| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-21033) (#21233)
CVE-2020-14422: The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation.
(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
Signed-off-by: Tapas Kundu <tkundu@vmware.com>
|
| |
|
|
|
|
|
| |
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
Co-authored-by: Rishi <rishi_devan@mail.com>
|
| |
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
| |
Manual backport of bpo-34542, GH-8997 and commit
1da2b23504a68ed0432aa74a17ec2533933f5af8 to Python 3.5.
Signed-off-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
| |
http.client. (#19300)
Add host validation for control characters for more
CVE-2019-18348 protection.
(cherry picked from commit 83fc70159b24)
|
| |
|
|
|
|
|
|
|
|
|
| |
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.
AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
|
| |
|
|
|
| |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) # Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 # Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): # Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
format (GH-17418) (GH-17444) (#17445)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
| |
|
|
| |
(cherry picked from commit 70af06cdc4e8fbee0b9d7d46bdc193097d4bc71f)
|
| |
|
|
|
|
| |
Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.
(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
|
| |
|
|
|
|
| |
validation and encoding behavior (GH-16448) (#16475)
* [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
headers (GH-14794) (#15446)
* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com>
|
| |
|
|
|
|
|
|
| |
(GH-13814) (#14772)
(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
Co-authored-by: Steve Dower <steve.dower@python.org>
(cherry picked from commit fd1771dbdd28709716bd531580c40ae5ed814468)
|
| |
|
|
|
| |
(#12694)
Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
|
| |
|
|
|
|
| |
https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
Co-authored-by: jpic <jpic@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
|
| |
|
|
| |
(GH-13017) (#13042)
|
| |
|
|
|
|
|
|
|
| |
(GH-13505) (#13510)
CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)
We updated the server, our testsuite must match.
https://bugs.python.org/issue36816
✈️ CLE -> DEN ✈️ GH-pycon2019
(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
| |
(GH-10258) (#12281)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactor cookie path check as per RFC 6265
* Add tests for prefix match of path
* Add news entry
* Fix set_ok_path and refactor tests
* Use slice for last letter
(cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c)
|
| |
|
|
| |
(GH-12201) (#12223)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
|
| |
|
|
|
|
| |
On Travis CI, FTP tests of test_urllib2net randomly fail with "425
Security: Bad IP connecting".
(cherry picked from commit c11b3b19a5b022c6c229043d37f9a9fd06f22500)
|
| |
|
|
|
|
| |
* bpo-33001: Minimal fix to prevent buffer overrun in os.symlink
* Remove invalid test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Prevent low-grade poplib REDOS (CVE-2018-1060)
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* [3.5] bpo-32072: Fix issues with binary plists. (GH-4455)
* Fixed saving bytearrays.
* Identical objects will be saved only once.
* Equal references will be load as identical objects.
* Added support for saving and loading recursive data structures.
(cherry picked from commit a897aee)
* Fix implementation dependent assertion in test_plistlib. (#4813)
It is failed with an advanced optimizer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Directory and zipfile execution previously added
the parent directory of the directory or zipfile
as sys.path[0] and then subsequently overwrote
it with the directory or zipfile itself.
This caused problems in isolated mode, as it
overwrote the "stdlib as a zip archive" entry
in sys.path, as the parent directory was
never added.
The attempted fix to that issue in bpo-29319
created the opposite problem in *non*-isolated
mode, by potentially leaving the parent
directory on sys.path instead of overwriting it.
This change fixes the root cause of the problem
by removing the whole "add-and-overwrite" dance
for sys.path[0], and instead simply never adds
the parent directory to sys.path in the first
place.
(cherry picked from commit d2977a3ae2cc6802921b1e3b6e9d13fcfbda872d)
|
| |
|
|
|
|
|
|
|
|
| |
* [3.5] Remove failing pyenv call from CI config
* Backport XML RPC test skip to 3.5
The buildbot service upgrade removed the XML-RPC
interface, so this test no longer works (through no
fault of the standard library).
|
| |
|
|
| |
illegal command (#1214) (#2887)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
tearDown() now clears explicitly the self.server variable to make
sure that the thread is completely cleared when tearDownClass()
checks if all threads have been cleaned up.
