summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Python 3.8.20v3.8.203.8Łukasz Langa2024-09-0621-61/+206
|
* [3.8] [CVE-2023-27043] gh-102988: Reject malformed addresses in ↵Petr Viktorin2024-09-065-21/+371
| | | | | | | | | | | | | | email.parseaddr() (GH-111116) (#123770) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
* [3.8] gh-123678: Upgrade libexpat 2.6.3 (#123712)Seth Michael Larson2024-09-054-15/+36
| | | (cherry picked from commit fdc04ad75a410ed3af99edfc32c38b5fc3375f52)
* [3.8] gh-112275: Fix HEAD_LOCK deadlock in child process after fork ↵Miss Islington (bot)2024-09-052-1/+4
| | | | | | | | | | | (GH-112336) (GH-123688) (#123713) HEAD_LOCK is called from _PyEval_ReInitThreads->_PyThreadState_DeleteExcept before _PyRuntimeState_ReInitThreads reinit runtime->interpreters.mutex which might be locked before fork. (cherry picked from commit 522799a05e3e820339718151ac055af6d864d463) (cherry picked from commit 0152431f179e85f582a4c393aa3b99d3918a1109) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: ChuBoning <102216855+ChuBoning@users.noreply.github.com>
* [3.8] gh-119690: Fixes buffer type confusion in _winapi.CreateFile and ↵Miss Islington (bot)2024-09-042-2/+4
| | | | | | | _winapi.CreateNamedPipe audit events (GH-119735) (#123680) (cherry picked from commit 2e861ac1cd4359463f6a13efd3d3578fce71e5ab) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.8] gh-67693: Fix urlunparse() and urlunsplit() for URIs with path ↵Serhiy Storchaka2024-09-043-4/+70
| | | | | | | starting with multiple slashes and no authority (GH-113563) (#119028) (cherry picked from commit e237b25a4fa5626fcd1b1848aa03f725f892e40e) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-121285: Remove backtracking when parsing tarfile headers ↵Seth Michael Larson2024-09-043-38/+111
| | | | | | | | | | | | | | (GH-121286) (#123642) * Remove backtracking when parsing tarfile headers * Rewrite PAX header parsing to be stricter * Optimize parsing of GNU extended sparse headers v0.0 (cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.8] gh-123270: Replaced SanitizedNames with a more surgical fix. ↵Jason R. Coombs2024-09-043-2/+87
| | | | | | | | | | | (GH-123354) (#123433) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6) (cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860) (cherry picked from commit 66d3383) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* [3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values ↵Miss Islington (bot)2024-09-043-26/+47
| | | | | | | | with backslashes (GH-123075) (#123108) This fixes CVE-2024-7592. (cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] gh-121650: Encode newlines in headers, and verify headers are sound ↵Łukasz Langa2024-09-0410-4/+165
| | | | | | | | | | | | | | | | | | | | | | | | | (GH-122233) (#122611) Per RFC 2047: > [...] these encoding schemes allow the > encoding of arbitrary octet values, mail readers that implement this > decoding should also ensure that display of the decoded data on the > recipient's terminal will not cause unwanted side-effects It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters. They do need to be properly quoted when serialized to text, though. This should fail for custom fold() implementations that aren't careful about newlines. (cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] gh-122133: Rework pure Python socketpair tests to avoid use of ↵Miss Islington (bot)2024-08-022-77/+64
| | | | | | | | importlib.reload. (GH-122493) (GH-122509) (cherry picked from commit f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660) Co-authored-by: Russell Keith-Magee <russell@keith-magee.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.8] gh-122133: Authenticate socket connection for `socket.socketpair()` ↵Miss Islington (bot)2024-07-303-3/+147
| | | | | | | | | | | fallback (GH-122134) (GH-122429) Authenticate socket connection for `socket.socketpair()` fallback when the platform does not have a native `socketpair` C API. We authenticate in-process using `getsocketname` and `getpeername` (thanks to Nathaniel J Smith for that suggestion). (cherry picked from commit 78df1043dbdce5c989600616f9f87b4ee72944e5) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-121957: Emit audit events for python -i and python -m asyncio ↵Łukasz Langa2024-07-225-0/+34
| | | | (GH-122121)
* [3.8] gh-112769: test_zlib: test_zlib: Fix comparison of ↵Ned Deily2024-05-302-12/+18
| | | | | | | | | ZLIB_RUNTIME_VERSION with non-int suffix (GH-112771) (GH-119567) zlib-ng defines the version as "1.3.0.zlib-ng". (cherry picked from commit d384813) Co-authored-by: Miro Hrončok miro@hroncok.cz
* [3.8] gh-118486: Support mkdir(mode=0o700) on Windows (GH-118488) (GH-118742)Steve Dower2024-05-246-3/+108
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-114572: Fix locking in cert_store_stats and get_ca_certs (#118442)Seth Michael Larson2024-05-102-3/+92
| | | (cherry picked from commit 732c7d512e7cdf656a3f02a38c329b14a14a8573)
* [3.8] gh-113171: gh-65056: Fix "private" (non-global) IP address ranges ↵Petr Viktorin2024-05-076-21/+195
