* Correctly pre-check for int-to-str conversion
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check follows. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
* Issue: gh-95778
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
(cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
(GH-95313)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c8556bcf6c0b05ac46bd74880626a2853e7c99a1)
links (GH-94416) (GH-94495)
(cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf)
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
(GH-31885) (GH-94124)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
(cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
(GH-94094)
Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 56b5daf15970be449d44e91f08db84c698ac5506)
Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com>
(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac)
Co-authored-by: Christian Heimes <christian@python.org>
(GH-93066) (#93148)
Also while there, clarify a few things about why we reduce the hash to 32 bits.
Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
(#92333)
(cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b)
Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
(GH-32241) (GH-32250)
(cherry picked from commit 6066739ff7794e54c98c08b953a699cbc961cd28)
Co-authored-by: Zachary Ware <zach@python.org>
(GH-92605)
(cherry picked from commit 45e1721d100bab09510ccf9da49f14ca5cc268f4)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
* Update Sphinx bpo role to use redirect URI. (GH-32342)
* [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342).
(cherry picked from commit 08cfe079503ffd19d8b7ab324f0fdb1c6b150ca8)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
(cherry picked from commit 17dbb6bc10ca8a8b602335414c047294f00afcbe)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
* gh-91888: Add a :gh: role to the documentation (GH-91889).
* [3.8] gh-91888: add a `:gh:` role to the documentation (GH-91889)
* Add a new :gh:`...` role for GitHub issues.
* Fix a GitHub id to use the :gh: role.
* Add Misc/NEWS entry.
* Refactoring and rephrasing.
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>.
(cherry picked from commit f7641a2ffec243e5f600028a84debe9028a9ee44)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
* Fix use of the default role in NEWS entry
platforms (GH-32161) (#32183)
Co-authored-by: Ned Deily <nad@python.org>
(GH-32109)
Co-authored-by: Ned Deily <nad@python.org>
This reverts commit e5f711f5eeb6db4290db1b747f42f5d723d12ed3.
(GH-31827)
As per the comments, this mirrors the [datetime documentation](https://docs.python.org/3/library/datetime.html#datetime.datetime.fromtimestamp).
```pycon
>>> import time
>>> time.localtime(999999999999999999999)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OverflowError: timestamp out of range for platform time_t
>>> time.localtime(-3600)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
```
(cherry picked from commit c83fc9c02c9846ec3a2d0123999c98e02f00b3f5)
Co-authored-by: slateny <46876382+slateny@users.noreply.github.com>
(GH-31920) (GH-31924)
(cherry picked from commit 708812085355c92f32e547d1f1d1f29aefbbc27e)
Co-authored-by: Steve Dower <steve.dower@python.org>
OpenSSL 1.1.1n. (GH-31912)
* bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n.
* Revert inadvertent sqlite downgrade
(cherry picked from commit d87f1b787ed38dfd307d82452f2efe9dc5b93942)
Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
recent versions of clang. (GH-28845) (GH-31889)
Change the configure logic to function properly on macOS when the compiler
outputs a platform triplet for option --print-multiarch.
The Apple Clang included with Xcode 13.3 now supports --print-multiarch
causing configure to fail without this change.
Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 9c4766772cda67648184f8ddba546a5fc0167f91)
Co-authored-by: David Bohman <debohman@gmail.com>
Automerge-Triggered-By: GH:ned-deily
(cherry picked from commit 9901d153c201d852d27dc9d3074e283c26468f6d)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
(GH-31419)
The libexpat 2.4.1 upgrade from introduced the following new exported symbols:
* `testingAccountingGetCountBytesDirect`
* `testingAccountingGetCountBytesIndirect`
* `unsignedCharToPrintable`
* `XML_SetBillionLaughsAttackProtectionActivationThreshold`
* `XML_SetBillionLaughsAttackProtectionMaximumAmplification`
We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h)
(The newer libexpat upgrade has no new symbols).
Automerge-Triggered-By: GH:gpshead
(cherry picked from commit 6312c1052c0186b4596fc45c42fd3ade9f8f5911)
Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com>
Automerge-Triggered-By: GH:benjaminp
(cherry picked from commit ba00f0d93a4aea85ae8089f139856a7c450584d7)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
and CVE-2019-12900 (GH-31732) (GH-31734)
uses the install path during repair (GH-31729)
(cherry picked from commit 176835c3d5c70f4c1b152cc2062b549144e37094)
Co-authored-by: Steve Dower <steve.dower@python.org>
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed authorization to be bypassed. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 1935e1cc284942bec8006287c939e295e1a7bf13)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.
libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.
References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/
Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
Co-authored-by: Cyril Jouve <jv.cyril@gmail.com>
(cherry picked from commit ee2549c2ba8bae00f2b2fea8a39c6dfbd1d06520)
Co-authored-by: Julien Palard <julien@palard.fr>
(cherry picked from commit 6fb62b42f4db56ed5efe0ca4c1059049276c1083)
Co-authored-by: Victor Stinner <vstinner@python.org>
importlib_metadata 4.10.1) (GH-30803). (#30829)
(cherry picked from commit 51c3e28c8a163e58dc753765e3cc51d5a717e70d)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
POST requests to http://www.example.com/ fail randomly.
(cherry picked from commit 1578de2fcd685c71f9c84e09bac32901dea192c1)
Co-authored-by: Victor Stinner <vstinner@python.org>
(GH-29691) (GH-29710)
(cherry picked from commit 4fad314246399b69ef0c57ba8527d9efade99069)
Co-authored-by: Carl Friedrich Bolz-Tereick <cfbolz@gmx.de>
Since `.. module:: contextvars` sets the module using `.. class:: contextvars.Token`, intersphinx records it as `contextvars.contextvars.Token`.
(cherry picked from commit e501d70b347c5093018d12482c30a7a98aab86d0)
Co-authored-by: Hynek Schlawack <hs@ox.cx>
Patch by Marc Culler of the Tk project.
It should be noted that this part of the documentation is redundant with
function.rst's documentation of int. This one was correctly updated with Python 3.8.
(cherry picked from commit d9c1868c25ec6466e8d8ae21fe9315a8a03836ab)
Co-authored-by: Arthur Milchior <arthur@milchior.fr>
(GH-29279)
when using the Tk 8.6.11 provided by python.org macOS installers.
Patch by Marc Culler of the Tk project.
(cherry picked from commit be8318be05e1a874215fa75b8845ede74b2c69b6)
Co-authored-by: Ned Deily <nad@python.org>
0.17.1 (GH-29230) (GH-29241) (GH-29245)
Co-authored-by: Maciej Olko <maciej.olko@yougov.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
Since v8.6.11, a few configuration options seem to accept an empty value
where they did not previously; particularly the `type` of a `Menu`
widget, and the `compound` of any ttk widget with a label. Providing an
explicit expected error message to `checkEnumParam` bypasses the check
of an empty value, which no longer raises `TclError`.
(cherry picked from commit 4fe454c6f54b0948af67b53af6c2f35af6377e69)
Co-authored-by: Zachary Ware <zach@python.org>