| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
(cherry picked from commit ed367815eeb9329c48a86a8a7fa3186e27a10f2c)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
| |
(cherry picked from commit 2e6a8efa837410327b593dc83c57492253b1201e)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
| |
https://bugs.python.org/issue39191.
(cherry picked from commit 10ac0cded26d91c3468e5e5a87cecad7fc0bcebd)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
| |
(cherry picked from commit 5ec91f78d59d9c39b984f284e00cd04b96ddb5db)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
| |
|
|
|
| |
(cherry picked from commit b121a4a45ff4bab8812a9b26ceffe5ad642f5d5a)
Co-authored-by: Anthony Sottile <asottile@umich.edu>
|
| |
|
|
|
|
|
| |
(GH-17616)
(cherry picked from commit b19c0d77e6f25ea831ab608c71f15d0d9266c8c4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
| |
No longer import the re module if it is not needed.
(cherry picked from commit 41ec17e45d54473d32f543396293256f1581e44d)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
| |
Ignore leading dots and no longer ignore a trailing newline.
(cherry picked from commit 6a265f0d0c0a4b3b8fecf4275d49187a384167f4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
| |
argument (GH-17826)
(cherry picked from commit ec007cb43faf5f33d06efbc28152c7fdcb2edb9c)
Co-authored-by: Anthony Sottile <asottile@umich.edu>
|
| |
|
|
|
|
| |
(GH-17773) (GH-17785)
(cherry picked from commit 46abfc1416ff8e450999611ef8f231ff871ab133)
|
| |
|
|
|
|
|
|
| |
(cherry picked from commit 37143a8e3b2e9245d52f4ddebbdd1c6121c96884)
Co-authored-by: Ned Batchelder <ned@nedbatchelder.com>
Co-authored-by: Ned Batchelder <ned@nedbatchelder.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-17764)
* [3.8] bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBool (GH-17734)
Take strong references before calling PyObject_RichCompareBool to protect against the case
where the object dies during the call.
(cherry picked from commit 2d5bf568eaa5059402ccce9ba5a366986ba27c8a)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
* Update Objects/listobject.c
@methane's suggestion
Co-Authored-By: Inada Naoki <songofacandy@gmail.com>
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
| |
Hold strong references to list elements while calling PyObject_RichCompareBool().
(cherry picked from commit d9e561d23d994e3ed15f4fcbd7ee5c8fe50f190b)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
| |
|
|
| |
https://bugs.python.org/issue38878
|
| |
|
|
|
|
|
|
|
| |
(GH-17652) (GH-17655)
Fix test_ressources_gced_in_workers() of test_concurrent_futures:
explicitly stop the manager to prevent leaking a child process
running in the background after the test completes.
(cherry picked from commit 673c39331f844a80c465efd7cff88ac55c432bfb)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Multiprocessing and concurrent.futures tests now stop the resource
tracker process when tests complete.
Add ResourceTracker._stop() method to
multiprocessing.resource_tracker.
Add _cleanup_tests() helper function to multiprocessing.util: share
code between multiprocessing and concurrent.futures tests.
(cherry picked from commit 9707e8e22d80ca97bf7a9812816701cecde6d226)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-17645) (GH-17649)
…
Co-Authored-By: Pablo Galindo <Pablogsal@gmail.com>
(cherry picked from commit 50d4f12958bf806a4e1a1021d70cfd5d448c5cba)
Co-authored-by: Lysandros Nikolaou <lisandrosnik@gmail.com>
https://bugs.python.org/issue39080
|
| |
|
|
| |
Catalina (GH-17636)
|
| |
|
|
|
|
| |
Co-authored-by: tirkarthi
(cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 6b5b013bcc22 ("bpo-26978: Implement pathlib.Path.link_to (Using
os.link) (GH-12990)") introduced a new link_to method in pathlib. However,
this makes pathlib crash when the 'os' module is missing a 'link' method.
Fix this by checking for the presence of the 'link' method on pathlib
module import, and if it's not present, turn it into a runtime error like
those emitted when there is no lchmod() or symlink().
