summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Python 3.9.23v3.9.23Łukasz Langa2025-06-0312-29/+100
|
* Reword 3.9.23 notable changes to reflect status of backportsŁukasz Langa2025-06-031-3/+4
|
* [3.9] gh-135034: Normalize link targets in tarfile, add ↵T. Wouters2025-06-0311-134/+946
| | | | | | | | | | | | | `os.path.realpath(strict='allow_missing')` (GH-135037) (GH-135084) Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517. (cherry picked from commit 3612d8f51741b11f36f8fb0494d79086bac9390a) Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.9] gh-128840: Fix parsing long IPv6 addresses with embedded IPv4 address ↵Miss Islington (bot)2025-06-033-6/+24
| | | | | | | (GH-134836) (GH-135090) (cherry picked from commit d83576bf48d07d5e29d5d171c4e25afb048622aa) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.9] gh-123409: fix `IPv6Address.reverse_pointer` for IPv4-mapped addresses ↵Miss Islington (bot)2025-06-033-12/+53
| | | | | | | | (GH-123419) (GH-135085) Fix functionality that was broken with better textual representation for IPv4-mapped addresses (gh-87799) (cherry picked from commit 77a2fb4bf1a1b160d6ce105508288fc77f636943) Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
* [3.9] gh-128840: Limit the number of parts in IPv6 address parsing ↵Miss Islington (bot)2025-06-033-2/+22
| | | | | | | | | | | | (GH-128841) (GH-134615) Limit length of IP address string to 39 (cherry picked from commit 47f1161d3a2bec52b5b5e952150141709c247da2) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-87799: Improve the textual representation of IPv4-mapped IPv6 ↵Miss Islington (bot)2025-06-033-1/+45
| | | | | | | | | | | | | | | | addresses (GH-29345) (GH-135078) Represent IPv4-mapped IPv6 address as x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of the six high-order 16-bit pieces of the address, and the 'd's are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation). (cherry picked from commit f22bf8e3cf899896cf587099d29290cb43aa9724) Co-authored-by: opavliuk <40970635+opavlyuk@users.noreply.github.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
* [3.9] bpo-43757: Make pathlib use os.path.realpath() to resolve symlinks in ↵Łukasz Langa2025-06-027-124/+192
| | | | | | | | | a path (GH-25264) (GH-135035) Also adds a new "strict" argument to realpath() to avoid changing the default behaviour of pathlib while sharing the implementation. (cherry-picked from commit baecfbd849dbf42360d3a84af6cc13160838f24d) Co-authored-by: Barney Gale <barney.gale@gmail.com>
* [3.9] gh-134062: Fix hash collisions in IPv4Network and IPv6Network ↵Miss Islington (bot)2025-06-023-1/+32
| | | | | | | (GH-134063) (GH-134481) (cherry picked from commit f3fc0c16e08b317cb201cf1073e934e6909f1251) Co-authored-by: Mike Salvatore <mike.s.salvatore@gmail.com>
* [3.9] gh-133767: Fix use-after-free in the unicode-escape decoder with an ↵Serhiy Storchaka2025-06-028-41/+164
| | | | | | | | | | | | | | | | | | | | | | | error handler (GH-129648) (GH-133944) (#134346) * [3.9] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) (GH-133944) If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal(). (cherry picked from commit 9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e) (cherry picked from commit 6279eb8c076d89d3739a6edb393e43c7929b429d) (cherry picked from commit a75953b347716fff694aa59a7c7c2489fa50d1f5) (cherry picked from commit 0c33e5baedf18ebcb04bc41dff7cfc614d5ea5fe) (cherry picked from commit 8b528cacbbde60504f6ac62784d04889d285f18b) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.9] gh-80222: Fix email address header folding with long quoted-string ↵Brian Schubert2025-06-023-1/+51
| | | | | | | | | | | | | | | | (GH-122753) (GH-129111) (GH-132371) Email generators using email.policy.default could incorrectly omit the quote ('"') characters from a quoted-string during header refolding, leading to invalid address headers and enabling header spoofing. This change restores the quote characters on a bare-quoted-string as the header is refolded, and escapes backslash and quote chars in the string. (cherry picked from commit 5aaf4168583) (cherry picked from commit a4ef689ce670684ec132204b1cd03720c8e0a03d) Co-authored-by: R. David Murray <rdmurray@bitdance.com> Co-authored-by: Mike Edmunds <medmunds@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* Post 3.9.22Łukasz Langa2025-04-081-1/+1
|
