summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Python 3.8.19v3.8.19Łukasz Langa2024-03-1917-40/+152
|
* [3.8] gh-115197: Stop resolving host in urllib.request proxy bypass ↵Miss Islington (bot)2024-03-193-44/+64
| | | | | | | | (GH-115210) (GH-116069) Use of a proxy is intended to defer DNS for the hosts to the proxy itself, rather than a potential for information leak of the host doing DNS resolution itself for any reason. Proxy bypass lists are strictly name based. Most implementations of proxy support agree. (cherry picked from commit c43b26d02eaa103756c250e8d36829d388c5f3be) Co-authored-by: Weii Wang <weii.wang@canonical.com>
* [3.8] gh-115398: Expose Expat >=2.6.0 reparse deferral API (CVE-2023-52425) ↵Sebastian Pipping2024-03-0614-20/+435
| | | | | | | | | | | | | | | | | | (GH-115623) (GH-116275) Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods: - `xml.etree.ElementTree.XMLParser.flush` - `xml.etree.ElementTree.XMLPullParser.flush` - `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled` - `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled` - `xml.sax.expatreader.ExpatParser.flush` Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 . Includes code suggested-by: Snild Dolkow <snild@sony.com> and by core dev Serhiy Storchaka. Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.8] gh-107077: Raise SSLCertVerificationError even if the error is set via ↵Miss Islington (bot)2024-02-212-0/+10
| | | | | | | | | | SSL_ERROR_SYSCALL (GH-107586) (GH-107591) (cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com> Co-authored-by: T. Wouters <thomas@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] Upgrade bundled libexpat to 2.6.0 (GH-115399) (GH-115475)Seth Michael Larson2024-02-2112-262/+402
| | | | | | Manual backport due to code differences. (cherry picked from commit e071b0d558b2f5cddd5a9fc6afadb4ba109ec77e) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-115399: Document CVE-2023-52425 under "XML vulnerabilities" ↵Miss Islington (bot)2024-02-212-0/+14
| | | | | | | | (GH-115400) (GH-115764) Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities" (cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
* [3.8] gh-97032: avoid test_squeezer crash on macOS buildbots (GH-115508) ↵Miss Islington (bot)2024-02-211-0/+1
| | | | | | | (GH-115656) (cherry picked from commit 17a6533dbf5ffdfd707c1514a61423d9ac59a9cb) Co-authored-by: Ned Deily <nad@python.org>
* [3.8] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-115164) ↵Seth Michael Larson2024-02-212-22/+40
| | | | | | | | | (GH-115536) Feeding the parser by too small chunks defers parsing to prevent CVE-2023-52425. Future versions of Expat may be more reactive. (cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.8] gh-115349: Pin theme to fix code snippets (GH-115351) (#115404)Łukasz Langa2024-02-131-1/+1
| | | | | (cherry picked from commit 3fcea416f8261790ce700c52c4262ccb668716d6) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* [3.8] Add missing sections to blurbs (GH-114553) (GH-115340)Miss Islington (bot)2024-02-133-0/+3
| | | | | | Add missing sections to blurbs (GH-114553) (cherry picked from commit dc8893af7df706138161d82ce7d1d2f9132d14f9) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* [3.8] gh-111239: Update Windows build to use zlib 1.3.1 (GH-114877) (#115086)Łukasz Langa2024-02-063-2/+3
| | | | | (cherry picked from commit 618d7256e78da8200f6e2c6235094a1ef885dca4) Co-authored-by: Zachary Ware <zach@python.org>
* [3.8] gh-107888: Fix test_mmap.test_access_parameter() on macOS 14 ↵Miss Islington (bot)2024-01-171-4/+9
| | | | | | | (GH-109928) (GH-114183) (cherry picked from commit 9dbfe2dc8e7bba25e52f9470ae6969821a365297) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.8] gh-109991: Update Windows build to use OpenSSL 1.1.1w (GH-111266)Zachary Ware2024-01-173-4/+8
| | | | | (cherry picked from commit dcb16c98be61630369227f0d893f8d9262d25cac) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.8] gh-91133: tempfile.TemporaryDirectory: fix symlink bug in cleanup ↵Serhiy Storchaka2024-01-173-10/+136
