| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Catalina (GH-17636)
(cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
| |
Co-authored-by: tirkarthi
(cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-17311) (GH-17570)
(cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-9518) (#17532)
(cherry picked from commit d219cc4180e7589807ebbef7421879f095e72a98)
Co-authored-by: Yury Selivanov <yury@magic.io>
|
| |
|
|
|
|
|
|
| |
Fix test_pty: if the process is the session leader, closing the
master file descriptor raises a SIGHUP signal: simply ignore SIGHUP
when running the tests.
(cherry picked from commit a1838ec2592e5082c75c77888f2a7a3eb21133e5)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
now contextvars.ContextVar "__class_getitem__" method returns ContextVar class, not None.
https://bugs.python.org/issue38979
Automerge-Triggered-By: @asvetlov
(cherry picked from commit 28c91631c24e53713ad0e8a2bbae716373f5e53d)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
Automerge-Triggered-By: @tiran
|
| |
|
|
|
| |
(cherry picked from commit 808769f3a4cbdc47cf1a5708dd61b1787bb192d4)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
format (GH-17418)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
| |
Make ssl tests less strict and also accept TLSv3 as the default maximum
version. This change unbreaks test_min_max_version on Fedora 32.
https://bugs.python.org/issue38815
(cherry picked from commit 34864d1cffdbfc620f8517dab9a68ae9a37b8c53)
Co-authored-by: torsava <torsava@redhat.com>
|
| |
|
|
|
|
|
|
| |
* bpo-38449: Add tricky test cases
* bpo-38449: Reflect codereview
(cherry picked from commit 2fe4c48917c2d1b40cf063c6ed22ae2e71f4cb62)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
|
| |
SpooledTemporaryFile.rollback() might cause data corruption
when it is in text mode.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>.
(cherry picked from commit ea9835c5d154ab6a54eed627958473b6768b28cc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 9960230f76eb555d6dfbe8a324efed35610c85f9)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
|
|
| |
(GH-17126)
https://bugs.python.org/issue37838
(cherry picked from commit 0aca3a3a1e68b4ca2d334ab5255dfc267719096e)
Co-authored-by: benedwards14 <53377856+benedwards14@users.noreply.github.com>
|
| |
|
|
|
|
|
|
| |
Ignore `GeneratorExit` exceptions when throwing an exception into the `aclose` coroutine of an asynchronous generator.
https://bugs.python.org/issue35409
(cherry picked from commit 8e0de2a4808d7c2f4adedabff89ee64e0338790a)
Co-authored-by: Vincent Michel <vxgmichel@gmail.com>
|
| |
|
|
|
|
|
|
| |
if parent `__init__` is not called from a constructor of object derived from `asyncio.Future`
https://bugs.python.org/issue38785
(cherry picked from commit dad6be5ffe48beb74fad78cf758b886afddc7aed)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
| |
files. (GH-17137)
This change, which follows the behavior of C stdio's fdopen and Python 2's file object, allows pipes to be opened in append mode..
(cherry picked from commit 74fa9f723f700a342e582b5ad4b51a2c4801cd1c)
|
| |
|
|
|
| |
(cherry picked from commit befa032d8869e0fab4732d910f3887642879d644)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-14656)
(cherry picked from commit da6ce58dd5ac109485af45878fca6bfd265b43e9)
Co-authored-by: Daniel Hillier <daniel.hillier@gmail.com>
|
| |
|
|
|
|
| |
Test by Daniel Hillier.
(cherry picked from commit 5c32af7522d908e8c7da0243af37618433289cc5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
| |
decorators. (GH-16861). (GH-16930)
(cherry picked from commit 26ae9f6d3d755734c9f371b9356325afe5764813)
|
| |
|
|
|
| |
(cherry picked from commit 10ecbadb799ddf3393d1fc80119a3db14724d381)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* bpo-27657: Fix urlparse() with numeric paths
Revert parsing decision from bpo-754016 in favor of the documented
consensus in bpo-16932 of how to treat strings without a // to
designate the netloc.
* bpo-22891: Remove urlsplit() optimization for 'http' prefixed inputs.
(cherry picked from commit 5a88d50ff013a64fbdb25b877c87644a9034c969)
Co-authored-by: Tim Graham <timograham@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
main() is now responsible to send the ANSWER, rather than
ServerProto. main() now waits until it got the HELLO before sending
the ANSWER over the new transport.
Previously, there was a race condition between main() replacing the
protocol and the protocol sending the ANSWER once it gets the HELLO.
TLSv1.3 was disabled for the test: reenable it.
