email.parseaddr() (GH-111116) (#123770)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-Authored-By: Thomas Dwyer <github@tomd.tel>
|
(GH-122233) (#122611)
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
This should fail for custom fold() implementations that aren't careful
about newlines.
(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
(GH-122121)
|
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
(GH-113179) (GH-113186) (GH-118177) (GH-118479)
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
[1] https://github.com/python/cpython/issues/61602
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test was backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
|
(GH-117996) (GH-118006)
(cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
(GH-115623) (GH-116275)
Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 .
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
(GH-115400) (GH-115764)
Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
(#108279)
(cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>
|
(GH-102508) (GH-104575) (GH-104592) (#104593) (#104895)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
(cherry picked from commit d7f8a5fe07b0ff3a419ccec434cc405b21a5a304)
(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
|
(GH-102953) (#104548)
Backport of c8c3956d905e019101038b018129a4c90c9c9b8f
|
(GH-102630) (GH-102667)
(cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839)
Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
|
Windows (GH-101286) (#101710)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
|
(cherry picked from commit ea232716d3de1675478db3a302629ba43194c967)
Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
|
(cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825)
(cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04)
Co-authored-by: Jeremy Paige <ucodery@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
(GH-100002) (#100033)
* gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* also escape \s (backport of PR #100038).
* add versionadded and remove extraneous 'to'
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
(GH-91993) (#98192)
gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
(GH-96874) (GH-96877) (GH-97835)
[3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.
(cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d)
Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
* Correctly pre-check for int-to-str conversion
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
* Issue: gh-95778
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
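The argument in the commit message above can be checked numerically. This added example (not part of the commit or of CPython) models the quoted C pre-check in Python; the function names are hypothetical, and it assumes a limit large enough that only `size_a >= 11` can be rejected, as with CPython's default limit of 4300.

```python
"""Numerical check of the int-to-str pre-check described above (added example)."""


def precheck_rejects(size_a: int, max_str_digits: int, shift: int = 30) -> bool:
    """Model of the C test; valid for size_a >= 11, where // matches C division."""
    return max_str_digits // (3 * shift) <= (size_a - 11) // 10


def smallest_rejected_size(max_str_digits: int, shift: int = 30) -> int:
    """Smallest internal digit count (size_a) that the pre-check rejects."""
    size_a = 11
    while not precheck_rejects(size_a, max_str_digits, shift):
        size_a += 1
    return size_a


def precheck_is_safe(max_str_digits: int, shift: int = 30) -> bool:
    """True if every int the pre-check rejects really exceeds 10**max_str_digits.

    The check is monotonic in size_a, so only the smallest rejected size
    matters: an int with s internal digits has magnitude >= 2**(shift*(s-1)).
    """
    s = smallest_rejected_size(max_str_digits, shift)
    return 2 ** (shift * (s - 1)) > 10 ** max_str_digits


def max_slip_through_digits(max_str_digits: int, shift: int = 30) -> int:
    """Longest decimal length that passes the pre-check.

    Such values still run the slow conversion and are caught by the exact
    check afterwards; this bounds how large they can be.
    """
    s = smallest_rejected_size(max_str_digits, shift) - 1
    largest = 2 ** (shift * s) - 1
    digits = max_str_digits
    while 10 ** digits <= largest:  # count digits without calling str()
        digits += 1
    return digits


if __name__ == "__main__":
    for shift in (15, 30):
        print(shift,
              smallest_rejected_size(4300, shift),
              precheck_is_safe(4300, shift),
              max_slip_through_digits(4300, shift))
```

With the default limit, the values that slip past the pre-check are at most a few dozen decimal digits over the limit, which matches the commit's claim that they are "on the small side".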
|
links (GH-94416) (GH-94495)
(cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf)
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
|
(GH-31827)
As per the comments, this mirrors the [datetime documentation](https://docs.python.org/3/library/datetime.html#datetime.datetime.fromtimestamp).
```
>>> import time
>>> time.localtime(999999999999999999999)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OverflowError: timestamp out of range for platform time_t
>>> time.localtime(-3600)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
```
(cherry picked from commit c83fc9c02c9846ec3a2d0123999c98e02f00b3f5)
Co-authored-by: slateny <46876382+slateny@users.noreply.github.com>
|
Since `.. module:: contextvars` sets the module using `.. class:: contextvars.Token`, intersphinx records it as `contextvars.contextvars.Token`.
(cherry picked from commit e501d70b347c5093018d12482c30a7a98aab86d0)
Co-authored-by: Hynek Schlawack <hs@ox.cx>
|
(GH-18170) (GH-28535)
(cherry picked from commit af90b5498b8c6acd67b50fdad007d26dfd1c5823)
Co-authored-by: Sam Sneddon <me@gsnedders.com>
|
Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy
is most used on Windows and macOS.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
(GH-25099) (GH-27801)
Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
parsing even more strict. Like socket.inet_pton() any leading zero
is now treated as invalid input.
Signed-off-by: Christian Heimes <christian@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
(cherry picked from commit 2ff5bb4908975976031ba738866de619cafadc4d)
Co-authored-by: Dennis Sweeney <36520290+sweeneyde@users.noreply.github.com>
|
(#27276)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 64f54b7ccd49764b0304e076bfd79b5482988f53)
Co-authored-by: andrei kulakov <andrei.avk@gmail.com>
|
and tabs. (GH-25595) (#25726)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
|
Accessing the following attributes will now fire PEP 578 style audit hooks as (object.__getattr__, obj, name):
* PyTracebackObject: tb_frame
* PyFrameObject: f_code
* PyGenObject: gi_code, gi_frame
* PyCoroObject: cr_code, cr_frame
* PyAsyncGenObject: ag_code, ag_frame
(cherry picked from commit bb2f3ff7a8f0c3565ccc1946dba7e09a3f7dc209)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
(cherry picked from commit 779232413a367cd3357482e675a5518de102a90e)
Co-authored-by: Shreyash Sharma <shreyash.sharma@philips.com>
Co-authored-by: Shreyash Sharma <shreyash.sharma@philips.com>
|
Fixing callback for lambda when no return value is provided
(cherry picked from commit 50c21ad35372983680b44130be560d856c5f27ca)
Co-authored-by: Shreyash Sharma <shreyash.sharma@philips.com>
Co-authored-by: Shreyash Sharma <shreyash.sharma@philips.com>
|
Result: "quantity_on_hand: int = 0".
(cherry picked from commit e726a902b7c73a7056b7421d801e47ffff255873)
Co-authored-by: Mohamed Moselhy <look4d@gmail.com>
Co-authored-by: Mohamed Moselhy <look4d@gmail.com>
|
(GH-25755)
…eption (GH-23872)
Links for 'raise Exception from x' target to 'The raise statement' (7.8) section instead of 'The import statement' (7.11) section.
There are more modified links than in the bug report because I searched some other ones which can get the same improvement.
(cherry picked from commit 2fd928c8c1328424130cb9c51fc02ad5f9a66328)
This PR is a cherry pick to python 3.8 from https://github.com/python/cpython/pull/23872. The fix was the removal of the change in the other file because the fixed section was introduced in 3.9. So the file does not need to be fixed in 3.8.
Co-authored-by: sblondon <sblondon@users.noreply.github.com>
Automerge-Triggered-By: GH:Mariatta
|
(GH-21789) (GH-25707)
(cherry picked from commit 69a733bda34d413d3ad545ef3132240e5d2a7c0c)
Co-authored-by: Andre Delfino <adelfino@gmail.com>
Co-authored-by: Andre Delfino <adelfino@gmail.com>
|
* Remove duplicated itemgetter example
* Add spaces
(cherry picked from commit 743e2bae10d2010fd1e29b772c9da64efc7c9c47)
Co-authored-by: Andre Delfino <adelfino@gmail.com>
|
(GH-22314) (GH-25639)
(cherry picked from commit 52cd6d5e1b2bece0d8efb58b1af41071c914ebe6)
Co-authored-by: Andre Delfino <adelfino@gmail.com>
|
networks (GH-18757) (#25536)
The `.hosts()` method now returns the single address present in a /32 or /128 network.
(cherry picked from commit 8e9c47a947954c997d4b725f4551d50a1d896722)
Co-authored-by: Pete Wicken <2273100+JamoBox@users.noreply.github.com>
|
drives (GH-25346) (#25367)
(cherry picked from commit 67c0b3d89c4da9750fdb43fc66d3924681b22d2e)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
So long as we don't have idna2008 in the standard library, we should at least point people to the third-party solution.
(cherry picked from commit 1d023e374cf96d143b065242131ddc9b889f9a1e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
(GH-25636)
(cherry picked from commit 8a307e488d596914a7a5df6b2fdd945f8ce81e69)
Co-authored-by: Llandy Riveron Del Risco <llandy3d@gmail.com>
Co-authored-by: Llandy Riveron Del Risco <llandy3d@gmail.com>
|
The check about the f argument type was removed in this commit:
https://github.com/python/cpython/commit/2c94aa567e525c82041ad68a3174d8c3acbf37e2
Thanks to Pedro Arthur Duarte (pedroarthur.jedi at gmail.com) for the help with
this bug.
(cherry picked from commit bd25bcd37a3a41a0e08208e969f0c02287850c61)
Co-authored-by: Adorilson Bezerra <adorilson@gmail.com>
Co-authored-by: Adorilson Bezerra <adorilson@gmail.com>
|
(cherry picked from commit 3c4850e222388889426e250ff43308e4802dc582)
Co-authored-by: Gabriel R F <github@gabrf.com>
|
(GH-19024) (GH-25618)
(cherry picked from commit b6daab2f676de1773d8f35fb362fe4c57449301d)
Co-authored-by: Etienne Gautier <etienne.gautier@outlook.com>
|
Previous ID (5233) refers to "Sieve Email Filtering: Subaddress
Extension". It seems that the actual reference should be "Internet
Message Format" RFC 5322 (https://tools.ietf.org/html/rfc5322).
(The typo probably comes from commit 29d1bc0842 in which the ID of
this RFC got updated from the obsolete 2822.)
Co-authored-by: Ambrose Chua <ambrose@hey.com>
(cherry picked from commit cb5c802dcf8851663c4eac5d73f968f626a3a1dc)
Co-authored-by: Denis Laxalde <denis@laxalde.org>
|
(cherry picked from commit 0d930f108cb8ba66f54197175c1fba0c38253e4a)
Co-authored-by: Andre Delfino <adelfino@gmail.com>
|
It looks like it was accidentally copy-pasted in
6fa7aada9bd3616e0beeb266e818497b2ec1c859.
(cherry picked from commit 7f8e072c6dc88d6973d81f8fd572c04c88e7e3d7)
Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
|
* Clarify, for BaseHTTPRequestHandler, that path includes query
Co-authored-by: David Jones <drj@pobox.com>
(cherry picked from commit a89d8a94a0dd0bd45349efad6d5ad68641f4ff9a)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
|
(GH-25445)
Use a versionadded directive to generate the text "New in version
3.8." (to match with the documentation of other modules).
Automerge-Triggered-By: GH:jaraco
(cherry picked from commit adf24bd835)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
sys.getwindowsversion() (GH-25500)
The sys module uses the kernel32.dll version number, which can vary from the "actual" Windows version.
Since the best option for getting the version is WMI (which is expensive), we switch back to launching cmd.exe (which is also expensive, but a lot less code on our part).
sys.getwindowsversion() is not updated to avoid launching executables from that module.
(cherry picked from commit 2a3f4899c63806439e5bcea0c30f7e6a6295a763)
Co-authored-by: Shreyan Avigyan <shreyan.avigyan@gmail.com>
|