summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [3.9] [3.11] Add single value `agen.athrow(value)` signature to the 3.11 ↵Miss Islington (bot)2023-07-051-1/+2
| | | | | | | docs gh-105269 (GH-105468) (#105477) (cherry picked from commit acf3916e84158308660ed07c474a564e045d6884) Co-authored-by: Federico Caselli <CaselIT@users.noreply.github.com>
* Post 3.9.17Łukasz Langa2023-06-061-1/+1
|
* Python 3.9.17v3.9.17Łukasz Langa2023-06-0616-29/+134
|
* [3.9] gh-105184: document that marshal functions can fail and need to be ↵Miss Islington (bot)2023-06-052-0/+8
| | | | | | | checked with PyErr_Occurred (GH-105185) (#105221) (cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec) Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
* [3.9] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) ↵Gregory P. Smith2023-06-0512-18/+186
| | | | | | | | | | | | | | | (GH-105200) (#105205) Upgrade builds to OpenSSL 1.1.1u. Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9. Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting). (cherry picked from commit ede89af) Co-authored-by: Ned Deily <nad@python.org>
* [3.9] Update GitHub CI workflow for macOS. (GH-105303)Ned Deily2023-06-051-1/+13
|
* [3.9] gh-68966: fix versionchanged in docs (GH-105298)Ned Deily2023-06-051-1/+1
|
* [3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` ↵Miss Islington (bot)2023-05-224-3/+111
| | | | | | | | | | | | | | | | | | | | | (GH-102508) (GH-104575) (GH-104592) (#104593) gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs) (cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10) (cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941) (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946) Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
* [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() ↵Miss Islington (bot)2023-05-223-1/+38
| | | | | | | (GH-104096) (#104331) (cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4) Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
* [3.9] gh-104049: do not expose on-disk location from ↵Miss Islington (bot)2023-05-223-1/+11
| | | | | | | | | | | SimpleHTTPRequestHandler (GH-104067) (#104120) Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure) (cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a) Co-authored-by: Ethan Furman <ethan@stoneleaf.us> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* [3.9] gh-103935: Use `io.open_code()` when executing code in trace and ↵Steve Dower2023-05-224-3/+7
| | | | | profile modules (GH-103947) (#103953) Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>
* [3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall ↵Petr Viktorin2023-05-158-78/+1761
| | | | | | (GH-102953) (#104382) Backport of c8c3956d905e019101038b018129a4c90c9c9b8f
* [3.9] GH-102126: fix deadlock at shutdown when clearing thread states ↵Kumar Aditya2023-03-282-2/+11
| | | | | (GH-102222) (#102236) (cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144)
* [3.9] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102243)Pradyun Gedam2023-03-284-1/+2
| | | (cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5)
* [3.9] gh-102627: Replace address pointing toward malicious web page ↵Miss Islington (bot)2023-03-131-1/+1
| | | | | | | | | (GH-102630) (GH-102666) (cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839) Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com> Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* [3.9] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101751)Steve Dower2023-03-079-26/+37
| | | | | | | Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Ned Deily <nad@python.org>
* [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… ↵Dong-hee Na2023-02-211-2/+2
| | | | | (#102094) [3.9] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (gh-102079)
* [3.9] gh-101283: Improved fallback logic for subprocess with shell=True on ↵Miss Islington (bot)2023-02-093-1/+60
| | | | | | Windows (GH-101286) (#101709) Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Steve Dower <steve.dower@microsoft.com>
* gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424)Miss Islington (bot)2023-01-301-1/+1
| | | | | (cherry picked from commit ea232716d3de1675478db3a302629ba43194c967) Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
* [3.9] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101214)Miss Islington (bot)2023-01-212-8/+8
| | | | | (cherry picked from commit c22a55c8b4f142ff679880ec954691d5920b7845) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* [3.9] gh-100180: Update Windows installer to OpenSSL 1.1.1s (GH-100903) ↵Steve Dower2023-01-203-4/+5
| | | | (#100904)
* [3.9] GH-100892: Fix race in clearing `threading.local` (GH-100922) (#100939)Kumar Aditya2023-01-204-13/+75
| | | | | | | | | [3.9] [3.10] GH-100892: Fix race in clearing `threading.local` (GH-100922). (cherry picked from commit 762745a124cbc297cf2fe6f3ec9ca1840bb2e873) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>. (cherry picked from commit 683e9fe30ecd024f5508b2a33316752870100a96) Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
* [3.9] gh-95778: add doc missing in some places (GH-100627). (#101066)Éric2023-01-201-0/+10
| | | | | (cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b) Co-authored-by: Éric <earaujo@caravan.coop>
* [3.9] Correct CVE-2020-10735 documentation (GH-100306). (#100697)Gregory P. Smith2023-01-203-7/+7
| | | | | | | (cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825) (cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04) Co-authored-by: Jeremy Paige <ucodery@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] Update copyright year in README (GH-100863) (GH-100865) (GH-100866)Miss Islington (bot)2023-01-091-4/+4
| | | | | | (cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47) Co-authored-by: Ned Deily <nad@python.org> Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>
* [3.9] Update copyright years to 2023. (gh-100851)Benjamin Peterson2023-01-0810-14/+14
| | | | | | | | | | * [3.9] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d) Co-authored-by: Benjamin Peterson <benjamin@python.org> * Update additional copyright years to 2023. Co-authored-by: Ned Deily <nad@python.org>
* Clarify that every thread has its own default context in contextvars (GH-99246)Miss Islington (bot)2022-12-201-0/+5
