error messages.
 
@@ -37,24 +46,26 @@ def merge_errors(errors1, errors2):  # noqa: PLR0911
         return errors1
     if isinstance(errors1, list):
         if isinstance(errors2, list):
-            return errors1 + errors2
+            errors1.extend(errors2)
+            return errors1
         if isinstance(errors2, dict):
-            return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
-        return [*errors1, errors2]
+            errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+            return errors2
+        errors1.append(errors2)
+        return errors1
     if isinstance(errors1, dict):
-        if isinstance(errors2, list):
-            return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
         if isinstance(errors2, dict):
-            errors = dict(errors1)
             for key, val in errors2.items():
-                if key in errors:
-                    errors[key] = merge_errors(errors[key], val)
+                if key in errors1:
+                    errors1[key] = merge_errors(errors1[key], val)
                 else:
-                    errors[key] = val
-            return errors
-        return dict(errors1, **{SCHEMA: merge_errors(errors1.get(SCHEMA), errors2)})
+                    errors1[key] = val
+            return errors1
+        errors1[SCHEMA] = merge_errors(errors1.get(SCHEMA), errors2)
+        return errors1
     if isinstance(errors2, list):
         return [errors1, *errors2]
     if isinstance(errors2, dict):
-        return dict(errors2, **{SCHEMA: merge_errors(errors1, errors2.get(SCHEMA))})
+        errors2[SCHEMA] = merge_errors(errors1, errors2.get(SCHEMA))
+        return errors2
     return [errors1, errors2]

{marshmallow-3.26.1 → marshmallow-3.26.2}/src/marshmallow/schema.py

@@ -374,7 +374,7 @@ class Schema(base.SchemaABC, metaclass=SchemaMeta):
 
                 class MySchema2(Schema):
                     # Type checkers will check attributes
-                    class Meta(Schema.Opts):
+                    class Meta(Schema.Meta):
                         additional = True  # Incompatible types in assignment
 
         .. versionremoved:: 3.0.0b7 Remove ``strict``.
@@ -1139,7 +1139,7 @@ class Schema(base.SchemaABC, metaclass=SchemaMeta):
                 msg = (
                     f'Field for "{field_name}" must be declared as a '
                     "Field instance, not a class. "
-                    f'Did you mean "fields.{field_obj.__name__}()"?'  # type: ignore[attr-defined]
+                    f'Did you mean "fields.{field_obj.__name__}()"?'
                 )
                 raise TypeError(msg) from error
             raise

{marshmallow-3.26.1 → marshmallow-3.26.2}/tests/test_error_store.py

@@ -1,7 +1,7 @@
 from typing import NamedTuple
 
 from marshmallow import missing
-from marshmallow.error_store import merge_errors
+from marshmallow.error_store import ErrorStore, merge_errors
 
 
 def test_missing_is_falsy():
@@ -149,3 +149,19 @@ class TestMergeErrors:
         assert merge_errors(
             {"field1": {"field2": "error1"}}, {"field1": {"field2": "error2"}}
         ) == {"field1": {"field2": ["error1", "error2"]}}
+
+    def test_list_not_changed(self):
+        store = ErrorStore()
+        message = ["foo"]
+        store.store_error(message)
+        store.store_error(message)
+        assert message == ["foo"]
+        assert store.errors == {"_schema": ["foo", "foo"]}
+
+    def test_dict_not_changed(self):
+        store = ErrorStore()
+        message = {"foo": ["bar"]}
+        store.store_error(message)
+        store.store_error(message)
+        assert message == {"foo": ["bar"]}
+        assert store.errors == {"foo": ["bar", "bar"]}