* Python 3.9.22v3.9.22Łukasz Langa2025-04-089-26/+74
|
* [3.9] gh-131809: Upgrade vendored expat to 2.7.1 (GH-132192) (#132242)Seth Michael Larson2025-04-085-10/+20
| | | | | (cherry picked from commit c0de6500249469e6fc5b458d6afb6bad1b6755cd) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176) (GH-131272) ↵Seth Michael Larson2025-04-034-160/+425
| | | | | | | | | (GH-131364) (cherry picked from commit bb0268f60dfe903a9bdb8d84104247a9318c6b18) (cherry picked from commit 6af54d298d5135302037cdda7a1f5535e48cb1b6) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-121284: Fix email address header folding with parsed encoded-word ↵Petr Viktorin2025-04-033-5/+37
| | | | | | | | | | | | | | | | | (GH-122754) (GH-131412) Email generators using email.policy.default may convert an RFC 2047 encoded-word to unencoded form during header refolding. In a structured header, this could allow 'specials' chars outside a quoted-string, leading to invalid address headers and enabling spoofing. This change ensures a parsed encoded-word that contains specials is kept as an encoded-word while the header is refolded. [Better fix from @bitdancer.] (cherry picked from commit 295b53df2aa18deb625a7da41f7e4babfe6ef34b) Co-authored-by: Mike Edmunds <medmunds@gmail.com> Co-authored-by: R David Murray <rdmurray@bitdance.com>
* [3.9] gh-105704: Disallow square brackets (`[` and `]`) in domain names for ↵Miss Islington (bot)2025-02-193-3/+58
| | | | | | | | | parsed URLs (GH-129418) (#129530) (cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.9] gh-119511: Fix a potential denial of service in imaplib (GH-119514) ↵Hugo van Kemenade2025-02-193-1/+32
| | | | | | | | | | | | | | (#130248) The IMAP4 client could consume an arbitrary amount of memory when trying to connect to a malicious server, because it read a "literal" data with a single read(size) call, and BufferedReader.read() allocates the bytes object of the specified size before reading. Now the IMAP4 client reads data by chunks, therefore the amount of used memory is limited by the amount of the data actually been sent by the server. (cherry picked from commit 735f25c5e3a0f74438c86468ec4dfbe219d93c91) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-119461: Fix ThreadedVSOCKSocketStreamTest (GH-129171) (GH-129440) ↵Miss Islington (bot)2025-02-191-5/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (#130075) Fix ThreadedVSOCKSocketStreamTest: if get_cid() returns the host address or the "any" address, use the local communication address (loopback): VMADDR_CID_LOCAL. On Linux 6.9, apparently, the /dev/vsock device is now available but get_cid() returns VMADDR_CID_ANY (-1). (cherry picked from commit 45db419c3104a14007ea9efbc4bff03aef8ed10c) (cherry picked from commit e94dbe4ed83460f18bd72563c5f09f6cdc71f604) (cherry picked from commit c750061047ee520d8299334df4b112fd983d7e48) (cherry picked from commit cbfe3023e46b544b80ea1a38a8c900c6fb881554) --- Restore the skipUnless removed by GH-119465. This test can only pass on virtual machines, not actual machines. Actual machines see: ``` self.cli.connect((cid, VSOCKPORT)) ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^ OSError: [Errno 19] No such device ``` Reproduced on (Linux) Ubuntu 24.04.1 running 6.8.0-52-generic. (cherry picked from commit 2bd9f9b0547f6ffe40cd1dd964459ce11b58144d) Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Petr Viktorin <encukou@gmail.com>
* [3.9] gh-122544: Change OS image in GitHub Actions to Ubuntu 22.04 (#122566) ↵Hugo van Kemenade2025-02-192-14178/+14659
| | | | | (#130295) Co-authored-by: Damien <81557462+Damien-Chen@users.noreply.github.com>
* [3.9] gh-107262: Update Tkinter tests for Tcl/Tk 8.6.14 (GH-119322) (#130275)Miss Islington (bot)2025-02-193-11/+24
| | | | | | Co-authored-by: James De Bias <81095953+DBJim@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* [3.9] gh-129641: Docs GHA build: use upload-artifact@v4 (GH-129642) (#130114)Petr Viktorin2025-02-182-2/+4
| | | | | Co-authored-by: shallow-beach <96891913+shallow-beach@users.noreply.github.com> fix (#128077)
* [3.9] gh-129509: Add required key to the dummy Read the Docs config file ↵Miss Islington (bot)2025-02-181-0/+2
| | | | | | (GH-129510) (#130249) Co-authored-by: Petr Viktorin <encukou@gmail.com>
* [3.9] gh-121277: Allow .. versionadded:: next in docs (GH-121278) (#128117)Petr Viktorin2025-01-232-5/+33
