summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* 3.6.14v3.6.14Ned Deily2021-06-289-28/+71
|
* bpo-44022: Improve the regression test. (GH-26503) (GH-26508)Miss Islington (bot)2021-06-031-1/+6
| | | | | | | | It wasn't actually detecting the regression due to the assertion being too lenient. (cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for ↵Senthil Kumaran2021-05-201-0/+7
| | | | | 3.6.14 (GH-26268) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 ↵Miss Islington (bot)2021-05-063-18/+32
| | | | | | | | | | | Continue (GH-25916) (GH-25935) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d) Co-authored-by: Gen Xu <xgbarry@gmail.com>
* bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25250)Miss Islington (bot)2021-05-062-1/+2
| | | | | | | | | | | Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. (cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1) Co-authored-by: Yeting Li <liyt@ios.ac.cn>
* [3.6] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline ↵Miss Islington (bot)2021-05-064-0/+77
| | | | | | | | | | | | and tabs (GH-25924) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4) Co-authored-by: Senthil Kumaran <senthil@uthcode.com> (cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
* bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067)Miss Islington (bot)2021-03-293-24/+4
| | | | | | | | | | | CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.6] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) ↵Miss Islington (bot)2021-03-164-2/+51
| | | | | | | | | | | | | | | | | | | | (GH-24881) (GH-24882) The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.. (cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e) Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c)
* Post release updatesNed Deily2021-02-162-3/+3
|
* 3.6.13v3.6.13Ned Deily2021-02-1613-23/+95
|
* [3.6] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532)Senthil Kumaran2021-02-158-43/+134
| | | | | | | | | | | | | bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* [3.6] closes bpo-42938: Replace snprintf with Python unicode formatting in ↵Benjamin Peterson2021-01-183-34/+66
| | | | | | | ctypes param reprs. (GH-24250) (cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) Co-authored-by: Benjamin Peterson <benjamin@python.org>
* [3.6] Bring Python into the new year. (GH-24036). (GH-24054)Dong-hee Na2021-01-029-12/+12
| | | | | (cherry picked from commit de6f20a6de48d63066b2cf5b317f50629f01d74a) Co-authored-by: Dong-hee Na <donghee.na@python.org>
* bpo-42794: Update test_nntplib to use offical group name for testing ↵Miss Islington (bot)2021-01-012-3/+9
| | | | | | | (GH-24037) (GH-24042) (cherry picked from commit ec3165320e81ac87edcb85c86c452528ddbaec1c) Co-authored-by: Dong-hee Na <donghee.na@python.org>
* bpo-40791: Make compare_digest more constant-time. (GH-23438) (GH-23767)Miss Islington (bot)2020-12-142-1/+2
| | | | | | | | | The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization. (This is change GH-1 from https://bugs.python.org/issue40791 .) (cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28) Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
* bpo-35560: Remove assertion from format(float, "n") (GH-11288) (GH-23231)Miss Islington (bot)2020-11-103-1/+23
| | | | | | | | | Fix an assertion error in format() in debug build for floating point formatting with "n" format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan. (cherry picked from commit 3f7983a25a3d19779283c707fbdd5bc91b1587ef) Co-authored-by: Xtreak <tir.karthi@gmail.com>
* [3.6] bpo-42103: Improve validation of Plist files. (GH-22882) (GH-23118)Serhiy Storchaka2020-11-104-67/+367
| | | | | | | | | | | * Prevent some possible DoS attacks via providing invalid Plist files with extremely large number of objects or collection sizes. * Raise InvalidFileException for too large bytes and string size instead of returning garbage. * Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN). * Raise InvalidFileException instead of TypeError for non-hashable dict keys. * Add more tests for invalid Plist files.. (cherry picked from commit 34637a0ce21e7261b952fbd9d006474cc29b681f) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.6] Remove 3.5 from Doc version switcher in master. (GH-22886) (#22891)larryhastings2020-10-222-2/+0
| | | (cherry picked from commit 283f9a253b4ff4df728558205629b3bb3af6e47f)
* bpo-41944: No longer call eval() on content received via HTTP in the CJK ↵Miss Skeleton (bot)2020-10-202-14/+9
| | | | | | | codec tests (GH-22566) (GH-22579) (cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-42051: Reject XML entity declarations in plist files (GH-22760) ↵Miss Skeleton (bot)2020-10-203-0/+28
| | | | | | | | | (GH-22801) (GH-22804) Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com> (cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc) Co-authored-by: Ned Deily <nad@python.org>
* Disable macOS CI tests in azure-pipelines (GH-22639)Ned Deily2020-10-203-4/+9
|