| | | | | (cherry picked from commit cb60b6131bc2bb11c48a15f808914d8b242b9fc5) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
* Post 3.9.16Łukasz Langa2022-12-061-1/+1
|
* Python 3.9.16v3.9.16Łukasz Langa2022-12-0610-38/+93
|
* [3.9] gh-100001: Omit control characters in http.server stderr logs. ↵Miss Islington (bot)2022-12-064-2/+46
| | | | | | | | | | | | | | | | (GH-100002) (#100032) * gh-100001: Omit control characters in http.server stderr logs. (GH-100002) Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to. (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828) Co-authored-by: Gregory P. Smith <greg@krypto.org> * also escape \s (backport of PR #100038). * add versionadded and remove extra 'to' Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-87604: Avoid publishing list of active per-interpreter audit hooks ↵Steve Dower2022-11-214-0/+20
| | | | via the gc module (GH-99373) (GH-99493)
* [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230)Miss Islington (bot)2022-11-103-17/+27
| | | | | | | | | | There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing ↵Miss Islington (bot)2022-10-282-5/+15
| | | | | | | | | | | | | | | | | | | (GH-98501) (#98504) Linux abstract sockets are insecure as they lack any form of filesystem permissions so their use allows anyone on the system to inject code into the process. This removes the default preference for abstract sockets in multiprocessing introduced in Python 3.9+ via https://github.com/python/cpython/pull/18866 while fixing https://github.com/python/cpython/issues/84031. Explicit use of an abstract socket by a user now generates a RuntimeWarning. If we choose to keep this warning, it should be backported to the 3.7 and 3.8 branches. (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98526)Miss Islington (bot)2022-10-283-7/+18
| | | | | | | | | | | | | This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2]. [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a [2]: https://mouha.be/sha-3-buffer-overflow/ Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
* [3.9] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98786)Miss Islington (bot)2022-10-284-18/+36
| | | | | | | Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680. Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com> (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)
* [3.9] gh-96710: Make the test timing more lenient for the int/str DoS ↵Miss Islington (bot)2022-10-111-6/+8
| | | | | | | | | | | | | | regression test. (GH-96717) (#98196) gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness. (cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params ↵Miss Islington (bot)2022-10-114-4/+46
| | | | | | | | (GH-91993) (#98190) gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba) Co-authored-by: Petr Viktorin <encukou@gmail.com>
* Post 3.9.15Łukasz Langa2022-10-111-1/+1
|
* Python 3.9.15v3.9.15Łukasz Langa2022-10-1111-24/+79
|
* [3.9] gh-91708: Revert params note in urllib.parse.urlparse table (GH-96699) ↵Miss Islington (bot)2022-10-071-1/+2
| | | | | | | | (#98054) Revert params note in urllib.parse.urlparse table (cherry picked from commit eed80458e8e776d15fa862da71dcce58c47e2ca7) Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com>
* [3.9] gh-94208: Add even more TLS version/protocol checks for FreeBSD (#98037)Łukasz Langa2022-10-072-10/+18
| | | Otherwise, buildbot builds would fail since there's no TLS 1.0/1.1 support.
* [3.9] gh-97897: Prevent os.mkfifo and os.mknod segfaults with macOS 13 SDK ↵Miss Islington (bot)2022-10-063-8/+80
| | | | | | | | | | | | | (GH-97944) (#97968) The macOS 13 SDK includes support for the `mkfifoat` and `mknodat` system calls. Using the `dir_fd` option with either `os.mkfifo` or `os.mknod` could result in a segfault if cpython is built with the macOS 13 SDK but run on an earlier version of macOS. Prevent this by adding runtime support for detection of these system calls ("weaklinking") as is done for other newer syscalls on macOS. (cherry picked from commit 6d0a0191a4e5477bd843e62c24d7f3bcad4fd5fc) Co-authored-by: Ned Deily <nad@python.org>
* [3.9] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97574)Miss Islington (bot)2022-10-043-1/+7
| | | | | | | | | | gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. (cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.9] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96657)Miss Islington (bot)2022-10-042-2/+3
| | | | | | gh-96577: Fixes buffer overrun in _msi module (GH-96633) (cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message ↵Victor Stinner2022-10-043-4/+7
| | | | | | | | | | (#96874) (#96877) When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message. (cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d) Co-authored-by: Ned Deily <nad@python.org>
* [3.9] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97012)Miss Islington (bot)2022-10-048-17/+28
| | | | | | | | | gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org> (cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e) Co-authored-by: Dong-hee Na <donghee.na@python.org> Co-authored-by: Ned Deily <nad@python.org>
* [3.9] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97627)Miss Islington (bot)2022-10-043-2/+24
| | | | | | | | | | | | | gh-97616: list_resize() checks for integer overflow (GH-97617) Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)). (cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.9] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) ↵Miss Islington (bot)2022-10-042-18/+10
| | | | | | | | | | | | | | | | | | (GH-97632) gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt. Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead. Co-authored-by: Caleb Shortt <caleb@rgauge.com> (cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341) Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.9] gh-87597: Document TimeoutExpired.stdout & .stderr types (GH-97685) ↵Miss Islington (bot)2022-10-041-2/+7
| | | | | | | | | (GH-97688) This documents the behavior that has always been the case since timeout support was introduced in Python 3.3. (cherry picked from commit b05dd796492160c37c9e15e3882f699f411b3461) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.9] gh-96845: Fix docs around importlib.abc.Traversable (GH-97515) (GH-97761)Jason R. Coombs2022-10-041-2/+6
| | | Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
generated by cgit v0.12 at 2025-03-02 08:23:28 (GMT)