Commit message | Author | Date | Files | Lines

* Add empty 2.7.18 NEWS file. [v2.7.18, 2.7] | Benjamin Peterson | 2020-04-19 | 1 | -0/+8

* Bump version to 2.7.18. | Benjamin Peterson | 2020-04-19 | 1 | -3/+3

* Remove incorrect comma. (GH-19604) | Benjamin Peterson | 2020-04-19 | 1 | -1/+1

* [2.7] Doc: Add an optional obsolete header. (GH-19229) | Leonard Richardson | 2020-04-18 | 3 | -0/+21

* Bump version to 2.7.18rc1. [v2.7.18rc1] | Benjamin Peterson | 2020-04-04 | 2 | -5/+5

* Make 2.7.18rc1 release notes. | Benjamin Peterson | 2020-04-04 | 10 | -16/+89

* Update macOS installer build for 2.7.18 end-of-life. (GH-19352) | Ned Deily | 2020-04-04 | 4 | -27/+27

* [2.7] closes bpo-40125: Update multissltests.py to use OpenSSL 1.1.1f. (GH-19251) | Benjamin Peterson | 2020-04-01 | 1 | -3/+3
    (cherry picked from commit cd16661f903153ecac55f190ed682e576c5deb24)

* [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052) | Matěj Cepl | 2020-03-19 | 4 | -8/+53
    Add host validation for control characters for more CVE-2019-18348 protection.
    (cherry picked from commit 83fc70159b24)
    Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

* Doc: Change Python 2 status to EOL. (GH-17885) | Miss Islington (bot) | 2020-01-07 | 1 | -1/+1
    (cherry picked from commit f4800b8ed3dbe15a0078869a836d968ab3362b8c)
    Co-authored-by: Inada Naoki <songofacandy@gmail.com>

* bpo-27973 - Use test.support.temp_dir instead of NamedTemporaryFile for the desired behavior under the Windows platform. (#17774) | Senthil Kumaran | 2020-01-04 | 1 | -4/+4
    Suggestion by David Bolen

* Update copyright year in macOS installer license copy (GH-17806) | Miss Islington (bot) | 2020-01-03 | 1 | -3/+3
    (cherry picked from commit 32f1443aa98db769d87db497b45bd0dcb732445b)
    Co-authored-by: Ned Deily <nad@python.org>

* [2.7] Bring Python into the next decade. (GH-17805) | Benjamin Peterson | 2020-01-03 | 7 | -7/+7
    (cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53)
    Co-authored-by: Benjamin Peterson <benjamin@python.org>

* [2.7] bpo-27973 - Fix for urllib.urlretrieve() failing on second ftp transfer (#1040) | Senthil Kumaran | 2019-12-31 | 3 | -1/+46
    * bpo-27973: Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host.
    * bpo-35411: Skip test_urllibnet FTP tests on Travis CI.

* [2.7] Minor C API documentation improvements. (GH-17699) | Benjamin Peterson | 2019-12-25 | 1 | -1/+1
    (cherry picked from commit 5c7ed7550ec2da16d7679e538fcd7c1a5631811f)
    Co-authored-by: William Ayd <william.ayd@icloud.com>

* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS Catalina (GH-17636) | Miss Islington (bot) | 2019-12-17 | 2 | -1/+2
    (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
    Co-authored-by: Ned Deily <nad@python.org>

* bpo-38730: Replace strncpy in import.c with memcpy. (GH-17633) | Benjamin Peterson | 2019-12-17 | 1 | -3/+3
    In all these cases, we know the exact length we want copied, so memcpy is the right function to use.

* bpo-39035: travis: Don't use beta group (GH-17605) | Inada Naoki | 2019-12-14 | 1 | -1/+0

* [2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418). (#17452) | Matthew Rollings | 2019-12-03 | 4 | -0/+22
    (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
    Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>

* document threading.Lock.locked() (GH-17427) | Miss Islington (bot) | 2019-12-01 | 1 | -0/+4
    (cherry picked from commit fdafa1d0ed0a8930b52ee81e57c931cc4d5c2388)
    Co-authored-by: idomic <michael.ido@gmail.com>

* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (GH-17345) | Victor Stinner | 2019-11-24 | 4 | -8/+29
    The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

    LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server.

    Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

    The regex contained multiple overlapping \s* capture groups.

    Ignoring the ?-optional capture groups the regex could be simplified to

        \d+-\w+-\d+(\s*\s*\s*)$

    Therefore, a long sequence of spaces can trigger bad performance.

    Matching a malicious string such as

        LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

    caused catastrophic backtracking.