* Post release updatesNed Deily2020-08-172-3/+3
|
* 3.6.12v3.6.12Ned Deily2020-08-159-13/+56
|
* bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)Miss Islington (bot)2020-07-193-0/+39
| | | | | | reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
* bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)Miss Islington (bot)2020-07-154-0/+10
| | | | | | | Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) Co-authored-by: Rishi <rishi_devan@mail.com>
* bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21462)Miss Islington (bot)2020-07-133-8/+41
| | | | | | Automerge-Triggered-By: @tiran (cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.6] bpo-29778: Ensure python3.dll is loaded from correct locations when ↵Steve Dower2020-07-065-46/+81
| | | | | | | | | | | Python is embedded (GH-21298) (#21354) * bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21298) * bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded. * Add CVE number * Updates for 3.6
* [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface ↵Tapas Kundu2020-06-303-2/+14
| | | | | | | | | | | | | | (GH-21033) (GH-21232) CVE-2020-14422 The __hash__() methods of classes IPv4Interface and IPv6Interface had issue of generating constant hash values of 32 and 128 respectively causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of XOR operation (cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28) Co-authored-by: Ravi Teja P <rvteja92@gmail.com> Signed-off-by: Tapas Kundu <tkundu@vmware.com>
* Post release updatesNed Deily2020-06-272-3/+3
|
* 3.6.11v3.6.11Ned Deily2020-06-274-7/+15
|
* Post release updateNed Deily2020-06-182-3/+3
|
* 3.6.11rc1v3.6.11rc1Ned Deily2020-06-1712-425/+547
|
* bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)Miss Islington (bot)2020-05-273-0/+25
| | | | | | | | Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
* Add pt-br switcher to the Documentation website (GH-20301)Rafael Fontenelle2020-05-231-0/+1
|
* Doc: Python 3.10 in sidebar and version switcher. (GH-20209) (GH-20224)Miss Islington (bot)2020-05-192-2/+4
| | | | | | | (cherry picked from commit 19e3e0026417caa92ffe21a67157363b45da9aa2) Co-authored-by: Julien Palard <julien@palard.fr> Co-authored-by: Julien Palard <julien@palard.fr>
* bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)Victor Stinner2020-04-034-52/+115
| | | | | | | | | | | | | | The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
* bpo-40156: Copy Codecov configuration from master (GH-19306)Victor Stinner2020-04-031-9/+3
| | | Disable "Codevov patch" job on pull requests.
* bpo-38576: Disallow control characters in hostnames in http.client ↵Miss Islington (bot)2020-03-144-3/+57
| | | | | | | | (GH-18995) (GH-19002) Add host validation for control characters for more CVE-2019-18348 protection. (cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
* bpo-39869: Fix typo in 'Instance objects' section. (GH-18889) (GH-18898)Miss Islington (bot)2020-03-141-1/+1
| | | | | | (cherry picked from commit e5e56328afac50aad6d8893185d8e7ba8928afe2) Co-authored-by: Antoine <43954001+awecx@users.noreply.github.com>
* bpo-39545: Document restrictions on "await" and "async for" in f-strings. ↵Serhiy Storchaka2020-02-132-1/+10
| | | | (GH-18459)
* bpo-39545: docs: do not use await in f-strings (GH-18434)Elena Oat2020-02-101-1/+1
|
* closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18350)Miss Islington (bot)2020-02-043-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc469454ec added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c0746f277052e45a60d6c436a765e34722821) Co-authored-by: Philipp Gesang <phg@phi-gamma.net> Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
* [3.6] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) ↵Steve Dower2020-01-313-4/+15
| | | | | | (GH-18233)
* bpo-39421: Fix posible crash in heapq with custom comparison operators ↵Miss Islington (bot)2020-01-233-9/+59
| | | | | | | | (GH-18118) (GH-18146) (cherry picked from commit 79f89e6e5a659846d1068e8b1bd8e491ccdef861) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* Doc: Change Python 2 status to EOL. (GH-17885) (GH-17887)Miss Islington (bot)2020-01-071-1/+1
| | | | | | (cherry picked from commit f4800b8ed3dbe15a0078869a836d968ab3362b8c) Co-authored-by: Inada Naoki <songofacandy@gmail.com>
* Update copyright year in macOS installer license copy (GH-17806) (GH-17810)Ned Deily2020-01-031-25/+26
|
* [3.6] Bring Python into the next decade. (GH-17804)Benjamin Peterson2020-01-038-13/+9
| | | | | (cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53) Co-authored-by: Benjamin Peterson <benjamin@python.org>
* Post release updatesNed Deily2019-12-192-3/+3
|
* 3.6.10v3.6.10Ned Deily2019-12-184-6/+12
|
* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS ↵Miss Islington (bot)2019-12-172-1/+2
| | | | | | | Catalina (GH-17636) (GH-17638) (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e) Co-authored-by: Ned Deily <nad@python.org>
generated by cgit v0.12 at 2026-01-04 02:26:59 (GMT)