Commit log (each entry: commit message and tag; author, date; files changed, lines removed/added)
* Version bump and copyright update for 3.5.10rc1. (tag: v3.5.10rc1)
  Larry Hastings, 2020-08-19; 6 files changed, -12/+12

* Blurb release and pydoc topics for 3.5.10rc1.
  Larry Hastings, 2020-08-19; 12 files changed, -18/+107
* [3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (#21233)
  Tapas Kundu, 2020-08-04; 3 files changed, -2/+14

  CVE-2020-14422: The __hash__() methods of classes IPv4Interface and IPv6Interface had the issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of an XOR operation.
  (cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
  Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
  Signed-off-by: Tapas Kundu <tkundu@vmware.com>
* [3.5] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (#21377)
  Steve Dower, 2020-08-04; 5 files changed, -40/+92

  bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.

* [3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21489)
  Petr Viktorin, 2020-07-16; 4 files changed, -0/+10

  Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
  (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
  Co-authored-by: Rishi <rishi_devan@mail.com>
* bpo-41183: Update finite DH params to 3072 bits (#21278)
  Christian Heimes, 2020-07-02; 3 files changed, -8/+42

  Signed-off-by: Christian Heimes <christian@python.org>

* bpo-41183: Update test certs and keys (#21258)
  Christian Heimes, 2020-07-02; 16 files changed, -397/+900

  Manual backport of bpo-34542, GH-8997 and commit 1da2b23504a68ed0432aa74a17ec2533933f5af8 to Python 3.5.
  Signed-off-by: Christian Heimes <christian@python.org>
* [3.5] closes bpo-38576: Disallow control characters in hostnames in http.client. (#19300)
  Tapas Kundu, 2020-06-20; 4 files changed, -3/+59

  Add host validation for control characters for more CVE-2019-18348 protection.
  (cherry picked from commit 83fc70159b24)

* bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (#19305)
  Victor Stinner, 2020-06-20; 4 files changed, -52/+115

  The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking.

  Vulnerability reported by Ben Caller and Matt Schwager.

  AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

* bpo-39073: validate Address parts to disallow CRLF (#19007) (#20450)
  Victor Stinner, 2020-06-12; 3 files changed, -0/+25

  Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
  (cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)
* bpo-39035: travis: Update image to xenial (#17623)
  Inada Naoki, 2020-06-12; 1 file changed, -3/+1

  Use the same image as master to ease maintenance. Remove "group: beta" to make Travis more stable.
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17344)
  Victor Stinner, 2020-04-03; 4 files changed, -6/+27

  The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

  LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

  The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

      \d+-\w+-\d+(\s*\s*\s*)$

  Therefore, a long sequence of spaces can trigger bad performance.

  Matching a malicious string such as

      LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

  caused catastrophic backtracking.

  The fix removes ambiguity about which \s* should match a particular space.

  You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g.

      from http.server import BaseHTTPRequestHandler, HTTPServer

      def make_set_cookie_value(n_spaces):
          spaces = " " * n_spaces
          expiry = f"1-c-1{spaces}!"
          return f"b;Expires={expiry}"

      class Handler(BaseHTTPRequestHandler):
          def do_GET(self):
              self.log_request(204)
              self.send_response_only(204)  # Don't bother sending Server and Date
              n_spaces = (
                  int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                  if len(self.path) > 1 else
                  65506  # Max header line length 65536
              )
              value = make_set_cookie_value(n_spaces)
              for i in range(99):  # Not necessary, but we can have up to 100 header lines
                  self.send_header("Set-Cookie", value)
              self.end_headers()

      if __name__ == "__main__":
          HTTPServer(("", 44020), Handler).serve_forever()

  This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

  Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

      import http.cookiejar, urllib.request
      cj = http.cookiejar.CookieJar()
      opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
      r = opener.open("http://localhost:44020/")

  The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

      import requests
      requests.get("http://localhost:44020/")

  * Regression test for http.cookiejar REDoS

  If we regress, this test will take a very long time.

  * Improve performance of http.cookiejar.ISO_DATE_RE

  A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

  (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
  Co-authored-by: bcaller <bcaller@users.noreply.github.com>
* bpo-40156: Copy Codecov configuration from master (#19309)
  Victor Stinner, 2020-04-02; 1 file changed, -9/+3

  Disable "Codecov patch" job on pull requests.
* bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444) (#17445)
  Ned Deily, 2020-03-21; 4 files changed, -0/+21

  (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
  Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>

* Post-release update for 3.5.9 final.
  Larry Hastings, 2019-11-02; 1 file changed, -1/+1

* Version bump for 3.5.9 final. (tag: v3.5.9)
  Larry Hastings, 2019-11-01; 2 files changed, -3/+3

* Blurb release and pydoc topics for 3.5.9 final.
  Larry Hastings, 2019-11-01; 2 files changed, -1/+12

* Post release updates for 3.5.8 final.
  Larry Hastings, 2019-10-29; 1 file changed, -1/+1

* Version bump for 3.5.8 final. (tag: v3.5.8)
  Larry Hastings, 2019-10-29; 2 files changed, -5/+5

* Blurb release and pydoc topics for 3.5.8 final.
  Larry Hastings, 2019-10-29; 3 files changed, -4/+10
* [3.5] bpo-31026: Fix test_dbm if dbm.ndbm is built with Berkeley DB. (GH-6632)
  Serhiy Storchaka, 2019-10-29; 2 files changed, -2/+29

  (cherry picked from commit 70af06cdc4e8fbee0b9d7d46bdc193097d4bc71f)
* bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516)
  Victor Stinner, 2019-10-29; 3 files changed, -1/+21

  Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML.
  (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)

* Post-release update for 3.5.8rc2.
  Larry Hastings, 2019-10-12; 1 file changed, -1/+1

* Version bump for 3.5.8rc2. (tag: v3.5.8rc2)
  Larry Hastings, 2019-10-12; 2 files changed, -3/+3

* Fix docs, blurb release, pydoc-topics for 3.5.8rc2.
  Larry Hastings, 2019-10-12; 5 files changed, -881/+1122

* closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) (#16434)
  Victor Stinner, 2019-10-09; 22 files changed, -5850/+4913

  Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.

