| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy
is most used on Windows and macOS.
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>.
(cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
|
| |
|
|
|
|
|
| |
Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-27946) (GH-27975)
Various date parsing utilities in the email module, such as
email.utils.parsedate(), are supposed to gracefully handle invalid
input, typically by raising an appropriate exception or by returning
None.
The internal email._parseaddr._parsedate_tz() helper used by some of
these date parsing routines tries to be robust against malformed input,
but unfortunately it can still crash ungracefully when a non-empty but
whitespace-only input is passed. This manifests as an unexpected
IndexError.
In practice, this can happen when parsing an email with only a newline
inside a ‘Date:’ header, which unfortunately happens occasionally in the
real world.
Here's a minimal example:
$ python
Python 3.9.6 (default, Jun 30 2021, 10:22:16)
[GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import email.utils
>>> email.utils.parsedate('foo')
>>> email.utils.parsedate(' ')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
t = parsedate_tz(data)
File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
res = _parsedate_tz(data)
File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
if data[0].endswith(',') or data[0].lower() in _daynames:
IndexError: list index out of range
The fix is rather straight-forward: guard against empty lists, after
splitting on whitespace, but before accessing the first element.
(cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac)
Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
It wasn't actually detecting the regression due to the
assertion being too lenient.
(cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
| |
3.7.11 (GH-26267)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Continue (GH-25916) (GH-25934)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
and tabs. (GH-25923)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
(cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-24915) (GH-24928)
Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level
2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow
TLS 1.0 and 1.1 on security level 2.
See:
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
| |
sys.stderr (GH-25075). (GH-25085)
(cherry picked from commit 09b90a037d18f5d4acdf1b14082e57bda78e85d3)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-24881) (GH-24883)
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True..
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c)
|
| |
|
|
|
|
|
| |
(cherry picked from commit 94894dd45e4bad6efb27eac4497b24cdc18b3e2d)
Co-authored-by: Brandt Bucher <brandt@python.org>
Co-authored-by: Brandt Bucher <brandt@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-24622) (#24642)
The note about the GIL was buried pretty deep in the threading documentation,
and this made it hard for first time users to discover why their attempts
at using threading to parallelizing their application did not work.
In this commit, the note is moved to the top of the module documention for
visibility..
(cherry picked from commit 32181be6081f6c70a1e0bd0540050805c8e88e83)
Co-authored-by: Guanzhong Chen <quantum2048@gmail.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
(GH-24544)
(cherry picked from commit 813db24f7c2c536d587d1832c3c52b44fa9e242e)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
|
| |
|
|
|
|
|
| |
ctypes param reprs. (GH-24249)
(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
| |
|
|
|
| |
(cherry picked from commit de6f20a6de48d63066b2cf5b317f50629f01d74a)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
| |
|
|
|
|
|
| |
(GH-24037) (GH-24041)
(cherry picked from commit ec3165320e81ac87edcb85c86c452528ddbaec1c)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
| |
|
|
|
|
|
|
| |
Up until now, the `multiprocessing.pool.ThreadPool` class has gone
undocumented, despite being a public class in multiprocessing that is
included in `multiprocessing.pool.__all__`.
(cherry picked from commit 84ebcf271a2cc8bfd1762acb279502b8b6ef236e)
Co-authored-by: Matt Wozniski <mwozniski@bloomberg.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2.1.3. (GH-23596)
* build(deps): bump actions/cache from v2.1.2 to v2.1.3 (23582)
Bumps [actions/cache](https://github.com/actions/cache) from v2.1.2 to v2.1.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2.1.2...0781355a23dac32fd3bac414512f4b903437991a)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a43fea88577c460eed7cc92a37b5fce787d6aab1)
* [3.7] build(deps): bump actions/cache from v2.1.2 to v2.1.3 (23582)
Bumps [actions/cache](https://github.com/actions/cache) from v2.1.2 to v2.1.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2.1.2...0781355a23dac32fd3bac414512f4b903437991a)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>.
(cherry picked from commit a43fea88577c460eed7cc92a37b5fce787d6aab1)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
| |
|
|
|
|
|
|
| |
The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
|
| |
|
|
|
| |
* bpo-42336: Improve PCbuild batch files (GH-23325)
* Remove ARM platforms
|
| |
|
|
|
|
|
|
|
|
|
| |
* Prevent some possible DoS attacks via providing invalid Plist files
with extremely large number of objects or collection sizes.
* Raise InvalidFileException for too large bytes and string size instead of returning garbage.
* Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
* Raise InvalidFileException instead of TypeError for non-hashable dict keys.
* Add more tests for invalid Plist files..
(cherry picked from commit 34637a0ce21e7261b952fbd9d006474cc29b681f)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
| |
(cherry picked from commit 283f9a253b4ff4df728558205629b3bb3af6e47f)
|
| |
|
|
|
|
|
| |
codec tests (GH-22566) (GH-22578)
(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
| |
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
|
| |
|
|
|
|
|
| |
using gcc>9 (GH-22598). (GH-22601)
(cherry picked from commit 27ac19cca2c639caaf6fedf3632fe6beb265f24f)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| | |
|
| | |
|
| |
|
|
|
| |
Note: macOS 11 is not yet released, this release of Python is not
fully supported on 11.0, and not all tests pass.
|
| |
|
|
|
|
|
|
| |
(GH-7467) (GH-21878)
(cherry picked from commit 52698c7ad9eae9feb35839fde17a7d1da8036a9b)
Co-authored-by: Yury Selivanov <yury@magic.io>
|
| |
|
|
|
|
|
|
| |
docs (GH-21703) (GH-21788)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
(cherry picked from commit 82ca8fada15b121866530f2cdac1b7055be4a244)
Co-authored-by: Yaroslav Pankovych <31005942+P-Alban@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 76643c10ede2813ca921464fe839e81caee21a84)
Co-authored-by: Ram Rachum <ram@rachum.com>
|
| |
|
|
|
|
| |
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 164b04c47e61bd35d55e61bc74f9fd646eba81bb)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| | |
|
| |
|
|
|
|
|
|
| |
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
Co-authored-by: Rishi <rishi_devan@mail.com>
|
| |
|
|
|
|
| |
Automerge-Triggered-By: @tiran
(cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-21389)
(cherry picked from commit aebc0495572c5bb85d2bd97d27cf93ab038b5a6a)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
| |
|
|
|
|
|
| |
Python is embedded (GH-21297) (#21298)
* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.
* Add CVE number
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-21033) (GH-21231)
CVE-2020-14422
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
Signed-off-by: Tapas Kundu <tkundu@vmware.com>
|