    The fix removes ambiguity about which \s* should match a particular space.

    You can create a malicious server which responds with Set-Cookie headers to attack all Python programs which access it e.g.

        from http.server import BaseHTTPRequestHandler, HTTPServer

        def make_set_cookie_value(n_spaces):
            spaces = " " * n_spaces
            expiry = f"1-c-1{spaces}!"
            return f"b;Expires={expiry}"

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                self.log_request(204)
                self.send_response_only(204)  # Don't bother sending Server and Date
                n_spaces = (
                    int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                    if len(self.path) > 1
                    else 65506  # Max header line length 65536
                )
                value = make_set_cookie_value(n_spaces)
                for i in range(99):  # Not necessary, but we can have up to 100 header lines
                    self.send_header("Set-Cookie", value)
                self.end_headers()

        if __name__ == "__main__":
            HTTPServer(("", 44020), Handler).serve_forever()

    This server returns 99 Set-Cookie headers. Each has 65506 spaces.

    Extracting the cookies will pretty much never complete.

    Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

        import http.cookiejar, urllib.request
        cj = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        r = opener.open("http://localhost:44020/")

    The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

        import requests
        requests.get("http://localhost:44020/")

    * Regression test for http.cookiejar REDoS

    If we regress, this test will take a very long time.

    * Improve performance of http.cookiejar.ISO_DATE_RE

    A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

    (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)

* bpo-38730: Remove usage of stpncpy as it's not supported on MSVC 2008. (GH-17081) | Benjamin Peterson | 2019-11-07 | 1 | -1/+6

* [2.7] bpo-38730: Fix -Wstringop-truncation warnings. (GH-17075) | Benjamin Peterson | 2019-11-07 | 8 | -18/+19

* bpo-37731: Squish another _POSIX_C_SOURCE redefinition problem in expat. (GH-17077) | Benjamin Peterson | 2019-11-07 | 1 | -6/+6

* bpo-37731: Reorder includes in xmltok.c to avoid redefinition of _POSIX_C_SOURCE (GH-16733) | Miss Islington (bot) | 2019-11-07 | 1 | -8/+8
    (cherry picked from commit 8177404d520e81f16324a900f093adf3856d33f8)
    Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>

* bpo-38557: Improve documentation for list and tuple C API. (GH-16925) | Miss Skeleton (bot) | 2019-10-26 | 3 | -12/+19
    (cherry picked from commit d898d20e8c228229eb68e545f544db13f246f216)
    Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

* [2.7] bpo-38535: Fix positions for AST nodes for calls without arguments in decorators. (GH-16861). (GH-16931) | Serhiy Storchaka | 2019-10-26 | 3 | -2/+14
    (cherry picked from commit 26ae9f6d3d755734c9f371b9356325afe5764813)

* Update URL in macOS installer copy of license (GH-16905) | Miss Skeleton (bot) | 2019-10-23 | 1 | -1/+1
    (cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad)
    Co-authored-by: Ned Deily <nad@python.org>

* bpo-37025: AddRefActCtx() shouldn't be checked for failure (GH-16897) | Zackery Spytz | 2019-10-23 | 2 | -5/+12
    AddRefActCtx() does not return a value.

* Fix Zope URL (GH-16880) | Miss Skeleton (bot) | 2019-10-22 | 1 | -1/+1
    (cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f)
    Co-authored-by: Kyle Stanley <aeros167@gmail.com>

* [2.7] bpo-38540: Fix possible leak in PyArg_Parse for "es#" and "et#". (GH-16869). (GH-16877) | Serhiy Storchaka | 2019-10-21 | 2 | -1/+16
    (cherry picked from commit 5bc6a7c06eda20ba131ecba6752be0506d310181)

* Work around Path.glob() issue when creating nuget package (GH-16855) | Steve Dower | 2019-10-20 | 1 | -1/+1

* 2.2.17+ | Benjamin Peterson | 2019-10-19 | 1 | -1/+1

* Empty blurb file for 2.7.17. [v2.7.17] | Benjamin Peterson | 2019-10-19 | 1 | -0/+8

* Bump version to 2.7.17 final. | Benjamin Peterson | 2019-10-19 | 1 | -3/+3

* Update doc switcher list for 3.8.0 (GH-16809) | Miss Islington (bot) | 2019-10-19 | 1 | -1/+1
    (cherry picked from commit 3f36043db22361500f52634f2b8de49dde0e7da9)
    Co-authored-by: Ned Deily <nad@python.org>

