| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
checked with PyErr_Occurred (GH-105223)
(cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-104896)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
(cherry picked from commit d7f8a5fe07b0ff3a419ccec434cc405b21a5a304)
(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
|
| | |
|
| |
|
|
| |
(cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4)
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
SimpleHTTPRequestHandler (GH-104122)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| |
|
| |
(cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5)
|
| |
|
|
|
|
|
|
|
|
|
| |
(GH-104998)
Note that this is intended solely for the current GitHub Actions CI
macOS environment, in particular, macOS 12 on Intel-64 only.
Out of the box, 3.7.x does not fully support macOS 11 and
later systems and does not fully support building or running on
Apple Silicon Macs (which were first supported in macOS 11),
all of which were released after 3.7 had reached the
security-fix-only phase of its life cycle.
|
| |
|
|
|
| |
appropriate macOS SDK. (GH-102427)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
|
| |
|
|
|
|
|
|
|
| |
(GH-102630) (GH-102668)
(cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839)
Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
| |
Windows (GH-101286) (#101713)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Oleg Iarygin <dralife@yandex.ru>
|
| |
|
| |
(cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b)
|
| |
|
|
|
| |
(cherry picked from commit ea232716d3de1675478db3a302629ba43194c967)
Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
|
| | |
|
| |
|
| |
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47)
Co-authored-by: Ned Deily <nad@python.org>
Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>
|
| |
|
|
|
|
| |
Co-authored-by: Jeremy Paige <ucodery@gmail.com>.
(cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
| |
* [3.7] Update copyright years to 2023. (gh-100848).
(cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
* Update additional copyright years to 2023.
Co-authored-by: Ned Deily <nad@python.org>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
(GH-100002) (GH-100034)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
| |
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
| |
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
regression test. (GH-96717) (#98195)
gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)
A regression would still absolutely fail and even a flaky pass isn't
harmful as it'd fail most of the time across our N system test runs.
Windows has a low resolution timer and CI systems are prone to odd
timing so this just gives more leeway to avoid flakiness.
(cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
| |
(GH-91993) (GH-98191)
gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#97634)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor.
list_resize() now checks for integer overflow before multiplying the
new allocated length by the list item size (sizeof(PyObject*)).
(cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
| |
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8)
|
| |
|
|
|
|
| |
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-96874) (GH-96877) (GH-97836)
[3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.
(cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d)
Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
| |
(cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| | |
|
| |
|
|
|
| |
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
| | |
|
| |
|
|
| |
This makes 3.7 doc builds similar to later releases,
simplifying build tooling.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).
This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation. The default limit is 4300
digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
|
| |
|
|
|
|
| |
Previous to commit ee171a2 the logline was working because of self.info() (now
deprecated) defaults to an empty message.
Co-authored-by: Xtreak <tirkarthi@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add ABI and generated files checks to CI.
This includes checking in an initial Abigail ABI definition for 3.7.
* Backport ctypes test_macholib fix from b29d0a5a7811418c0a1082ca188fd4850185e290.
This is required for the 3.7 tree to pass on modern macOS.
* annotate test_bad_password @requires_zlib.
I don't know why, but macOS in 3.7 CI is failing to build the zlib
module these days so it's exposing this test that didn't have the
proper `@requires_zlib` annotation.
Getting it to build with zlib and other things that are now wrongly
"missing" in the 3.7 CI setup would be nice, but probably involves
invasive backporting of parts of
https://github.com/python/cpython/commit/b29d0a5a7811418c0a1082ca188fd4850185e290
by a macOS domain expert.
Not worth it.
* disable MachOTest.test_find unless macOS 11+ support is backported.
This test also appears to require changes to
Lib/ctypes/macholib/dyld.py to work in the existing macOS CI config.
I'm just skipping it, backporting that would be a feature.
Not going to happen in 3.7.
There may be a way to configure macOS CI to use an older macOS and
toolchain instead as an alternate option. Someone else can figure
that out if so. This branch only lives for another 9 months per
https://peps.python.org/pep-0537/
* LOL at my typo
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-21806) (GH-92342)
On Git 2.28, "git diff master..." (3 dots) no longer works when
"fetch --depth=1" is used, whereas it works on Git 2.26.
Replace "..." (3 dots) with ".." (2 dots) in the "git diff" command
computing the list of modified files between the base branch and the
PR branch.
(cherry picked from commit eaa551702d80fd67219c48ee6a13ffb571ca360b)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
| |
* Add ABI and generated files checks to CI.
* Fix the Windows CI config.
This matches what 3.8 did in 899eb4167264a17ba703677814d69d4f7dcaea41.
|
| |
|
|
|
|
|
|
|
|
| |
This fixes the test failure with Tk 6.8.10 which is caused by changes to how Tk rounds the `from`, `to` and `tickinterval` arguments. This PR uses `noconv` if the patchlevel is greater than or equal to 8.6.10 (credit to Serhiy for this idea as it is much simpler than what I previously proposed).
Going into more detail for those who want it, the Tk change was made in [commit 591f68c](https://github.com/tcltk/tk/commit/591f68cb382525b72664c6fecaab87742b6cc87a) and means that the arguments listed above are rounded relative to the value of `from`. However, when rounding the `from` argument ([line 623](https://github.com/tcltk/tk/blob/591f68cb382525b72664c6fecaab87742b6cc87a/generic/tkScale.cGH-L623)), it is rounded relative to itself (i.e. rounding `0`) and therefore the assigned value for `from` is always what is given (no matter what values of `from` and `resolution`).
Automerge-Triggered-By: @pablogsal
(cherry picked from commit aecf036738a404371303e770f4ce4fd9f7d43de7)
Co-authored-by: E-Paine <63801254+E-Paine@users.noreply.github.com>
|
| |
|
|
|
|
|
|
| |
(GH-95314)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
| |
(cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
| |
|
|
|
|
|
| |
links (GH-94416) (GH-94496)
(cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf)
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-94095)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
