| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Correctly pre-check for int-to-str conversion
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
|
| |
|
|
|
|
|
|
| |
(GH-95313)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-94094)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
| |
(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-93066) (#93148)
Also while there, clarify a few things about why we reduce the hash to 32 bits.
Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them a invalid URIs.
libexpat >=2.4.5 has become strcter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.
References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/
Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
| |
|
|
|
| |
(cherry picked from commit 6fb62b42f4db56ed5efe0ca4c1059049276c1083)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
| |
POST requests to http://www.example.com/ fail randomly.
(cherry picked from commit 1578de2fcd685c71f9c84e09bac32901dea192c1)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
| |
(GH-29691) (GH-29710)
(cherry picked from commit 4fad314246399b69ef0c57ba8527d9efade99069)
Co-authored-by: Carl Friedrich Bolz-Tereick <cfbolz@gmx.de>
|
| |
|
|
|
|
|
|
|
| |
Add a PID to names of POSIX shared memory objects to allow
running multiprocessing tests (test_multiprocessing_fork,
test_multiprocessing_spawn, etc) in parallel.
(cherry picked from commit eb4495e8e275c83d691add116c4f2b74e73e3cc8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
| |
Fix test_readline.test_nonascii(): sometimes, the newline character
is not written at the end, so don't expect it in the output.
(cherry picked from commit 797c8eb9ef511f0c25f10a453b35c4d2fe383c30)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
| |
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-27946) (GH-27974)
Various date parsing utilities in the email module, such as
email.utils.parsedate(), are supposed to gracefully handle invalid
input, typically by raising an appropriate exception or by returning
None.
The internal email._parseaddr._parsedate_tz() helper used by some of
these date parsing routines tries to be robust against malformed input,
but unfortunately it can still crash ungracefully when a non-empty but
whitespace-only input is passed. This manifests as an unexpected
IndexError.
In practice, this can happen when parsing an email with only a newline
inside a ‘Date:’ header, which unfortunately happens occasionally in the
real world.
Here's a minimal example:
$ python
Python 3.9.6 (default, Jun 30 2021, 10:22:16)
[GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import email.utils
>>> email.utils.parsedate('foo')
>>> email.utils.parsedate(' ')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
t = parsedate_tz(data)
File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
res = _parsedate_tz(data)
File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
if data[0].endswith(',') or data[0].lower() in _daynames:
IndexError: list index out of range
The fix is rather straight-forward: guard against empty lists, after
splitting on whitespace, but before accessing the first element.
(cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac)
Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-25099) (GH-27801)
Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
parsing even more strict. Like socket.inet_pton() any leading zero
is now treated as invalid input.
Signed-off-by: Christian Heimes <christian@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
| |
|
|
|
|
|
|
| |
bpo-33930: Fix typo in the test name. (GH-27733)
(cherry picked from commit f08e6d1bb3c5655f184af88c6793e90908bb6338)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
| |
|
|
|
|
|
| |
objects (GH-27678) (GH-27721)
(cherry picked from commit bfc2d5a5c4550ab3a2fadeb9459b4bd948ff61a2)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
|
| |
|
|
|
|
| |
It wasn't actually detecting the regression due to the assertion being too lenient.
(cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
| |
(cherry picked from commit b5a52eef67997246b4235b5407e52a01e822ce56)
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
|
| |
|
|
|
|
|
| |
suite (GH-26542) (GH-26670)
(cherry picked from commit f171877ebe276749f31386baed5841ce37cbee2e)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| |
|
|
|
|
|
| |
pathlib.Path object (GH-25964). (GH-26056)
(cherry picked from commit e9d7f88d5643f7e6387bf994c130503766d7eb92)
Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
|
| |
|
|
| |
extension modules (GH-26025) (#26028)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The address tuple for CAN_RAW no longer returns the address family
after the introduction of CAN ISO-TP support in a30f6d45ac3. However,
updating test_socket.CANTest.testSendFrame was missed as part of the
change, so the test incorrectly attempts to index past the last tuple
item to retrieve the address family.