* [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) (#16475)
  Jason R. Coombs, 2019-10-08; 3 files changed, -11/+54

  * [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448)

* [3.7] Doc: Bump sphinx. (GH-10676) (GH-10803) (#16522)
  Victor Stinner, 2019-10-08; 1 file changed, -1/+1

  (cherry picked from commit 2db96ae7444880d66d4ef65abab8a5e6ff328711)
  Co-authored-by: Julien Palard <julien@palard.fr>
  (cherry picked from commit 23a98abd4256f931ed89b65ec6babd4f06dbff97)

* Sphinx 1.8 is now preferred for building 3.5 docs. (tag: v3.5.8rc1)
  Larry Hastings, 2019-09-09; 1 file changed, -2/+2

* Version bump for 3.5.8rc1.
  Larry Hastings, 2019-09-09; 2 files changed, -6/+6

* Blurb release and pydoc-topics for 3.5.8rc1.
  Larry Hastings, 2019-09-09; 10 files changed, -89/+12502
* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)
  Abhilash Raj, 2019-09-07; 3 files changed, -0/+12

  * [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)

  Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop.
  (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
  Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
  Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com>

* bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) (GH-13814) (#14772)
  Victor Stinner, 2019-09-07; 2 files changed, -8/+9

  (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
  Co-authored-by: Steve Dower <steve.dower@python.org>
  (cherry picked from commit fd1771dbdd28709716bd531580c40ae5ed814468)

* bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 (#12694)
  Victor Stinner, 2019-09-07; 3 files changed, -0/+13

  Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
* [3.5] bpo-34155: Don't parse domains containing @ (GH-13079) (#15317)
  Abhilash Raj, 2019-09-07; 5 files changed, -1/+37

  https://bugs.python.org/issue34155
  (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
  Co-authored-by: jpic <jpic@users.noreply.github.com>
* bpo-30458: Disallow control chars in http URLs. (GH-12755) (#13207)
  Miro Hrončok, 2019-07-14; 4 files changed, -1/+79

  Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.

  Disable https related urllib tests on a build without ssl (GH-13032)

  These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.

  Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)

  Co-Authored-By: Miro Hrončok <miro@hroncok.cz>

* bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) (#13042)
  Steve Dower, 2019-07-14; 3 files changed, -4/+14

* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) (GH-13505) (#13510)
  Victor Stinner, 2019-07-14; 3 files changed, -1/+22

  CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.
  Co-Authored-By: SH <push0ebp@gmail.com>

* Fix compatibility with ISO C89 needed by "gnu89" standard of GCC 4.8: use C89 for loops in backported pickle patch (#12622)
  Anthony Sottile, 2019-07-13; 2 files changed, -4/+8

* [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (#13200)
  Gregory P. Smith, 2019-07-13; 3 files changed, -14/+67

  * [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)

  We updated the server, our testsuite must match.

  https://bugs.python.org/issue36816

  ✈️ CLE -> DEN ✈️ GH-pycon2019
  (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>

* [3.5] Doc: Add an optional obsolete header. (GH-13638). (#13658)
  Julien Palard, 2019-07-13; 2 files changed, -0/+20

  * [3.5] Doc: Add an optional obsolete header. (GH-13638).
  (cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210)
  Co-authored-by: Julien Palard <julien@palard.fr>

* Post-release version bump for 3.5.7.
  Larry Hastings, 2019-03-19; 1 file changed, -1/+1

* Version bump for 3.5.7 final. (tag: v3.5.7)
  Larry Hastings, 2019-03-17; 2 files changed, -5/+5

* Blurb release and pydoc-topics for 3.5.7 final.
  Larry Hastings, 2019-03-17; 5 files changed, -11/+33

* [3.5] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12281)
  Xtreak, 2019-03-17; 3 files changed, -2/+45

  Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.
  Patch by Karthikeyan Singaravelan.
  (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
  Co-authored-by: Xtreak <tir.karthi@gmail.com>

* bpo-35647: Fix path check in cookiejar (#11436) (#12277)
  Xtreak, 2019-03-16; 3 files changed, -5/+38

  * Refactor cookie path check as per RFC 6265
  * Add tests for prefix match of path
  * Add news entry
  * Fix set_ok_path and refactor tests
  * Use slice for last letter
  (cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c)

* bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) (#12223)
  Steve Dower, 2019-03-11; 4 files changed, -0/+61
* Post-release version bump for 3.5.7rc1.
  Larry Hastings, 2019-03-04; 1 file changed, -1/+1
* Version bump & copyright year update for 3.5.7rc1. (tag: v3.5.7rc1)
  Larry Hastings, 2019-03-04; 7 files changed, -17/+17

* PyDoc and blurb updates for 3.5.7rc1.
  Larry Hastings, 2019-03-04; 7 files changed, -13098/+127