| Commit message (Collapse) | Author | Age | Files | Lines |
| |
(#96563)
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
* Issue: gh-95778
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit b126196838bbaf5f4d35120e0e6bcde435b0b480)
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
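Added example (not part of the commit or of CPython's source): a brute-force check of the argument above, confirming that the up-front test never rejects a value within the limit and showing which sizes are left to the exact check. `SHIFT = 30`, `LIMIT = 4300` and all function names are assumptions chosen for illustration.

```python
# Added illustration, not CPython source. SHIFT and LIMIT are assumed values
# (30-bit internal digits, a 4300-decimal-digit limit); neither is on the page.
SHIFT = 30    # L, PyLong_SHIFT
LIMIT = 4300  # M, max_str_digits


def precheck_rejects(size_a, limit=LIMIT, shift=SHIFT):
    """Up-front test from the commit message, in its floor-division form."""
    return limit // (3 * shift) <= (size_a - 11) // 10


def over_limit(n, limit=LIMIT):
    """Exact test: |n| >= 10**limit, done without any int -> str conversion."""
    return abs(n) >= 10 ** limit


def smallest_of_size(size_a, shift=SHIFT):
    """Smallest magnitude that occupies size_a internal digits."""
    return 1 << (shift * (size_a - 1))


def largest_of_size(size_a, shift=SHIFT):
    """Largest magnitude that occupies size_a internal digits."""
    return (1 << (shift * size_a)) - 1


def first_rejected_size(limit=LIMIT, shift=SHIFT):
    """Smallest size_a at which the pre-check fires."""
    size_a = 1
    while not precheck_rejects(size_a, limit, shift):
        size_a += 1
    return size_a


def false_positives(max_size=600, limit=LIMIT, shift=SHIFT):
    """Sizes the pre-check rejects although a value of that size is within the limit."""
    return [s for s in range(1, max_size + 1)
            if precheck_rejects(s, limit, shift)
            and not over_limit(smallest_of_size(s, shift), limit)]


def slip_through(max_size=600, limit=LIMIT, shift=SHIFT):
    """Sizes that pass the pre-check yet contain values over the limit."""
    return [s for s in range(1, max_size + 1)
            if not precheck_rejects(s, limit, shift)
            and over_limit(largest_of_size(s, shift), limit)]


if __name__ == "__main__":
    print(first_rejected_size(), false_positives(), slip_through())
```

With these assumed values the pre-check first fires at 481 internal digits, and only sizes 477 to 480 hold over-limit values that are left to the exact check.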
| |
(GH-96557)
* gh-68163: Correct conversion of Rational instances to float
Also document that numerator/denominator properties are instances of Integral.
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
(cherry picked from commit 8464b754c4168586b99e2135ccd2567e025625a9)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
| |
(GH-96533)
| |
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.
This PR comes fresh from a pile of work done in our private PSRT security response team repo.
This backports https://github.com/python/cpython/pull/96499 aka 511ca9452033ef95bc7d7fc404b8161068226002
Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).
* Issue: gh-95778
I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
| |
(cherry picked from commit 1c01bd28a0ec7e46e570a07d970c590b1809f8f1)
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
| |
(GH-96340) (GH-96342)
| |
find_unused_port() has an inherent race condition, but we can't use
bind_port() as that uses .getsockname() which this test is exercising.
Try binding to unused ports a few times before failing.
Signed-off-by: Ross Burton <ross.burton@arm.com>
(cherry picked from commit df110126971d0271a977ce10779083b3e335b4da)
Co-authored-by: Ross Burton <ross.burton@arm.com>
| |
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
| |
(GH-96176)
X-Ref: https://github.com/python/typeshed/pull/8590GH-discussion_r951473977
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
(cherry picked from commit 58f6953d6d3fe20d972bfa2f6e982206adcf1353)
Co-authored-by: Kevin Kirsche <Kev.Kirsche+GitHub@gmail.com>
| |
(GH-95207)
| |
8) (GH-95934) (GH-95938)
(cherry picked from commit a965db37f27ffb232312bc13d9a509f0d93fcd20)
Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>
Automerge-Triggered-By: GH:lysnikolaou
| |
8) (GH-95935)
(cherry picked from commit https://github.com/python/cpython/commit/b5e3ea286289fcad12be78480daf3756e350f69f)
Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>
Automerge-Triggered-By: GH:lysnikolaou
| |
Under certain build conditions, test_check_c_globals fails. This fix takes the same approach as we took for gh-84236 (via gh-20095). We'll be removing use of distutils in the c-analyzer at some point. Until then we'll hide the warning filter.
(cherry picked from commit 3ff6d9affb351292ad8530802e7c06f651520706)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
| |
(GH-95665) (GH-95859)
This PR fixes the error message from float(s) in the case where s contains only whitespace.
(cherry picked from commit 97e9cfa75a80b54a0630b7371f35e368a12749d1)
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
| |
(GH-95786)
(cherry picked from commit cc9160a29bc3356ced92348bcd8e6668c67167c9)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>
(cherry picked from commit a17cd47b614f8bc660788647a009a25e121221d7)
Co-authored-by: Sion Kang <31057849+Yaminyam@users.noreply.github.com>
| |
(cherry picked from commit 4703c158116bd157e20938bbf5356b79422470bb)
Co-authored-by: Sion Kang <31057849+Yaminyam@users.noreply.github.com>
| |
`dataclass` was called as a function when it was almost certainly intended to be a decorator.
(cherry picked from commit 59e09efe888affe549e9249f188797c1325edecc)
Co-authored-by: da-woods <dw-git@d-woods.co.uk>
| |
It updates links which redirect to HTTPS with different authority or
path.
(cherry picked from commit d0d0154443cafb2f0a2cdfb6a1267d80cce8388e)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
(cherry picked from commit b53aed76d26419fc7449c358c6035c9afe055e16)
Co-authored-by: Jo, Yunjin <black33jo@gmail.com>
| |
(cherry picked from commit 0956b6d9c44f66cc152c6afe22a3793e5b157cfd)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
Co-authored-by: Thomas Grainger <tagrain@gmail.com>
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
| |
(GH-94999) (GH-95354)
When keyword argument name is an instance of a str subclass with
overloaded methods __eq__ and __hash__, the former code could not find
the name of an extraneous keyword argument to report an error, and
_PyArg_UnpackKeywords() returned success without setting the
corresponding cell in the linearized arguments array. But since the number
of expected initialized cells is determined as the total number of passed
arguments, this led to reading NULL as a keyword parameter value, that
caused SystemError or crash or other undesired behavior.
(cherry picked from commit ebad53a4dc1bb591820724a22cef9b8459185b5f)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
(cherry picked from commit 565403038b75eb64ea483b2757ba30769246d853)
Co-authored-by: Christian Heimes <christian@python.org>
| |
Now the tests are correctly reported as skipped if sqlite3 is not available.
(cherry picked from commit 152eb90311fdf294510b5d077332580ba18c0ee4)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>
| |
Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
(cherry picked from commit ea5ed0ba51c10cfdde7651a475438551964dfdfc)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
(cherry picked from commit 5956de16cd00e7e1cf5cbf3d7b4a930eaa928321)
Co-authored-by: Christian Heimes <christian@python.org>
| |
(cherry picked from commit 5c7f3bcdafedd60a385e8ca5403bc6b0b7a862b3)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
| |
(GH-94931) (GH-94963)
(cherry picked from commit 067f0da33506f70c36a67d5f3d8d011c8dae10c9)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
directory (#95016)
| |
(GH-94891)
(cherry picked from commit f36589510b8708fa224d799d5b328deab558aa4e)
Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>
| |
feature_version (GH-94950) (#94990)
(cherry picked from commit 0daba822212cd5d6c63384a27f390f0945330c2b)
Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>
| |
Added in 339fd46cb764277cbbdc3e78dcc5b45b156bb6ae - but as noted in a comment, the test only tests ThreadPoolExecutor.
(cherry picked from commit 3f2dd0a7c0b1a5112f2164dce78fcfaa0c4b39c7)
Co-authored-by: Florian Bruhin <me@the-compiler.org>
| |
(GH-94948) (#94969)
* gh-94947: Disallow parsing walrus with feature_version < (3, 8)
* oops, commit the parser
* 📜🤖 Added by blurb_it.
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>.
(cherry picked from commit ae0be5a53bb4caee3de4888341addd9c94133f2d)
Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>
| |
When binding a unix socket to an empty address on Linux, the socket is
automatically bound to an available address in the abstract namespace.
```python
>>> s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
>>> s.bind("")
>>> s.getsockname()
b'\x0075499'
```
Since Python 3.9, the socket is bound to the one address:
```python
>>> s.getsockname()
b'\x00'
```
And trying to bind multiple sockets will fail with:
```
Traceback (most recent call last):
  File "/home/nsoffer/src/cpython/Lib/test/test_socket.py", line 5553, in testAutobind
    s2.bind("")
OSError: [Errno 98] Address already in use
```
Added 2 tests:
- Auto binding empty address on Linux
- Failing to bind an empty address on other platforms
Fixes f6b3a07b7df6 (bpo-44493: Add missing terminated NUL in sockaddr_un's length (GH-26866)
(cherry picked from commit c22f134211743cd5ad14cec1dd4f527bee542b4c)
Co-authored-by: Nir Soffer <nsoffer@redhat.com>
| |
It returned 1 (success) when warnings are turned into exceptions.
(cherry picked from commit 107c21c5d56682320b38c01b5575c1604a429239)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
nodes (GH-94895) (#94911)
(cherry picked from commit 2e9da8e3522764d09f1d6054a2be567e91a30812)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
| |
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
| |
multiple times (GH-30274) (#94748)
(cherry picked from commit 86c1df18727568758cc329baddc1836e45664023)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
| |
* fix allocator and deallocator
* 📜🤖 Added by blurb_it.
* code review
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
(cherry picked from commit f5b76330cfb93e1ad1a77c71dafe719f6a808cec)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
| |
in AC (GH-94431) (#94650)
(cherry picked from commit 8bbd70b4d130f060f87e3f53810dc747a49fa369)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>
| |
(GH-94511) (#94579)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>.
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
| |
(GH-94424) (GH-94577)
Co-authored-by: Erik De Bonte <erikd@microsoft.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 5f319308a820f49fec66fc3ade50bbaa9fe2105d)
| |
(GH-94565)
Co-authored-by: Erik Montnemery <erik@montnemery.com>
| |
test_venv.EnsurePipTest.test_with_pip (GH-93959) (GH-94004)
This change does three things:
1. Extract a function for trapping output in subprocesses.
2. Emit both stdout and stderr when encountering an error.
3. Apply the change to `ensurepip._uninstall` check.
(cherry picked from commit 6066f450b91f1cbebf33a245c14e660052ccd90a)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
| |
(GH-94461)
The inspect version was not working with unittest.mock.AsyncMock.
The fix introduces special-casing of AsyncMock in
`inspect.iscoroutinefunction` equivalent to the one
performed in `asyncio.iscoroutinefunction`.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 4261b6bffc0b8bb5c6d4d80578a81b7520f4aefc)
Co-authored-by: Mehdi ABAAKOUK <sileht@sileht.net>
| |
(GH-93917) (GH-93970)
(cherry picked from commit b1ae4af5e82e7275cebcfb383690b816a388a785)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
Automerge-Triggered-By: GH:iritkatriel
| |
(GH-94410)
(cherry picked from commit 21cbdae90ffdac047d27d1b83a5442fabcf89f7c)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
| |
(GH-94298) (#94385)