| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and 6.17.x (GH-139552) (GH-139762)
Currently, Fedora 42 uses a custom Linux Kernel 6.16.9 that backported an upstream change
from 6.17-rc7 [1,3] but not its subsequent fix [2]. Until the issue is resolved upstream,
we skip the failing test `test_socket.test_aead_aes_gcm` for kernel versions between 6.16
and 6.17.x.
[1] https://github.com/torvalds/linux/commit/1b34cbbf4f011a121ef7b2d7d6e6920a036d5285
[2] https://github.com/torvalds/linux/commit/d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb.
[3] https://gitlab.com/cki-project/kernel-ark/-/commit/45bcf60fe49b37daab1acee57b27211ad1574042
(cherry picked from commit 41712c4e095b2cc988febfe3887616c2779c6210)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
record (GH-139702) (GH-139708) (GH-139713)
(cherry picked from commit 333d4a6f4967d3ace91492a39ededbcf3faa76a6)
Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-137774) (GH-139659)
"] ]>" and "]] >" no longer end the CDATA section.
Make CDATA section parsing context depending.
Add private method HTMLParser._set_support_cdata() to change the context.
If called with True, "<[CDATA[" starts a CDATA section which ends with "]]>".
If called with False, "<[CDATA[" starts a bogus comments which ends with ">".
(cherry picked from commit 0cbbfc462119b9107b373c24d2bda5a1271bed36)
(cherry picked from commit dcf24768c918c41821cda6fe6a1aa20ce26545dd)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`pyexpat` (GH-139403) (#139612)
* gh-139400: Make sure that parent parsers outlive their subparsers in `pyexpat` (#139403)
* Modules/pyexpat.c: Disallow collection of in-use parent parsers.
Within libexpat, a parser created via `XML_ExternalEntityParserCreate`
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, is was possible for the parent parser to be
garbage-collected too early.
(cherry picked from commit 6edb2ddb5f3695cf4938979d645f31d7fba43ec8)
* Move news item from section "Core and Builtins" to section "Security"
|
| | |
|
| | |
|
| |
|
|
|
| |
gh-138998: Upgrade vendored expat to 2.7.2 (#138999)
(cherry picked from commit 64c876dd6812ade19cb7a0c619111d30f0b2b860)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-138796)
ensurepip installs a bundled copy of distutils, which overrides
the stdlib module. This affects several tests. This commit:
- skips distutils in test___all__, as we're unlikely to break
`__all__` in a security-fix-only branch (and if we do it's not
much of a a big deal)
- skips importability tests of distutils submodules if the
setuptools hack is detected
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Emma Smith <emma@emmatyping.dev>
|
| |
|
|
|
|
|
|
| |
* [3.11] gh-138744: GitHub Actions: pin to `windows-2022` (GH-138743)
(cherry picked from commit 6e78a539bfb406238ec251ba01b7a1819e5c303e)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* Update .azure-pipelines/libffi-build.yml
|
| |
|
|
|
| |
Adapted from GH-137989.
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
|
| |
|
|
|
|
|
|
| |
HTMLParser (GH-135310) (GH-137782)
(cherry picked from commit 4d02f31cdd45d81b95540d9076222b709d4f2335)
Co-authored-by: Timon Viola <44016238+timonviola@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
| |
|
|
|
|
|
|
|
| |
are non-negative (GH-137027) (#137172)
gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
| |
separator in HTMLParser (GH-136908) (GH-136920)
This fixes a regression introduced in GH-135930.
(cherry picked from commit dee650189497735edbc08a54edabb5b06ef1bd09)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the HTML5 standard (GH-135930) (GH-136268) (#136291)
* Whitespaces no longer accepted between `</` and the tag name.
E.g. `</ script>` does not end the script section.
* Vertical tabulation (`\v`) and non-ASCII whitespaces no longer recognized
as whitespaces. The only whitespaces are `\t\n\r\f `.
* Null character (U+0000) no longer ends the tag name.
* Attributes and slashes after the tag name in end tags are now ignored,
instead of terminating after the first `>` in quoted attribute value.
E.g. `</script/foo=">"/>`.
* Multiple slashes and whitespaces between the last attribute and closing `>`
are now ignored in both start and end tags. E.g. `<a foo=bar/ //>`.
* Multiple `=` between attribute name and value are no longer collapsed.
E.g. `<a foo==bar>` produces attribute "foo" with value "=bar".