This removes the now-redundant check for equality against socket.AF_CAN,
as the tuple will not contain the address family.
(cherry picked from commit 355bae88822bee4de6092b63d69c5a5dad393a16)
Co-authored-by: karl ding <karlding@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
Continue (GH-25916) (#25933)
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
and tabs. (GH-25595) (#25726)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-41100: Support macOS 11 and Apple Silicon on Python 3.8
This is a partial backport of bpo-41100 changes `e8b1c038b14b5fc8120aab62c9bf5fb840274cb6` and `96d906b144e6e6aa96c5ffebecbcc5d38034bbda` for Python 3.8. We introduce the ability to build Python from source for `arm64` on macOS, but we do not make a promise of support. This allows us to omit support for Universal2 binaries as well as weak-linking of symbols from the macOS SDK based on the deployment target, which are larger changes much more difficult to merge.
This also includes a backport of subsequent bpo-42688 change `7e729978fa08a360cbf936dc215ba7dd25a06a08` to fix build errors with external `libffi`.
* bpo-41116: Ensure system supplied libraries are found on macOS 11 (GH-23301) (GH-23455)
On macOS system provided libraries are in a shared library cache
and not at their usual location. This PR teaches distutils to search
in the SDK, even if there was no "-sysroot" argument in
the compiler flags.
(cherry picked from commit 404a719b5127602c1a948f8e189ab61cd3f147d8)
* bpo-42504: fix for MACOSX_DEPLOYMENT_TARGET=11 (GH-23556)
macOS releases numbering has changed as of macOS 11 Big Sur. Previously, major releases were of the form 10.x, 10.x+1, 10.x+2, etc; as of Big Sur, they are now x, x+1, etc, so, for example, 10.15, 10.15.1, ..., 10.15.7, 11, 11.0.1, 11.1, ..., 12, 12.1, etc. Allow Python to build with single-digit deployment target values. Patch provided by FX Coudert.
(cherry picked from commit 5291639e611dc3f55a34666036f2c3424648ba50)
* bpo-42504: Ensure that get_config_var('MACOSX_DEPLOYMENT_TARGET') is a string (GH-24341) (GH-24410)
* bpo-42504: Ensure that get_config_var('MACOSX_DEPLOYMENT_TARGET') is a string
(cherry picked from commit 49926cf2bcc8b44d9b8f148d81979ada191dd9d5)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: FX Coudert <fxcoudert@gmail.com>
Co-authored-by: Max Bélanger <aeromax@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
(GH-25691) (GH-25692)
(cherry picked from commit 2dc6b1789ec86dc80ea290fe33edd61140e47f6f)
Co-authored-by: Irit Katriel <iritkatriel@yahoo.com>
Co-authored-by: Irit Katriel <iritkatriel@yahoo.com>
|
| |
|
|
|
|
|
|
| |
networks (GH-18757) (#25536)
The `.hosts()` method now returns the single address present in a /32 or /128 network..
(cherry picked from commit 8e9c47a947954c997d4b725f4551d50a1d896722)
Co-authored-by: Pete Wicken <2273100+JamoBox@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* [3.8] bpo-34463: Make python tracebacks identical to C tracebacks for
SyntaxErrors without a lineno (GH-23427)
(cherry picked from commit 069560b1171eb6385121ff3b6331e8814a4e7454)
Co-authored-by: Irit Katriel <iritkatriel@yahoo.com>
* 📜🤖 Added by blurb_it.
* added missing newline in test
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
Before, using the * operator to repeat a bytearray would copy data from the start of
the internal buffer (ob_bytes) and not from the start of the actual data (ob_start).
(cherry picked from commit 61d8c54f43a7871d016f98b38f86858817d927d5)
Co-authored-by: Tobias Holl <TobiasHoll@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 3513d55a617012002c3f82dbf3cec7ec1abd7090)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
|
|
|
| |
(GH-25554) (GH-25556)
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
| |
(GH-25452)
Fix problem with ssl.SSLContext.hostname_checks_common_name. OpenSSL does not
copy hostflags from *struct SSL_CTX* to *struct SSL*.