(cherry picked from commit fab4ef2df0857ab0c97f3058ac5ec3280c4eb891)
|
| |
|
|
|
|
|
|
|
|
| |
oper parsing of URLs (GH-15685)" (GH-16724) (GH-16727)
Reverts GH-15687 which caused the issue.
https://bugs.python.org/issue22347
https://bugs.python.org/issue38449
|
| |
|
|
|
|
| |
KeyError should cause a failure in parsing the encoded word and should be caught and raised as a _InvalidEWError instead.
(cherry picked from commit 65dcc8a8dc41d3453fd6b987073a5f1b30c5c0fd)
Co-authored-by: Andrei Troie <andreitroie90@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The implementation of weakref.proxy's methods call back into the Python
API using a borrowed references of the weakly referenced object
(acquired via PyWeakref_GET_OBJECT). This API call may delete the last
reference to the object (either directly or via GC), leaving a dangling
pointer, which can be subsequently dereferenced.
To fix this, claim a temporary ownership of the referenced object when
calling the appropriate method. Some functions because at the moment they
do not need to access the borrowed referent, but to protect against
future changes to these functions, ownership need to be fixed in
all potentially affected methods..
(cherry picked from commit 10cd00a9e3c22af37c748ea5a417f6fb66601e21)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
https://bugs.python.org/issue38395
|
| |
|
|
|
|
|
|
| |
Add missing stat.S_IFDOOR, stat.S_IFPORT, stat.S_IFWHT,
stat.S_ISDOOR, stat.S_ISPORT, and stat.S_ISWHT values to
the Python implementation of the stat module.
(cherry picked from commit 7bb14316b8ceddb813f31040a299af94a57ab339)
Co-authored-by: Ronan Lamy <ronan.lamy@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-16658) (GH-16685)
* [bpo-38379](https://bugs.python.org/issue38379): when a finalizer resurrects an object,
nothing is actually collected in this run of gc.
Change the stats to relect that truth..
(cherry picked from commit ecbf35f9335b0420cb8adfda6f299d6747a16515)
Co-authored-by: Tim Peters <tim.peters@gmail.com>
https://bugs.python.org/issue38379
Automerge-Triggered-By: @pablogsal
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
bpo-37531, bpo-38207: On timeout, regrtest no longer attempts to call
`popen.communicate() again: it can hang until all child processes
using stdout and stderr pipes completes. Kill the worker process and
ignores its output.
Reenable test_regrtest.test_multiprocessing_timeout().
bpo-37531: Change also the faulthandler timeout of the main process
from 1 minute to 5 minutes, for Python slowest buildbots.
(cherry picked from commit 0ec618af98ac250a91ee9c91f8569e6df6772758)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
| |
(GH-16641). (GH-16674)
(cherry picked from commit 13abda41003daf599587991d8291f0dacf6e9519)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-16545)
On Windows use UTF-16 (or UTF-32 for 32-bit Tcl_UniChar) with the
"surrogatepass" error handler for converting to/from Tcl Unicode objects.
On Linux use UTF-8 with the "surrogateescape" error handler for converting
to/from Tcl String objects.
Converting strings from Tcl to Python and back now never fails
(except MemoryError).
(cherry picked from commit 06cb94bc8419b9a24df6b0d724fcd8e40c6971d6)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-16550) (GH-16560)
* bpo-36670, regrtest: Fix WindowsLoadTracker() for partial line (GH-16550)
WindowsLoadTracker.read_output() now uses a short buffer for
incomplete line.
(cherry picked from commit 3e04cd268ee9a57f95dc78d8974b21a6fac3f666)
* bpo-36670: Enhance regrtest WindowsLoadTracker (GH-16553)
The last line is now passed to the parser even if it does not end
with a newline, but only if it's a valid value.
(cherry picked from commit c65119d5bfded03f80a9805889391b66fa7bf551)
* bpo-36670: Enhance regrtest (GH-16556)
* Add log() method: add timestamp and load average prefixes
to main messages.
* WindowsLoadTracker:
* LOAD_FACTOR_1 is now computed using SAMPLING_INTERVAL
* Initialize the load to the arithmetic mean of the first 5 values
of the Processor Queue Length value (so over 5 seconds), rather
than 0.0.
* Handle BrokenPipeError and when typeperf exit.
* format_duration(1.5) now returns '1.5 sec', rather than
'1 sec 500 ms'
(cherry picked from commit 098e25672f1c3578855d5ded4f5147795c9ed956)
(cherry picked from commit de3195c937d5fca0d79cc93dbafa76c0f89ca5b8)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
| |
test.pythoninfo now logs environment variables used by OpenSSL and
Python ssl modules, and logs attributes of 3 SSL contexts
(SSLContext, default HTTPS context, stdlib context).