Fix the following warning:
$ ./python -m test --fail-env-changed -m test.test_os.TestSendfile.test_keywords -R 3:1 test_os
(...)
Warning -- threading_cleanup() failed to cleanup 0 threads after 3 sec (count: 0, dangling: 2)
(...)
Tests result: ENV CHANGED
(cherry picked from commit d1cc037d1442cc35d1b194ec8e50901514360949)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-30876: Relative import from unloaded package now reimports the package
instead of failing with SystemError.
Relative import from non-package now fails with ImportError rather than
SystemError.
(cherry picked from commit 8a9cd20edca7d01b68292036029ae3735ce65edd)
* bpo-18018: Import raises ImportError instead of SystemError if a relative
import is attempted without a known parent package.
* bpo-26367: importlib.__init__() raises ImportError like
builtins.__import__() when ``level`` is specified but without an accompanying
package specified.
|
| |
|
|
|
| |
* Oops, tzdata was introduced in Python 3.6: remove it from regrtest
* Remove also Lib/test/libregrtest/__init__.py file: add by mistake
on a backport.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running the test suite using --use=all / -u all, exclude tzdata
since it makes test_datetime too slow (15-20 min on some buildbots)
which then times out on some buildbots.
-u tzdata must now be enabled explicitly, -u tzdata or -u all,tzdata,
to run all test_datetime tests.
Fix also regrtest command line parser to allow passing -u
extralargefile to run test_zipfile64.
Travis CI: remove -tzdata. Replace -u all,-tzdata,-cpu with -u all,-cpu since tzdata is now excluded from -u all.
(cherry picked from commit 5b392bbaeb9d9b1db961ecfc7315d8c8662c27f6)
|
| |
|
|
| |
(GH-2755)
|
| |
|
|
|
| |
(GH-2712). (#2728)
(cherry picked from commit 49f6449ef4b81537c19b82329caaf60596c516c2)
|
| |
|
|
|
|
| |
(GH-2690) (#2693)
encoder and decoder.
(cherry picked from commit d3aaa2f)
|
| |
|
|
|
|
|
| |
(GH-2634) (#2657)
called with bytes-like argument.
(cherry picked from commit 1180e5a51871fa53ca6892e83fd2e69dc2600447)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If history-length is set in .inputrc, and the history file is double the
history size (or more), history_get(N) returns NULL, and python
segfaults. Fix that by checking for NULL return value.
It seems that the root cause is incorrect handling of bigger history in
readline, but Python should not segfault even if readline returns
unexpected value.
This issue affects only GNU readline. When using libedit emulation
system history size option does not work.
|
| |
|
| |
Leading whitespace was incorrectly dropped during folding of certain lines in the _header_value_parser's folding algorithm. This makes the whitespace handling code consistent.
|
| |
|
|
|
| |
(GH-2409). (#2557)
(cherry picked from commit 8a8d28501fc8ce25926d168f1c657656c809fd4c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
3.6 to 3.5 (#2540)
* [3.6] bpo-29512, bpo-30776: Backport regrtest enhancements from master to 3.6 (#2513)
* bpo-29512: Add test.bisect, bisect failing tests (#2452)
Add a new "python3 -m test.bisect" tool to bisect failing tests.
It can be used to find which test method(s) leak references, leak
files, etc.
(cherry picked from commit 84d9d14a1fa395fbd21262ba195490be25a7b3bc)
* bpo-30776: regrtest: reduce memleak false positive (#2484)
Only report a leak if each run leaks at least one memory block.
