path: root/Lib/test
Commit message | Author | Age | Files | Lines
* [3.6] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28038)
  Miss Islington (bot) | 2021-08-30 | 1 | -0/+55

  Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
  (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
* bpo-45001: Make email date parsing more robust against malformed input (GH-27946) (GH-27976)
  Miss Islington (bot) | 2021-08-30 | 1 | -0/+2

  Various date parsing utilities in the email module, such as email.utils.parsedate(), are supposed to gracefully handle invalid input, typically by raising an appropriate exception or by returning None.

  The internal email._parseaddr._parsedate_tz() helper used by some of these date parsing routines tries to be robust against malformed input, but unfortunately it can still crash ungracefully when a non-empty but whitespace-only input is passed. This manifests as an unexpected IndexError.

  In practice, this can happen when parsing an email with only a newline inside a ‘Date:’ header, which unfortunately happens occasionally in the real world.

  Here's a minimal example:

      $ python
      Python 3.9.6 (default, Jun 30 2021, 10:22:16) [GCC 11.1.0] on linux
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import email.utils
      >>> email.utils.parsedate('foo')
      >>> email.utils.parsedate(' ')
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
        File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
          t = parsedate_tz(data)
        File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
          res = _parsedate_tz(data)
        File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
          if data[0].endswith(',') or data[0].lower() in _daynames:
      IndexError: list index out of range

  The fix is rather straight-forward: guard against empty lists, after splitting on whitespace, but before accessing the first element.

  (cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac)
  Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
* bpo-44022: Improve the regression test. (GH-26503) (GH-26508)
  Miss Islington (bot) | 2021-06-03 | 1 | -1/+6

  It wasn't actually detecting the regression due to the assertion being too lenient.

  (cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25935)
  Miss Islington (bot) | 2021-05-06 | 1 | -1/+9

  Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

  Co-authored-by: Gregory P. Smith <greg@krypto.org>
  (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
  Co-authored-by: Gen Xu <xgbarry@gmail.com>
* [3.6] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs (GH-25924)
  Miss Islington (bot) | 2021-05-06 | 1 | -0/+48

  Co-authored-by: Gregory P. Smith <greg@krypto.org>
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
  (cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
  Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
  (cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407)
  Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
* bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067)
  Miss Islington (bot) | 2021-03-29 | 1 | -6/+0

  CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

  (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.6] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881) (GH-24882)
  Miss Islington (bot) | 2021-03-16 | 1 | -1/+26

  The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

  Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else.

  For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.

  (cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
  (cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c)
* [3.6] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532)
  Senthil Kumaran | 2021-02-15 | 2 | -27/+70

  bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().

  urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.

  Co-authored-by: Éric Araujo <merwok@netwok.org>
  Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
  Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* bpo-42794: Update test_nntplib to use official group name for testing (GH-24037) (GH-24042)
  Miss Islington (bot) | 2021-01-01 | 1 | -3/+7

  (cherry picked from commit ec3165320e81ac87edcb85c86c452528ddbaec1c)
  Co-authored-by: Dong-hee Na <donghee.na@python.org>
* bpo-35560: Remove assertion from format(float, "n") (GH-11288) (GH-23231)
  Miss Islington (bot) | 2020-11-10 | 1 | -0/+19

  Fix an assertion error in format() in debug build for floating point formatting with "n" format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.

  (cherry picked from commit 3f7983a25a3d19779283c707fbdd5bc91b1587ef)
  Co-authored-by: Xtreak <tir.karthi@gmail.com>
* [3.6] bpo-42103: Improve validation of Plist files. (GH-22882) (GH-23118)
  Serhiy Storchaka | 2020-11-10 | 1 | -54/+341

  * Prevent some possible DoS attacks via providing invalid Plist files with extremely large number of objects or collection sizes.
  * Raise InvalidFileException for too large bytes and string size instead of returning garbage.
  * Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
  * Raise InvalidFileException instead of TypeError for non-hashable dict keys.
  * Add more tests for invalid Plist files.