* Whitespaces between the `=` separator and attribute name or value are no
longer ignored. E.g. `<a foo =bar>` produces two attributes "foo" and
"=bar", both with value None; `<a foo= bar>` produces two attributes:
"foo" with value "" and "bar" with value None.
* Fix data loss after unclosed script or style tag (gh-86155).
Also backport test.support.subTests() (gh-135120).
---------
(cherry picked from commit 0243f97cbadec8d985e63b1daec5d1cbc850cae3)
(cherry picked from commit c555f889c3558a0a8cd8d8ecc2b493014b88a700)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: Waylan Limberg <waylan.limberg@icloud.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
standard (GH-135664) (GH-136274)
* "--!>" now ends the comment.
* "-- >" no longer ends the comment.
* Support abnormally ended empty comments "<-->" and "<--->".
---------
(cherry picked from commit 8ac7613dc8b8f82253d7c0e2b6ef6ed703a0a1ee)
Co-author: Kerim Kabirov <the.privat33r+gh@pm.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
| |
|
|
|
|
|
| |
HTMLParser (GH-135464) (GH-135484)
End-of-file errors are now handled according to the HTML5 specs --
comments and declarations are automatically closed, tags are ignored.
(cherry picked from commit 6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-127813) (#135463)
[3.12] gh-127563: use `dk_log2_index_bytes=3` in empty dicts (GH-127568) (GH-127813)
This fixes a UBSan failure (unaligned zero-size memcpy) in `dictobject.c`.
(cherry picked from commit 9af96f440618304e7cc609c246e1f8c8b2d7a119)
(cherry picked from commit 320a1dcd97110598a4fe6ae1c0018cd3decc408f)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`os.path.realpath(strict='allow_missing')` (GH-135037) (GH-135068)
Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
(cherry picked from commit 3612d8f51741b11f36f8fb0494d79086bac9390a)
(cherry picked from commit c358142cab7ce621a2745262a90df967b357f61c)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-134836) (GH-135091)
(cherry picked from commit d83576bf48d07d5e29d5d171c4e25afb048622aa)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
| |
addresses (GH-123419) (GH-135087)
Fix functionality that was broken with better textual representation for IPv4-mapped addresses (gh-87799)
(cherry picked from commit 77a2fb4bf1a1b160d6ce105508288fc77f636943)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-128841) (GH-134613)
Limit length of IP address string to 39
(cherry picked from commit 47f1161d3a2bec52b5b5e952150141709c247da2)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
addresses (GH-29345) (GH-135080)
Represent IPv4-mapped IPv6 address as x:x:x:x:x:x:d.d.d.d,
where the 'x's are the hexadecimal values
of the six high-order 16-bit pieces of the address,
and the 'd's are the decimal values
of the four low-order 8-bit pieces of the address
(standard IPv4 representation).
(cherry picked from commit f22bf8e3cf899896cf587099d29290cb43aa9724)
Co-authored-by: opavliuk <40970635+opavlyuk@users.noreply.github.com>
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-134063) (GH-134479)
(cherry picked from commit f3fc0c16e08b317cb201cf1073e934e6909f1251)
Co-authored-by: Mike Salvatore <mike.s.salvatore@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
error handler (GH-129648) (GH-133944) (GH-134341)
If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will became invalid
after destroying that temporary bytes object. So we need other way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().
_PyBytes_DecodeEscape() does not have such issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e)
(cherry picked from commit 6279eb8c076d89d3739a6edb393e43c7929b429d)
(cherry picked from commit a75953b347716fff694aa59a7c7c2489fa50d1f5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ConnectionHandler; rely on __exit__ (GH-126503) (GH-126572) (GH-133148)
gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError in ConnectionHandler; rely on __exit__ (GH-126503)
If `read()` in the ConnectionHandler thread raises `OSError` (except `ConnectionError`),
the ConnectionHandler shuts down the entire ThreadedEchoServer,
preventing further connections.
It also does that for `EPROTOTYPE` in `wrap_conn`.
As far as I can see, this is done to avoid the server thread getting stuck,
forgotten, in its accept loop. However, since 2011 (5b95eb90a7167285b6544b50865227c584943c9a)
the server is used as a context manager, and its `__exit__` does `stop()` and `join()`.
(I'm not sure if we *always* used `with` since that commit, but currently we do.)
Make sure that the context manager *is* used, and remove the `server.stop()`
calls from ConnectionHandler.