| | | | | | | | | | | | | | | | | | Make `versionchanged:: next`` expand to current (unreleased) version. When a new CPython release is cut, the release manager will replace all such occurences of "next" with the just-released version. (See the issue for release-tools and devguide PRs.) Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> (cherry picked from commit 7d24ea9db3e8fdca52058629c9ba577aba3d8e5c) gh-121277: Raise nice error on `next` as second argument to deprecated-removed (GH-124623) (cherry-picked from e349f73a5ad2856b0a7cbe4aef7cc081c7aed777) (cherry-picked from 3.11: f0895aa9c1d40d0add673cc51bd143556e22100a) (cherry-picked from 3.10: 8773554b717cfb08b4bd11a927813f4ed74762c7)
* Post 3.9.21Łukasz Langa2024-12-031-1/+1
|
* Python 3.9.21v3.9.21Łukasz Langa2024-12-0311-23/+86
|
* [3.9] gh-122792: Make IPv4-mapped IPv6 address properties consistent with ↵Łukasz Langa2024-12-033-5/+55
| | | | | | | | | IPv4 (GH-122793) (GH-123819) (GH-127571) Make IPv4-mapped IPv6 address properties consistent with IPv4. (cherry picked from commit 76a1c5d18312712baed4699fe7333abb050ec9b7) (cherry picked from commit b58da409aac90123c1159916908a4c49144925ee) Co-authored-by: Seth Michael Larson <seth@python.org>
* [3.9] gh-95588: Drop the safety claim from `ast.literal_eval` docs. ↵Miss Islington (bot)2024-12-033-9/+25
| | | | | | | | (GH-95919) (GH-126729) It was never really safe and this claim conflicts directly with the big warning in the docs about it being able to crash the interpreter. (cherry picked from commit 8baef8ae367041a5cfefb40b19c7b87e9bcb56a2) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-126623: Update libexpat to 2.6.4, make future updates easier ↵Seth Michael Larson2024-12-025-11/+80
| | | | | (GH-126792) (GH-126800) (cherry picked from commit 3c9996909402fadc98e6ca2a64e75a71a7427352)
* [3.9] gh-103848: Adds checks to ensure that bracketed hosts found by ↵Victor Stinner2024-12-023-1/+43
| | | | | | | | urlsplit are of IPv6 or IPvFuture format (#103849) (#126976) Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5) Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
* [3.9] gh-127359: Pin Tcl/Tk to 8 (8.6) for testing macOS (GH-127365) (#127409)Hugo van Kemenade2024-11-301-1/+4
|
* [3.9] gh-113027: Fix test_variable_tzname in test_email (GH-113821) (GH-126477)Petr Viktorin2024-11-121-0/+2
| | | | | | | Determine the support of the Kyiv timezone by checking the result of astimezone() which uses the system tz database and not the one populated by zoneinfo. (cherry picked from commit 931d7e052e22aa01e18fcc67ed71b6ea305aff71)
* [3.9] gh-109396: Fix test_socket.test_hmac_sha1() in FIPS mode (GH-109423) ↵Miss Islington (bot)2024-11-042-3/+10
| | | | | | | | | | | | (GH-125107) Use a longer key: FIPS mode requires at least of at least 112 bits. The previous key was only 32 bits. (cherry picked from commit e091b9f20fa8e409003af79f3c468b8225e6dcd3) (cherry picked from commit f7bfac4b3dd30920f97a542fd78c355ce62aa267) Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Petr Viktorin <encukou@gmail.com>
* [3.9] gh-124651: Quote template strings in `venv` activation scripts ↵Victor Stinner2024-11-047-16/+130
| | | | | (GH-124712) (GH-126185) (GH-126269) (GH-126301) (cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)
* [3.9] gh-125041: gh-90781: test_zlib: For s390x HW acceleration, skip ↵Petr Viktorin2024-10-282-2/+22
| | | | | | | | | | checking the compressed bytes (GH-125042) (#125587) This backports two commits: - GH-31096 skipped the tests unconditionally - GH-125042 skips only the possibly-failing assertion (cherry picked from commit d522856)
* [3.9] gh-107902: gh-108948: Don't test setting suid/sgid/sticky on systems ↵Petr Viktorin2024-10-281-15/+39
| | | | | | | | that don't support them (GH-108368) (GH-109697) (#125576) On FreeBSD, regular users cannot set the sticky bit. Skip the test if chmod() fails with EFTYPE error. Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.9] gh-89452: GHA: Set --with-dbmliborder to avoid issues with homebrew's ↵Petr Viktorin2024-10-091-1/+3
| | | | | | | | | | | | | | | gdbm 1.24 (GH-125112) (#125176) Per https://github.com/python/cpython/issues/89452GH-issuecomment-1116329316, the issue is fixed in configure for 3.11+, and > For older Python versions, the workaround is to build with: > > ./configure --with-dbmliborder=gdbm:ndbm We need this workaround in GitHub Actions, otherwise the tests fail. (cherry picked from commit 850189a64e7f0b920fe48cb12a5da3e648435680) Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.9] gh-100454: Fix running SSL tests with OpenSSL 3.1+ (GH-100456) (GH-125186)Miss Islington (bot)2024-10-092-4/+5