(cherry picked from commit b3e7045f8314e7b62cd95861d207fe2f97e47198)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Windows: Fix counter name in WindowsLoadTracker. Counter names are
localized: use the registry to get the counter name. Original
change written by Lorenz Mende.
* Regrtest.main() now ensures that the Windows load tracker is also
killed if an exception is raised
* TestWorkerProcess now ensures that worker processes are no longer
running before exiting: kill also worker processes when an
exception is raised.
* Enhance regrtest messages and warnings: include test name,
duration, add a worker identifier, etc.
* Rename MultiprocessRunner to TestWorkerProcess
* Use print_warning() to display warnings.
Co-Authored-By: Lorenz Mende <Lorenz.mende@gmail.com>
(cherry picked from commit 982bfa4da07b2e5749a0f4e68f99e972bcc3a549)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
|
| |
|
|
|
|
|
| |
(GH-16472)
(cherry picked from commit 58498bc7178608b1ab031994ca09c43889ce3e76)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
validation and encoding behavior (GH-16448) (GH-16461)
* bpo-38216: Allow bypassing input validation
* bpo-36274: Also allow the URL encoding to be overridden.
* bpo-38216, bpo-36274: Add tests demonstrating a hook for overriding validation, test demonstrating override encoding, and a test to capture expectation of the interface for the URL.
* Call with skip_host to avoid tripping on the host checking in the URL.
* Remove obsolete comment.
* Make _prepare_path_encoding its own attr.
This makes overriding just that simpler.
Also, don't use the := operator to make backporting easier.
* Add a news entry.
* _prepare_path_encoding -> _encode_prepared_path()
* Once again separate the path validation and request encoding, drastically simplifying the behavior. Drop the guarantee that all processing happens in _prepare_path..
(cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
| |
|
|
|
|
|
| |
Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.
(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
test_ssl now handles disabled TLS/SSL versions better. OpenSSL's crypto
policy and run-time settings are recognized and tests for disabled versions
are skipped.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38275
(cherry picked from commit df6ac7e2b82d921a6e9ff5571b40c6dbcf635581)
|
| |
|
| |
(cherry picked from commit 64b4a3a2deabcd4103fac2759a311fe94159b4d1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The private keys for test_ssl were encrypted with 3DES in traditional
PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by
some strict crypto policies. Use PKCSGH-8 format with AES256 encryption
instead.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38271
Automerge-Triggered-By: @tiran
(cherry picked from commit bfd0c963d88f3df69489ee250655e2b8f3d235bd)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Multiprocessing test test_mymanager() now also expects -SIGTERM, not
only exitcode 0.
bpo-30356: BaseManager._finalize_manager() sends SIGTERM to the
manager process if it takes longer than 1 second to stop, which
happens on slow buildbots.
(cherry picked from commit b0e1ae5f5430433766e023c1a6936aeba0f2b84e)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
|
| |
|
|
|
|
|
| |
Multiprocessing tests: increase test_queue_feeder_donot_stop_onexc()
timeout from 1 to 60 seconds.
(cherry picked from commit 99799c722065d0524f3ab0bc455e1938bb8dc60f)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
| |
(cherry picked from commit 1d094af716e8ce5e5710e1dfbce7832ba333be55)
|
| |
|
| |
(cherry picked from commit fb7746d5d10ec4a34198da672018ba15f5667079)
|
| |
|
|
|
|
|
| |
(GH-16239)
This includes such names as "cls", "self", "typename" and "fields".
(cherry picked from commit 2bf31ccab3d17f3f35b42dca97f99576dfe2fc7d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
exceptions (GH-16070)
Even when the helper is not started yet.
This behavior follows conventional generator one.
There is no reason for `async_generator_athrow` to handle `gen.throw()` differently.
https://bugs.python.org/issue38013
(cherry picked from commit c275312a6284bd319ea33c9abd7e15c230eca43f)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
When using multiprocesss (-jN), the main process now uses a timeout
of 60 seconds instead of the double of the --timeout value. The
buildbot server stops a job which does not produce any output in 1200
seconds.
(cherry picked from commit 46b0b81220a23bc4aee5ba3ba67e8cf1b5df7960)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
|
| |
|
|
|
| |
(cherry picked from commit 0bc17ea2f5966f429b5b8d6b4ccb9c01f1f610d0)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