  (cherry picked from commit 34637a0ce21e7261b952fbd9d006474cc29b681f)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)
  Miss Skeleton (bot) | 2020-10-20 | 1 | -14/+8

  (cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
  Miss Skeleton (bot) | 2020-10-20 | 1 | -0/+18

  Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
  (cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
  Co-authored-by: Ned Deily <nad@python.org>
* bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
  Miss Islington (bot) | 2020-07-19 | 1 | -0/+22

  reject control chars in http method in http.client.putrequest to prevent http header injection

  (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
  Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
* bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
  Miss Islington (bot) | 2020-07-15 | 2 | -0/+7

  Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

  (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
  Co-authored-by: Rishi <rishi_devan@mail.com>
* bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21462)
  Miss Islington (bot) | 2020-07-13 | 1 | -0/+18

  Automerge-Triggered-By: @tiran
  (cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
  Tapas Kundu | 2020-06-30 | 1 | -0/+11

  CVE-2020-14422

  The __hash__() methods of classes IPv4Interface and IPv6Interface had an issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of an XOR operation.

  (cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
  Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
  Signed-off-by: Tapas Kundu <tkundu@vmware.com>
* bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
  Miss Islington (bot) | 2020-05-27 | 1 | -0/+19

  Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

  (cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)
  Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
  Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
* bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
  Victor Stinner | 2020-04-03 | 1 | -33/+57

  The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

  AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

  Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
  (cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
* bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
  Miss Islington (bot) | 2020-03-14 | 2 | -3/+46

  Add host validation for control characters for more CVE-2019-18348 protection.

  (cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef)
  Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
* closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18350)
  Miss Islington (bot) | 2020-02-04 | 1 | -0/+5

  When called on a closed object, readinto() segfaults on account of a write to a freed buffer:

      ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
      ==220553==  Access not within mapped region at address 0x2A
      ==220553==    at 0x48408A0: memmove (vg_replace_strmem.c:1272)
      ==220553==    by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
      ==220553==    by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
      ==220553==    by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

  Reproducer:

      reader = open("/dev/zero", "rb")
      _void = reader.read(42)
      reader.close()
      reader.readinto(bytearray(42))  ### BANG!

  The problem exists since 2012 when commit dc469454ec added code to free the read buffer on close().

  Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
  (cherry picked from commit cb1c0746f277052e45a60d6c436a765e34722821)
  Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
  Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
* bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118) (GH-18146)
  Miss Islington (bot) | 2020-01-23 | 1 | -0/+31

  (cherry picked from commit 79f89e6e5a659846d1068e8b1bd8e491ccdef861)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS Catalina (GH-17636) (GH-17638)
  Miss Islington (bot) | 2019-12-17 | 1 | -1/+1

  (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
  Co-authored-by: Ned Deily <nad@python.org>
* Fix warnings in test_asyncio.test_base_events (GH-17577) (#17581)
  Miss Islington (bot) | 2019-12-12 | 1 | -3/+4

  Co-authored-by: tirkarthi
  (cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
  Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571)
  Kyle Stanley | 2019-12-11 | 1 | -17/+24

  (cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
  Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
  Miss Islington (bot) | 2019-12-02 | 1 | -0/+9

  (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
  Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)
  Miss Islington (bot) | 2019-11-22 | 1 | -0/+13

  The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

  LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

  The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

      \d+-\w+-\d+(\s*\s*\s*)$

  Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as

      LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

  caused catastrophic backtracking.

  The fix removes ambiguity about which \s* should match a particular space.