| | | | | | | (GH-99930) (GH-112843) (cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d) Co-authored-by: Søren Løvborg <sorenl@unity3d.com>
* [3.8] bpo-37013: Fix the error handling in socket.if_indextoname() ↵Miss Islington (bot)2024-01-173-5/+27
| | | | | | | | | (GH-13503) (GH-113474) * Fix a crash when pass UINT_MAX. * Fix an integer overflow on 64-bit non-Windows platforms. (cherry picked from commit 0daf555c6fb3feba77989382135a58215e1d70a5) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* [3.8] gh-108310: Fix TestPreHandshakeClose tests in test_ssl (#110718)Lumír 'Frenzy' Balhar2024-01-172-6/+11
| | | | | | | | | The new class is part of the fix for CVE-2023-40217: https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba278f89b but it's not in the lists of tests so they're not executed. The new tests also need `SHORT_TIMEOUT` constant not available in test.support in 3.8. Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-113659: Skip hidden .pth files (GH-113660) (GH-114147)Serhiy Storchaka2024-01-173-1/+50
| | | | Skip .pth files with names starting with a dot or hidden file attribute. (cherry picked from commit 74208ed0c440244fb809d8acc97cb9ef51e888e3)
* [3.8] gh-114021: Pin various sphinxcontrib extensions to older versions ↵Adam Turner2024-01-172-0/+26
| | | | | | | (GH-114022) (GH-114040) (cherry picked from commit 94b1d1fa38ada8cf7d196184a04a195c152eed75) Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* [3.8] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) ↵Serhiy Storchaka2024-01-173-0/+75
| | | | | | | (GH-113916) Raise BadZipFile when try to read an entry that overlaps with other entry or central directory. (cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
* [3.8] Fix documentation build by pinning Alabaster version to 0.7.13 ↵Miss Islington (bot)2024-01-101-0/+2
| | | | | | | | | | | (GH-113815) (#113899) Alabaster is Sphinx's dependency. Alabaster 0.7.14 released on 2024-01-08 dropped support for Sphinx 3.3 and earlier. (cherry picked from commit f86e20e4a86de4a06c04200c55e6f639f6795257) https://alabaster.readthedocs.io/en/latest/changelog.html Co-authored-by: Maciej Olko <maciej.olko@affirm.com>
* [3.8] gh-112160: Add 'regen-configure' make target (#112167)Seth Michael Larson2023-12-065-5/+42
|
* [3.8] gh-101180: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 codecs ↵Łukasz Langa2023-11-063-3/+53
| | | | | | | read out of bounds (gh-111695) (gh-111781) (cherry picked from commit c8faa3568afd255708096f6aa8df0afa80cf7697) Co-authored-by: Masayuki Moriyama <masayuki.moriyama@miraclelinux.com>
* [3.8] CI: Bump GitHub Actions (GH-108879) (#108894)Hugo van Kemenade2023-09-075-16/+16
| | | Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-109002: Ensure only one wheel for each vendored package (GH-109003) ↵Miss Islington (bot)2023-09-061-4/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (#109009) Output with one wheel: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py Verifying checksum for /Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl. Expected digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be Actual digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be ::notice file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Successfully verified the checksum of the pip wheel. ``` Output with two wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl::Found more than one wheel for package pip. ::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Found more than one wheel for package pip. ``` Output without wheels: ``` ❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py ::error file=::Could not find a pip wheel on disk. ``` (cherry picked from commit f8a047941f2e4a1848700c21d58a08c9ec6a9c68) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.8] gh-101997: Remove stale pip-22.0.4-py3-none-any.whl from the 3.8 ↵Łukasz Langa2023-09-061-0/+0
| | | | | branch (#108998) This was left over in gh-102244.