* Update build docs for macOS (GH-16844) | Ned Deily | 2019-10-19 | 3 | -90/+85

* bpo-32758: Warn that ast.parse() and ast.literal_eval() can segfault the interpreter (GH-5960) (GH-16565) | Ashley Whetter | 2019-10-18 | 1 | -0/+10
    (cherry picked from commit 7a7f100eb352d08938ee0f5ba59c18f56dc4a7b5)
    Co-authored-by: Brett Cannon <brettcannon@users.noreply.github.com>

* bpo-32758: Warn that compile() can crash when compiling to an AST object (GH-6043) (GH-16566) | Ashley Whetter | 2019-10-18 | 1 | -0/+6
    (cherry picked from commit f7a6ff6fcab32a53f262ba3f8a072c27afc330d7)
    Co-authored-by: Brett Cannon <brettcannon@users.noreply.github.com>

* Doc: 3.8 is now stable. (GH-16790) (GH-16794) | Miss Islington (bot) | 2019-10-14 | 1 | -1/+1
    (cherry picked from commit 4504b4500d2a1a80c26b27b0bfff8b624d5ce06c)
    Co-authored-by: Julien Palard <julien@palard.fr>

* [2.7] Update macOS installer display files for 2.7.17 (GH-16768) | Ned Deily | 2019-10-14 | 4 | -163/+83

* [2.7] bpo-31036: Allow sphinx and blurb to be found automatically (GH-16638) | Benjamin Peterson | 2019-10-08 | 2 | -7/+14
    Rather than requiring the path to blurb and/or sphinx-build to be specified to the make rule, enhance the Doc/Makefile to look for each first in a virtual environment created by make venv and, if not found, look on the normal process PATH. This allows the Doc/Makefile to take advantage of an installed sphinx-build or blurb and, thus, do the right thing most of the time. Also, make the directory for the venv be configurable and document the `make venv` target.
    (cherry picked from commit 590665c399fc4aa3c4a9f8e7104d43a02e9f3a0c)
    Co-authored-by: Ned Deily <nad@python.org>

* bpo-35036: Remove empty log line in the suspicious.py tool (GH-10024) | Miss Islington (bot) | 2019-10-08 | 1 | -1/+0
    Previous to commit ee171a2 the log line was working because self.info() (now deprecated) defaults to an empty message.
    (cherry picked from commit c3f52a59ce8406d9e59253ad4621e4749abdaeef)
    Co-authored-by: Xtreak <tirkarthi@users.noreply.github.com>

* bpo-31589: Build PDF using xelatex for better UTF8 support. (GH-3940) | Miss Islington (bot) | 2019-10-08 | 1 | -3/+2
    Also addresses doc build failures documented in bpo-32200.
    (cherry picked from commit 7324b5ce8e7c031a0a3832a6a8d7c639111ae0ff)
    Co-authored-by: Julien Palard <julien@palard.fr>

* [2.7] Stop using deprecated logging API in Sphinx suspicious checker (GH-16635) | Benjamin Peterson | 2019-10-08 | 3 | -7/+10
    (cherry picked from commit ee171a26c1169abfae534b08acc0d95c6e45a22a)
    Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>

* Update macOS installer displays for 2.7.17rc1 (#16634) [v2.7.17rc1] | Ned Deily | 2019-10-08 | 2 | -3/+16

* Bump version to 2.7.17rc1. | Benjamin Peterson | 2019-10-08 | 2 | -5/+5

* Roll up news for 2.7.17rc1. | Benjamin Peterson | 2019-10-08 | 80 | -146/+785

* [2.7] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16476) | Jason R. Coombs | 2019-10-08 | 3 | -11/+40
    Backporting this change, I observe a couple of things:

    1. The _encode_request call is no longer meaningful because the request construction will implicitly encode the request using the default encoding when the format string is used (request = '%s %s %s'...). In order to keep the code as consistent as possible, I decided to include the call as a pass-through. I'd be just as happy to remove it entirely, but I'll leave that up to the reviewer to decide. It's okay that this functionality is disabled on Python 2 because this functionality was mainly around bpo-36274, which was mainly a concern with the transition to Python 3.

    2. Because _encode_request is no longer meaningful, neither is the test for it, so I've removed that test. Therefore, the meaningful part of this test is that for bpo-38216, adding an (underscore-protected) hook to customize/disable validation.

    (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
    Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>

* [2.7] bpo-37664: Update ensurepip bundled wheels, again (GH-16633) | Benjamin Peterson | 2019-10-08 | 4 | -2/+3
    (cherry picked from commit 10c452b894d95fed06056fe11e8fe8e1a2a60040)
    Co-authored-by: Pradyun Gedam <pradyunsg@gmail.com>