  You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g.

      from http.server import BaseHTTPRequestHandler, HTTPServer

      def make_set_cookie_value(n_spaces):
          spaces = " " * n_spaces
          expiry = f"1-c-1{spaces}!"
          return f"b;Expires={expiry}"

      class Handler(BaseHTTPRequestHandler):
          def do_GET(self):
              self.log_request(204)
              self.send_response_only(204)  # Don't bother sending Server and Date
              n_spaces = (
                  int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                  if len(self.path) > 1
                  else 65506  # Max header line length 65536
              )
              value = make_set_cookie_value(n_spaces)
              for i in range(99):  # Not necessary, but we can have up to 100 header lines
                  self.send_header("Set-Cookie", value)
              self.end_headers()

      if __name__ == "__main__":
          HTTPServer(("", 44020), Handler).serve_forever()

  This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

  Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

      import http.cookiejar, urllib.request
      cj = http.cookiejar.CookieJar()
      opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
      r = opener.open("http://localhost:44020/")

  The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

      import requests
      requests.get("http://localhost:44020/")

  * Regression test for http.cookiejar REDoS

  If we regress, this test will take a very long time.

  * Improve performance of http.cookiejar.ISO_DATE_RE

  A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

  (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
  Co-authored-by: bcaller <bcaller@users.noreply.github.com>
* [3.6] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) (GH-16462)
  Jason R. Coombs | 2019-09-28 | 1 | -0/+29

  (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
  Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
  Victor Stinner | 2019-09-28 | 1 | -0/+16

  Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML.

  (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
* bpo-34155: Don't parse domains containing @ (GH-13079) (GH-14826)
  Miss Islington (bot) | 2019-08-09 | 2 | -0/+24

  Before:

      >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
      (Address(display_name='', username='a', domain='malicious.org'),)
      >>> parseaddr('a@malicious.org@important.com')
      ('', 'a@malicious.org')

  After:

      >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
      (Address(display_name='', username='', domain=''),)
      >>> parseaddr('a@malicious.org@important.com')
      ('', 'a@')

  https://bugs.python.org/issue34155

  (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
  Co-authored-by: jpic <jpic@users.noreply.github.com>
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
  Miss Islington (bot) | 2019-08-01 | 1 | -0/+7

  Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop.

  (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
  Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
* Fix infinite loop in email folding logic (GH-12732) (GH-14799)
  Miss Islington (bot) | 2019-07-21 | 1 | -0/+20

  As far as I can tell, this infinite loop would be triggered if:

  1. The value being folded contains a single word (no spaces) longer than max_line_length
  2. The max_line_length is shorter than the encoding's name + 9 characters.

  bpo-36564: https://bugs.python.org/issue36564

  (cherry picked from commit f69d5c61981ea97d251db515c7ff280fcc17182d)
  Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
* bpo-34602: Avoid failures setting macOS stack resource limit (GH-14546) (GH-14549)
  Miss Islington (bot) | 2019-07-02 | 1 | -16/+0

  Under some conditions the earlier fix for bpo-18075, "Infinite recursion tests triggering a segfault on Mac OS X", now causes failures on macOS when attempting to change stack limit with resource.setrlimit resource.RLIMIT_STACK, like regrtest does when running the test suite. The reverted change had specified a non-default stack size when linking the python executable on macOS. As of macOS 10.14.4, the previous code causes a hard failure when running tests, although similar failures had been seen under some conditions under some earlier systems. Reverting the change to the interpreter stack size at link time helped for release builds but caused some tests to fail when built --with-pydebug. Try the opposite approach: continue to build the interpreter with an increased stack size on macOS and remove the failing setrlimit call in regrtest initialization. This will definitely avoid the resource.RLIMIT_STACK error and should have no, or fewer, side effects.

  (cherry picked from commit 5bbbc733e6cc0804f19b071944af8d4719e26ae6)
  Co-authored-by: Ned Deily <nad@python.org>
* bpo-33529, email: Fix infinite loop in email header encoding (GH-12020) (GH-14162)
  Victor Stinner | 2019-06-18 | 2 | -4/+12

  (cherry picked from commit c1f5667be1e3ec5871560c677402c1252c6018a6)
* bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) (GH-13814)
  Miss Islington (bot) | 2019-06-04 | 1 | -5/+6

  (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
  Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13513)
  Victor Stinner | 2019-05-29 | 1 | -0/+18

  CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.

  Co-Authored-By: SH <push0ebp@gmail.com>
  (cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
  (cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b)
* [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13252)
  Gregory P. Smith | 2019-05-29 | 2 | -8/+65

  * [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124)

  Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.