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (GH-113179) (GH-113186) (GH-118177) (GH-118479) The _private_networks variables, used by various is_private implementations, were missing some ranges and at the same time had overly strict ranges (where there are more specific ranges considered globally reachable by the IANA registries). This patch updates the ranges with what was missing or otherwise incorrect. 100.64.0.0/10 is left alone, for now, as it's been made special in [1]. The _address_exclude_many() call returns 8 networks for IPv4, 121 networks for IPv6. [1] https://github.com/python/cpython/issues/61602 In 3.10 and below, is_private checks whether the network and broadcast address are both private. In later versions (where the test wss backported from), it checks whether they both are in the same private network. For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private, but one is in 0.0.0.0/8 ("This network") and the other in 255.255.255.255/32 ("Limited broadcast"). --------- Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
* [3.8] gh-116741: Upgrade libexpat to 2.6.2 (GH-117296) (GH-118188)Seth Michael Larson2024-05-074-16/+37
| | | (cherry picked from commit c9829eec0883a8991ea4d319d965e123a3cf6c20)
* [3.8] gh-114539: Clarify implicit launching of shells by subprocess ↵Miss Islington (bot)2024-05-071-2/+10
| | | | | | | (GH-117996) (GH-118006) (cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.8] gh-116773: Fix overlapped memory corruption crash (GH-116774) (GH-117083)jkriegshauser2024-03-274-12/+71
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-117187: Fix XML tests for vanilla Expat <2.6.0 (GH-117203) (#117248)Miss Islington (bot)2024-03-273-9/+9
| | | | | | | This fixes XML unittest fallout from the https://github.com/python/cpython/issues/115398 security fix. When configured using `--with-system-expat` on systems with older pre 2.6.0 versions of libexpat, our unittests were failing. (cherry picked from commit 9f74e86c78853c101a23e938f8e32ea838d8f62e) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
* Post 3.8.19Łukasz Langa2024-03-191-1/+1
|
* Python 3.8.19v3.8.19Łukasz Langa2024-03-1917-40/+152
|
* [3.8] gh-115197: Stop resolving host in urllib.request proxy bypass ↵Miss Islington (bot)2024-03-193-44/+64
| | | | | | | | (GH-115210) (GH-116069) Use of a proxy is intended to defer DNS for the hosts to the proxy itself, rather than a potential for information leak of the host doing DNS resolution itself for any reason. Proxy bypass lists are strictly name based. Most implementations of proxy support agree. (cherry picked from commit c43b26d02eaa103756c250e8d36829d388c5f3be) Co-authored-by: Weii Wang <weii.wang@canonical.com>
* [3.8] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) ↵Sebastian Pipping2024-03-0614-20/+435
| | | | | | | | | | | | | | | | | | (GH-115623) (GH-116275) Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods: - `xml.etree.ElementTree.XMLParser.flush` - `xml.etree.ElementTree.XMLPullParser.flush` - `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled` - `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` - `xml.sax.expatreader.ExpatParser.flush` Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 . Includes code suggested-by: Snild Dolkow <snild@sony.com> and by core dev Serhiy Storchaka. Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.8] gh-107077: Raise SSLCertVerificationError even if the error is set via ↵Miss Islington (bot)2024-02-212-0/+10
| | | | | | | | | | SSL_ERROR_SYSCALL (GH-107586) (GH-107591) (cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: T. Wouters <thomas@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115475)Seth Michael Larson2024-02-2112-262/+402
| | | | | | Manual backport due to code differences. (cherry picked from commit e071b0d558b2f5cddd5a9fc6afadb4ba109ec77e) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" ↵Miss Islington (bot)2024-02-212-0/+14
| | | | | | | | (GH-115400) (GH-115764) Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities" (cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
* [3.8] gh-97032: avoid test_squeezer crash on macOS buildbots (GH-115508) ↵Miss Islington (bot)2024-02-211-0/+1
| | | | | | | (GH-115656) (cherry picked from commit 17a6533dbf5ffdfd707c1514a61423d9ac59a9cb) Co-authored-by: Ned Deily <nad@python.org>
* [3.8] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-115164) ↵Seth Michael Larson2024-02-212-22/+40
| | | | | | | | | (GH-115536) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] gh-115349: Pin theme to fix code snippets (GH-115351) (#115404)Łukasz Langa2024-02-131-1/+1
| | | | | (cherry picked from commit 3fcea416f8261790ce700c52c4262ccb668716d6) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* [3.8] Add missing sections to blurbs (GH-114553) (GH-115340)Miss Islington (bot)2024-02-133-0/+3
| | | | | | Add missing sections to blurbs (GH-114553) (cherry picked from commit dc8893af7df706138161d82ce7d1d2f9132d14f9) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* [3.8] gh-111239: Update Windows build to use zlib 1.3.1 (GH-114877) (#115086)Łukasz Langa2024-02-063-2/+3