(cherry picked from commit 330b49e397168df789fd0dd20cfe7e81b8e47258)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#25345)
* coerce bytes separator to string
* Add news
* Update Misc/NEWS.d/next/Library/2021-03-11-00-31-41.bpo-42967.2PeQRw.rst
(cherry picked from commit b38601d49675d90e1ee6faa47f7adaeca992d02d)
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
(GH-25437) (GH-25440)
Fix a race condition in the SMTP test of test_logging. Don't close a
file descriptor (socket) from a different thread while
asyncore.loop() is polling the file descriptor.
(cherry picked from commit 75ec103b3adbb7c619a0e22fa60f3d34c5a9e603)
(cherry picked from commit e1903e11a3d42512effe336026e0c67f602e5848)
|
| |
|
|
|
|
|
| |
released (GH-25350). (GH-25369)
(cherry picked from commit 8c14f5a787b21d5a1eae5d5ee981431d1c0e055f)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
| |
objects from file locations (GH-25121)
|
| |
|
|
|
|
| |
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6f37ebc61e9e0d13bcb1a2ddb7fc9723c04b6372)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
(GH-25308)
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 5151d642004c59cce58d669be85d9a5e987f51d3)
Co-authored-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: GH:tiran
|
| | |
|
| |
|
|
|
|
|
|
| |
When a dataclass inherits from an empty base, all immutability checks are omitted. This PR fixes this and adds tests for it.
Automerge-Triggered-By: GH:ericvsmith
(cherry picked from commit 376ffc6ac491da74920aed1b8e35bc371cb766ac)
Co-authored-by: Iurii Kemaev <6885137+hbq1@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
values (GH-20867) (GH-25201)
Co-Authored-By: Claudiu Popa <pcmanticore@gmail.com>
Automerge-Triggered-By: GH:ericvsmith
(cherry picked from commit 75220674c07abfc90c2cd7862d04cfa2e2354450)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* bpo-26053: Fix args echoed by pdb run command (GH-22033)
(cherry picked from commit 652bfdee9495dca241d48278742fe035b7a82bdb)
* bpo-26053: Fix test_pdb.test_issue26053() (GH-25139)
(cherry picked from commit bd4ab8e73906a4f12d5353f567228b7c7497baf7)
(cherry picked from commit 7ad56e254519047aeb9c669b9ea2f2bf0acfd401)
Co-authored-by: Irit Katriel <iritkatriel@yahoo.com>
|
| |
|
|
|
|
| |
Skip the test if setlocale() fails.
(cherry picked from commit f3ab670fea75ebe177e3412a5ebe39263cd428e3)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
| |
(cherry picked from commit 51a85ddce8b336addcb61b96f04c9c5edef07296)
Co-authored-by: Alex Prengère <2138730+alexprengere@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
sys.stderr (GH-25075)
(cherry picked from commit 09b90a037d18f5d4acdf1b14082e57bda78e85d3)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| |
|
|
|
|
|
|
| |
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
(cherry picked from commit 29c451c6989c3c94fa0a9facf187c24f3cbf2420)
Co-authored-by: Carl Meyer <carl@oddbird.net>
Co-authored-by: Carl Meyer <carl@oddbird.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-24906)
Python no longer fails at startup with a fatal error if a command
line argument contains an invalid Unicode character.
The Py_DecodeLocale() function now escapes byte sequences which would
be decoded as Unicode characters outside the [U+0000; U+10ffff]
range.
Use MAX_UNICODE constant in unicodeobject.c.
(cherry picked from commit 9976834f807ea63ca51bc4f89be457d734148682)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
| |
curses.update_lines_cols() is only defined when the curses library
provides either resizeterm() or resize_term() functions which are optional
and are not provided on AIX.
(cherry picked from commit c8b5738810516df5722caf049003e9b319427bec)
Co-authored-by: Michael Felt <aixtools@users.noreply.github.com>
|