* [3.8] Add a dummy .rtfd.yml file to silence invalid failing webhooks ↵Miss Islington (bot)2023-09-051-0/+12
| | | | | | | | (GH-108908) (#108926) (cherry picked from commit 5970435b26fc85c83490bc915c894ea7dd0fbf21) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
* Post 3.8.18Łukasz Langa2023-08-241-1/+1
|
* Fix invalid string escapeŁukasz Langa2023-08-241-2/+2
|
* Python 3.8.18v3.8.18Łukasz Langa2023-08-246-15/+37
|
* [3.8] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) ↵Łukasz Langa2023-08-242-31/+79
| | | | | | | | | | | | | | | | | | | | | (#108408) * In preauth tests of test_ssl, explicitly break reference cycles invoving SingleConnectionTestServerThread to make sure that the thread is deleted. Otherwise, the test marks the environment as altered because the threading module sees a "dangling thread" (SingleConnectionTestServerThread). This test leak was introduced by the test added for the fix of issue gh-108310. * Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds timeout. * SingleConnectionTestServerThread.run() catchs TimeoutError * Fix a race condition (missing synchronization) in test_preauth_data_to_tls_client(): the server now waits until the client connect() completed in call_after_accept(). * test_https_client_non_tls_response_ignored() calls server.join() explicitly. * Replace "localhost" with server.listener.getsockname()[0]. (cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
* [3.8] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) ↵Miss Islington (bot)2023-08-231-1/+5
| | | | | | | | | | | | | (#108352) Explicitly break a reference cycle when SSLSocket._create() raises an exception. Clear the variable storing the exception, since the exception traceback contains the variables and so creates a reference cycle. This test leak was introduced by the test added for the fix of GH-108310. (cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.8] gh-107845: Fix symlink handling for tarfile.data_filter (GH-107846) ↵Petr Viktorin2023-08-224-9/+154
| | | | | | | | | | (#108279) (cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>
* [3.8] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL ↵Ned Deily2023-08-223-4/+6
| | | | | 1.1.1v, 3.0.10, and 3.1.2. (#108124) (cherry picked from commit 441797d4ffb12acda257370b9e5e19ed8d6e8a71)
* [3.8] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close ↵Łukasz Langa2023-08-223-1/+252
| | | | | | | | | | | | | | | | | | flaw (#108321) gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
* [3.8] CI: Bump macOS build to use OpenSSL v3.0 (GH-105538) (#105872)Erlend E. Aasland2023-07-051-2/+3
| | | | | | (cherry picked from commit 34e93d3998bab8acd651c50724eb1977f4860a08) Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
* [3.8] [3.11] Add single value `agen.athrow(value)` signature to the 3.11 ↵Miss Islington (bot)2023-07-051-1/+2
| | | | | | | docs gh-105269 (GH-105468) (#105478) (cherry picked from commit acf3916e84158308660ed07c474a564e045d6884) Co-authored-by: Federico Caselli <CaselIT@users.noreply.github.com>
* Post 3.8.17Łukasz Langa2023-06-061-1/+1
|
* Python 3.8.17v3.8.17Łukasz Langa2023-06-0615-29/+124
|
* [3.8] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) ↵Łukasz Langa2023-06-0612-18/+186
| | | | | | | | | | | | | | | | | (GH-105200) (GH-105205) (#105370) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) (cherry picked from commit e15de14c16ce98e773c31607bd70ee911e4ac073) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org>
* [3.8] gh-102153: Start stripping C0 control and space chars in `urlsplit` ↵stratakis2023-06-054-3/+111
| | | | | | | | | | | | | | | | | | | | (GH-102508) (GH-104575) (GH-104592) (#104593) (#104895) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit d7f8a5fe07b0ff3a419ccec434cc405b21a5a304) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
* [3.8] gh-105184: document that marshal functions can fail and need to be ↵Miss Islington (bot)2023-06-052-0/+8
| | | | | | | checked with PyErr_Occurred (GH-105185) (#105222) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
* [3.8] Update GitHub CI workflow for macOS. (GH-105302)Ned Deily2023-06-051-1/+15
|
* [3.8] gh-68966: fix versionchanged in docs (GH-105299)Ned Deily2023-06-051-1/+1
|
* [3.8] gh-103935: Use `io.open_code()` when executing code in trace and ↵Steve Dower2023-05-224-3/+7
| | | | | profile modules (GH-103947) (#103954) Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>
* [3.8] gh-104049: do not expose on-disk location from ↵Miss Islington (bot)2023-05-223-1/+11
| | | | | | | | | | | SimpleHTTPRequestHandler (GH-104067) (#104121) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* [3.8] gh-99889: Fix directory traversal security flaw in uu.decode() ↵Miss Islington (bot)2023-05-223-1/+38
| | | | | | | (GH-104096) (#104332) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
* [3.8] gh-102950: Implement PEP 706 – Filter for tarfile.extractall ↵Petr Viktorin2023-05-178-78/+1777
| | | | | | (GH-102953) (#104548) Backport of c8c3956d905e019101038b018129a4c90c9c9b8f
* [3.8] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102244)Pradyun Gedam2023-03-283-1/+2
| | | (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5)
* [3.8] gh-102627: Replace address pointing toward malicious web page ↵Miss Islington (bot)2023-03-131-1/+1
| | | | | | | | | (GH-102630) (GH-102667) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* [3.8] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101752)Steve Dower2023-03-079-26/+37
| | | | | | | Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org>
generated by cgit v0.12 at 2026-02-23 02:26:56 (GMT)