| | | | | | | | This fixes Ubuntu pipeline with OpenSSL 3.1+ (cherry picked from commit 333c7dccd87c637d0b15cf81f9bbec28e39664fd) Co-authored-by: Dimitri John Ledkov <19779+xnox@users.noreply.github.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
* Post 3.9.20.Łukasz Langa2024-09-061-1/+1
|
* Python 3.9.20v3.9.20Łukasz Langa2024-09-0621-61/+206
|
* [3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in ↵Petr Viktorin2024-09-065-21/+371
| | | | | | | | | | | | | | email.parseaddr() (GH-111116) (#123769) Detect email address parsing errors and return empty tuple to indicate the parsing error (old API). Add an optional 'strict' parameter to getaddresses() and parseaddr() functions. Patch by Thomas Dwyer. (cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19) Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
* [3.9] gh-123678: Upgrade libexpat 2.6.3 (#123711)Seth Michael Larson2024-09-054-15/+36
| | | (cherry picked from commit fdc04ad75a410ed3af99edfc32c38b5fc3375f52)
* [3.9] gh-67693: Fix urlunparse() and urlunsplit() for URIs with path ↵Serhiy Storchaka2024-09-053-4/+70
| | | | | | | | starting with multiple slashes and no authority (GH-113563) (#119027) (cherry picked from commit e237b25a4fa5626fcd1b1848aa03f725f892e40e) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
* [3.9] gh-112275: Fix HEAD_LOCK deadlock in child process after fork ↵Łukasz Langa2024-09-042-1/+4
| | | | | | | | | (GH-112336) (#123688) HEAD_LOCK is called from _PyEval_ReInitThreads->_PyThreadState_DeleteExcept before _PyRuntimeState_ReInitThreads reinit runtime->interpreters.mutex which might be locked before fork. (cherry picked from commit 522799a05e3e820339718151ac055af6d864d463) Co-authored-by: ChuBoning <102216855+ChuBoning@users.noreply.github.com>
* [3.9] gh-119690: Fixes buffer type confusion in _winapi.CreateFile and ↵Miss Islington (bot)2024-09-042-2/+4
| | | | | | | _winapi.CreateNamedPipe audit events (GH-119735) (#123679) (cherry picked from commit 2e861ac1cd4359463f6a13efd3d3578fce71e5ab) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values ↵Miss Islington (bot)2024-09-043-26/+47
| | | | | | | | with backslashes (GH-123075) (#123107) This fixes CVE-2024-7592. (cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.9] gh-123270: Replaced SanitizedNames with a more surgical fix. ↵Jason R. Coombs2024-09-043-2/+87
| | | | | | | | | | (GH-123354) (#123432) Applies changes from zipp 3.20.1 and jaraco/zippGH-124 (cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6) (cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* [3.9] gh-121285: Remove backtracking when parsing tarfile headers ↵Seth Michael Larson2024-09-043-38/+111
| | | | | | | | | | | | | | (GH-121286) (#123641) * Remove backtracking when parsing tarfile headers * Rewrite PAX header parsing to be stricter * Optimize parsing of GNU extended sparse headers v0.0 (cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4) Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-121650: Encode newlines in headers, and verify headers are sound ↵Łukasz Langa2024-09-0410-4/+162
| | | | | | | | | | | | | | | | | | | | | | | | (GH-122233) (#122610) Per RFC 2047: > [...] these encoding schemes allow the > encoding of arbitrary octet values, mail readers that implement this > decoding should also ensure that display of the decoded data on the > recipient's terminal will not cause unwanted side-effects It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters. They do need to be properly quoted when serialized to text, though. This should fail for custom fold() implementations that aren't careful about newlines. (cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.9] gh-122133: Rework pure Python socketpair tests to avoid use of ↵Miss Islington (bot)2024-08-022-77/+64
| | | | | | | | importlib.reload. (GH-122493) (GH-122508) (cherry picked from commit f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660) Co-authored-by: Russell Keith-Magee <russell@keith-magee.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
generated by cgit v0.12 at 2026-01-07 06:36:03 (GMT)