(cherry picked from commit beeca6e1e5fd01531b1db7059498b13d07dca525)
(cherry picked from commit a3ca94d0504157a112a1f89bfe8be1307116fc73)
* bpo-30764: Fix regrtest --fail-env-changed --forever (#2536) (#2539)
--forever now stops if a fail changes the environment.
(cherry picked from commit 5e87592fd12e0b7c41edc11d4885ed7298d5063b)
(cherry picked from commit 4132adb4b8f90893d8f19ff46edff56f189faca0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-30280: asyncio now cleans up threads
asyncio base TestCase now uses threading_setup() and
threading_cleanup() of test.support to cleanup threads.
* asyncio: Fix TestBaseSelectorEventLoop cleanup
bpo-30280: TestBaseSelectorEventLoop of
test.test_asyncio.test_selector_events now correctly closes the event
loop: cleanup its executor to not leak threads.
Don't override the close() method of the event loop, only override
the_close_self_pipe() method.
(cherry picked from commit b9030674624c181d6e9047cdb14ad65bb6c84c66)
|
| |
|
|
|
|
|
|
| |
(GH-2493) (#2498)
* bpo-30807: signal.setitimer() may disable the timer by mistake
* Add NEWS blurb
(cherry picked from commit 729780a810bbcb12b245a1b652302a601fc9f6fd)
|
| |
|
|
|
|
|
|
|
|
|
| |
(#2472)
* Clear potential ref cycle between Process and Process target
Besides Process.join() not being called, this was an indirect cause of bpo-30775.
The threading module already does this.
* Add issue reference.
(cherry picked from commit 79d37ae979a65ada0b2ac820279ccc3b1cd41ba6)
|
| |
|
|
| |
Forgetting to call Process.join() can keep some resources alive.
(cherry picked from commit a79f8faccf5e26f55e8b9496ad49d2071b5e299c)
|
| |
|
|
|
|
|
|
|
|
| |
(GH-2302) (#2463)
Based on patch by Victor Stinner.
Add private C API function _PyUnicode_AsUnicode() which is similar to
PyUnicode_AsUnicode(), but checks for null characters..
(cherry picked from commit f7eae0adfcd4c50034281b2c69f461b43b68db84)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-30523: regrtest --list-cases --match (#2401)
* regrtest --list-cases now supports --match and --match-file options.
Example: ./python -m test --list-cases -m FileTests test_os
* --list-cases now also sets support.verbose to False to prevent
messages to stdout when loading test modules.
* Add support._match_test() private function.
(cherry picked from commit ace56d583664f855d89d1219ece7c21c2fddcf30)
* bpo-30764: regrtest: add --fail-env-changed option (#2402)
* bpo-30764: regrtest: change exit code on failure
* Exit code 2 if failed tests ("bad")
* Exit code 3 if interrupted
* bpo-30764: regrtest: add --fail-env-changed option
If the option is set, mark a test as failed if it alters the
environment, for example if it creates a file without removing it.
(cherry picked from commit 63f54c68936d648c70ca411661e4208329edcf26)
* bpo-30776: reduce regrtest -R false positives (#2422)
* Change the regrtest --huntrleaks checker to decide if a test file
leaks or not. Require that each run leaks at least 1 reference.
* Warmup runs are now completely ignored: ignored in the checker test
and not used anymore to compute the sum.
* Add an unit test for a reference leak.
Example of reference differences previously considered a failure
(leak) and now considered as success (success, no leak):
[3, 0, 0]
[0, 1, 0]
[8, -8, 1]
(cherry picked from commit 48b5c422ffb03affb00c184b9a99e5537be92732)
|
| |
|
|
|
|
| |
bpo-30764, bpo-29335: test_child_terminated_in_stopped_state() of
test_subprocess now uses support.SuppressCrashReport() to prevent the
creation of a core dump on FreeBSD.
(cherry picked from commit cdee3f14f7f4c995e7eedb0bf6a67e260c739f7d)
|