(cherry picked from commit c9cda1608edf7664c10f4f467e24591062c2fe62)
(cherry picked from commit aee80cd5e7c6be90c69b9aa9c09faa19b91cdccd)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| | |
|
| | |
|
| |
|
|
|
| |
(cherry picked from commit c0de6500249469e6fc5b458d6afb6bad1b6755cd)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
| |
(GH-131362)
(cherry picked from commit bb0268f60dfe903a9bdb8d84104247a9318c6b18)
(cherry picked from commit 6af54d298d5135302037cdda7a1f5535e48cb1b6)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-122754) (GH-131405)
Email generators using email.policy.default may convert an RFC 2047
encoded-word to unencoded form during header refolding. In a structured
header, this could allow 'specials' chars outside a quoted-string,
leading to invalid address headers and enabling spoofing. This change
ensures a parsed encoded-word that contains specials is kept as an
encoded-word while the header is refolded.
[Better fix from @bitdancer.]
(cherry picked from commit 295b53df2aa18deb625a7da41f7e4babfe6ef34b)
Co-authored-by: Mike Edmunds <medmunds@gmail.com>
Co-authored-by: R David Murray <rdmurray@bitdance.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-131970)
gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361)
From the ERR_raise manpage:
ERR_LIB_SYS
This "library code" indicates that a system error is
being reported. In this case, the reason code given
to `ERR_raise()` and `ERR_raise_data()` *must* be
`errno(3)`.
This PR only handles ERR_LIB_SYS for the high-lever error types
SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where
OpenSSL indicates it has some more information about the issue.
(cherry picked from commit f4b31edf2d9d72878dab1f66a36913b5bcc848ec)
(cherry picked from commit 7f707fa6c67d0bfa9bbc1a9f344b932789659397)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| | |
|
| |
|
|
|
|
|
| |
When using threaded applications, there is a high risk of a deadlock in
the interpreter. It's a lock ordering deadlock with HEAD_LOCK(&_PyRuntime); and the GIL.
By disabling the GC during the _PyThread_CurrentFrames() and
_PyThread_CurrentExceptions() calls fixes the issue.
|
| |
|
|
| |
(GH-130573) (#130593)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#129357)
The IMAP4 client could consume an arbitrary amount of memory when trying
to connect to a malicious server, because it read a "literal" data with a
single read(size) call, and BufferedReader.read() allocates the bytes
object of the specified size before reading. Now the IMAP4 client reads data
by chunks, therefore the amount of used memory is limited by the
amount of the data actually been sent by the server.
(cherry picked from commit 735f25c5e3a0f74438c86468ec4dfbe219d93c91)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
| |
parsed URLs (GH-129418) (#129528)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-122753) (#129009)
Email generators using email.policy.default could incorrectly omit the
quote ('"') characters from a quoted-string during header refolding,
leading to invalid address headers and enabling header spoofing. This
change restores the quote characters on a bare-quoted-string as the
header is refolded, and escapes backslash and quote chars in the string.
(cherry picked from commit 5aaf41685834901e4ed0a40f4c055b92991a0bb5)
Co-authored-by: Mike Edmunds <medmunds@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| |
|
|
|
| |
Co-authored-by: James De Bias <81095953+DBJim@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
| |
(#122566) (#130260)
|
| |
|
|
| |
(GH-130200) (#130252)
|
| |
|
|
|
|
|
|
|
|
|
| |
* [3.11] Pin python-docs-theme
* Use today's release
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---------
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GH-119465 (GH-129561) (#129566)
gh-119461: Restore the testSocket VSOCK skipUnless removed by PR GH-119465 (GH-129561)
Restore the skipUnless removed by GH-119465.
This test can only pass on virtual machines, not actual machines.
actual machines see:
```
self.cli.connect((cid, VSOCKPORT))
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
OSError: [Errno 19] No such device
```
Reproduced on (Linux) Ubuntu 24.04.1 running 6.8.0-52-generic.
(cherry picked from commit e1006ce1ded1b18972888ef057718dba6f2c7edd)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix ThreadedVSOCKSocketStreamTest: if get_cid() returns the host
address or the "any" address, use the local communication address
(loopback): VMADDR_CID_LOCAL.
On Linux 6.9, apparently, the /dev/vsock device is now available but
get_cid() returns VMADDR_CID_ANY (-1).
(cherry picked from commit e94dbe4ed83460f18bd72563c5f09f6cdc71f604)
(cherry picked from commit c750061047ee520d8299334df4b112fd983d7e48)
(cherry picked from commit cbfe3023e46b544b80ea1a38a8c900c6fb881554)
|
| |
|
|
| |
GitHub image's version (GH-128090) (#129172)
|