  (cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>

  * Also skip ssl tests that fail when the system rejects TLSv1.

  * Remove the test_httplib change; server was updated.

  self-signed.pythontest.net was updated so the test_httplib change is no longer necessary.
* bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612)
  Victor Stinner | 2019-05-29 | 1 | -0/+15

  Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918: complete the previous partial backport (commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826).

  Co-Authored-By: Christian Heimes <christian@python.org>
* [3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13198)
  Gregory P. Smith | 2019-05-08 | 1 | -14/+32

  We updated the server, our testsuite must match.

  https://bugs.python.org/issue36816

  ✈️ CLE -> DEN ✈️ #pycon2019

  (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-30458: Disallow control chars in http URLs. (GH-12755) (GH-13155)
  Miro Hrončok | 2019-05-08 | 2 | -1/+59

  Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.

  Disable https related urllib tests on a build without ssl (GH-13032)

  These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.

  Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)

  Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
* bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) (GH-13024)
  Miss Islington (bot) | 2019-05-02 | 1 | -0/+6

  (cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3)
  Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.6] bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) (GH-12215)
  Steve Dower | 2019-03-12 | 1 | -0/+23
* bpo-35647: Fix path check in cookiejar (GH-11436) (GH-12268)
  Miss Islington (bot) | 2019-03-12 | 1 | -0/+24

  Co-authored-by: Xtreak <tir.karthi@gmail.com>
* bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (GH-12260)
  Miss Islington (bot) | 2019-03-10 | 1 | -0/+30

  Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.

  (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
  Co-authored-by: Xtreak <tir.karthi@gmail.com>
* Make sure file object is closed if socket.create_connection fails (GH-11334) (GH-11351)
  Miss Islington (bot) | 2019-01-18 | 1 | -5/+4

  The problem affects _testWithTimeoutTriggeredSend in test_socket.py.

  (cherry picked from commit 1f511e1af060e98fb789319a96076c06e7f98135)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-35601: Alleviate race condition when waiting for SIGALRM in test_asyncio (GH-11337) (GH-11348)
  Miss Islington (bot) | 2019-01-18 | 1 | -1/+3

  There is a race condition regarding signal delivery in test_signal_handling_args for test_asyncio.test_events.KqueueEventLoopTests. The signal can be received at any moment outside the time window provided in the test. The fix is to wait for the signal to be received instead with a bigger timeout.

  (cherry picked from commit 5471420faa84519530f29b08f2b042b2288e3e96)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)
  Miss Islington (bot) | 2019-01-16 | 2 | -0/+44

  Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault.

  Signed-off-by: Christian Heimes <christian@python.org>

  https://bugs.python.org/issue35746

  (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
  Co-authored-by: Christian Heimes <christian@python.org>
* Revert "bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff (GH-10639) (GH-11477)" (GH-11509)
  Senthil Kumaran | 2019-01-10 | 1 | -47/+1

  This reverts commit 5d9ae8b9df8371dd65514e0d60b561fd37056986 which was merged to 3.6 in error.
* bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff (GH-10639) (#11477)
  Miss Islington (bot) | 2019-01-09 | 1 | -1/+47

  (cherry picked from commit cbb16459934eaf29c7c7d362939cd05550b2f21f)
  Co-authored-by: Sanyam Khurana <8039608+CuriousLearner@users.noreply.github.com>
* [3.6] bpo-35257: Avoid leaking LTO linker flags into distutils (GH-10900) (GH-11265)
  Victor Stinner | 2018-12-20 | 2 | -1/+3

  When compiling 3rd party C extensions, the linker flags used by the compiler for the interpreter and the stdlib modules, will get leaked into distutils. In order to avoid that, the PY_CORE_LDFLAGS and PY_LDFLAGS_NODIST are introduced to keep those flags separated.

  (cherry picked from commit cf10a750f4b50b6775719cfb17bee00bc3a9c60b)