| | | | | (cherry picked from commit 618d7256e78da8200f6e2c6235094a1ef885dca4) Co-authored-by: Zachary Ware <zach@python.org>
* [3.8] gh-107888: Fix test_mmap.test_access_parameter() on macOS 14 ↵Miss Islington (bot)2024-01-171-4/+9
| | | | | | | (GH-109928) (GH-114183) (cherry picked from commit 9dbfe2dc8e7bba25e52f9470ae6969821a365297) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.8] gh-109991: Update Windows build to use OpenSSL 1.1.1w (GH-111266)Zachary Ware2024-01-173-4/+8
| | | | | (cherry picked from commit dcb16c98be61630369227f0d893f8d9262d25cac) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.8] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup ↵Serhiy Storchaka2024-01-173-10/+136
| | | | | | | (GH-99930) (GH-112843) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) Co-authored-by: Søren Løvborg <sorenl@unity3d.com>
* [3.8] bpo-37013: Fix the error handling in socket.if_indextoname() ↵Miss Islington (bot)2024-01-173-5/+27
| | | | | | | | | (GH-13503) (GH-113474) * Fix a crash when pass UINT_MAX. * Fix an integer overflow on 64-bit non-Windows platforms. (cherry picked from commit 0daf555c6fb3feba77989382135a58215e1d70a5) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* [3.8] gh-108310: Fix TestPreHandshakeClose tests in test_ssl (#110718)Lumír 'Frenzy' Balhar2024-01-172-6/+11
| | | | | | | | | The new class is part of the fix for CVE-2023-40217: https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba278f89b but it's not in the lists of tests so they're not executed. The new tests also need `SHORT_TIMEOUT` constant not available in test.support in 3.8. Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-113659: Skip hidden .pth files (GH-113660) (GH-114147)Serhiy Storchaka2024-01-173-1/+50
| | | | Skip .pth files with names starting with a dot or hidden file attribute. (cherry picked from commit 74208ed0c440244fb809d8acc97cb9ef51e888e3)
* [3.8] gh-114021: Pin various sphinxcontrib extensions to older versions ↵Adam Turner2024-01-172-0/+26
| | | | | | | (GH-114022) (GH-114040) (cherry picked from commit 94b1d1fa38ada8cf7d196184a04a195c152eed75) Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* [3.8] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) ↵Serhiy Storchaka2024-01-173-0/+75
| | | | | | | (GH-113916) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
* [3.8] Fix documentation build by pinning Alabaster version to 0.7.13 ↵Miss Islington (bot)2024-01-101-0/+2
| | | | | | | | | | | (GH-113815) (#113899) Alabaster is Sphinx's dependency. Alabaster 0.7.14 released on 2024-01-08 dropped support for Sphinx 3.3 and earlier. (cherry picked from commit f86e20e4a86de4a06c04200c55e6f639f6795257) https://alabaster.readthedocs.io/en/latest/changelog.html Co-authored-by: Maciej Olko <maciej.olko@affirm.com>
* [3.8] gh-112160: Add 'regen-configure' make target (#112167)Seth Michael Larson2023-12-065-5/+42
|
* [3.8] gh-101180: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs ↵Łukasz Langa2023-11-063-3/+53
| | | | | | | read out of bounds (gh-111695) (gh-111781) (cherry picked from commit c8faa3568afd255708096f6aa8df0afa80cf7697) Co-authored-by: Masayuki Moriyama <masayuki.moriyama@miraclelinux.com>
* [3.8] CI: Bump GitHub Actions (GH-108879) (#108894)Hugo van Kemenade2023-09-075-16/+16
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-109002: Ensure only one wheel for each vendored package (GH-109003) ↵Miss Islington (bot)2023-09-061-4/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (#109009) Output with one wheel: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py Verifying checksum for /Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl. Expected digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be Actual digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be ::notice file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Successfully verified the checksum of the pip wheel. ``` Output with two wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl::Found more than one wheel for package pip. ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Found more than one wheel for package pip. ``` Output without wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=::Could not find a pip wheel on disk. ``` (cherry picked from commit f8a047941f2e4a1848700c21d58a08c9ec6a9c68) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-101997: Remove stale pip-22.0.4-py3-none-any.whl from the 3.8 ↵Łukasz Langa2023-09-061-0/+0
| | | | | branch (#108998) This was left over in gh-102244.
* [3.8] Add a dummy .rtfd.yml file to silence invalid failing webhooks ↵Miss Islington (bot)2023-09-051-0/+12
| | | | | | | | (GH-108908) (#108926) (cherry picked from commit 5970435b26fc85c83490bc915c894ea7dd0fbf21) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
* Post 3.8.18Łukasz Langa2023-08-241-1/+1
|
* Fix invalid string escapeŁukasz Langa2023-08-241-2/+2
|
generated by cgit v0.12 at 2025-12-26 19:25:52 (GMT)