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
(cherry picked from commit 092435e932dee1802784ec28f39454f50fdd879a)
Co-authored-by: Toke Høiland-Jørgensen <toke@redhat.com>
|
| |
|
|
|
|
|
| |
(GH-17600)
(cherry picked from commit 5936a4ce914d42af97b9238e5090dedc8d5b0bd2)
Co-authored-by: Lysandros Nikolaou <lisandrosnik@gmail.com>
|
| |
|
|
|
| |
(cherry picked from commit 8289e27393395ee903bd096d42e07c112d7f15c6)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
if_stmt (GH-17582) (GH-17589)
When parsing an "elif" node, lineno and col_offset of the node now point to the "elif" keyword and not to its condition, making it consistent with the "if" node.
https://bugs.python.org/issue39031
Automerge-Triggered-By: @pablogsal
(cherry picked from commit 025a602af7ee284d8db6955c26016f3f27d35536)
Co-authored-by: Lysandros Nikolaou <lisandrosnik@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
* bpo-39022, bpo-38594: Sync with importlib_metadata 1.3 including improved docs for custom finders and better serialization support in EntryPoints.
* 📜🤖 Added by blurb_it.
* Correct module reference
(cherry picked from commit b7a0109cd2bafaa21a4d50aad307e901c68f9156)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
| |
|
|
|
| |
(cherry picked from commit c18b805ac6a2d22176240ca93982fa1fb6559ec7)
Co-authored-by: Tim Gates <tim.gates@iress.com>
|
| |
|
|
|
|
| |
Also allows winreg.CloseKey() to accept same types as other functions.
(cherry picked from commit ee17e3735634c5fe15a43f897707de8011618627)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
|
|
|
| |
* Issue 38992: avoid fsum test failure
* Add NEWS entry
(cherry picked from commit bba873e633f0f1e88ea12fb935cbd58faa77f976)
Co-authored-by: Mark Dickinson <mdickinson@enthought.com>
|
| |
|
|
|
|
|
| |
(GH-9518) (#17531)
(cherry picked from commit d219cc4180e7589807ebbef7421879f095e72a98)
Co-authored-by: Yury Selivanov <yury@magic.io>
|
| |
|
|
|
|
|
| |
(GH-17311) (#17529)
(cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fix test_pty: if the process is the session leader, closing the
master file descriptor raises a SIGHUP signal: simply ignore SIGHUP
when running the tests.
(cherry picked from commit a1838ec2592e5082c75c77888f2a7a3eb21133e5)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
| |
Fix a potential IndexError when passing an empty value to the message-id
parser. Instead, HeaderParseError should be raised.
(cherry picked from commit 3ae4ea1931361dd2743e464790e739d9285501bf)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
This adds a new InvalidMessageID token to the email header parser which can be
used to represent invalid message-id headers in the parse tree.
(cherry picked from commit 68157da8b42b26408af5d157d2dba4fcf29c6320)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
now contextvars.ContextVar "__class_getitem__" method returns ContextVar class, not None.
https://bugs.python.org/issue38979
Automerge-Triggered-By: @asvetlov
(cherry picked from commit 28c91631c24e53713ad0e8a2bbae716373f5e53d)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
Automerge-Triggered-By: @tiran
|
| |
|
|
|
| |
(cherry picked from commit 7ddcd0caa4c2e6b43265df144f59c5aa508a94f2)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
parse_message_id() was improperly using a token defined inside an exception
handler, which was raising `UnboundLocalError` on parsing an invalid value.
https://bugs.python.org/issue38698
(cherry picked from commit bb815499af855b1759c02535f8d7a9d0358e74e8)
Co-authored-by: Claudiu Popa <pcmanticore@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since https://github.com/python/cpython/commit/c64a1a61e6fc542cada40eb069a239317e1af36e two assertions were indented and thus ignored when running test_hmac.
This PR fixes it. As the change is quite trivial I didn't add a NEWS entry.
https://bugs.python.org/issue38270
(cherry picked from commit 894331838b256412c95d54051ec46a1cb96f52e7)
Co-authored-by: stratakis <cstratak@redhat.com>
https://bugs.python.org/issue38270
Automerge-Triggered-By: @tiran
|
| |
|
|
|
| |
(cherry picked from commit 808769f3a4cbdc47cf1a5708dd61b1787bb192d4)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
format (GH-17418)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
| |
Make ssl tests less strict and also accept TLSv3 as the default maximum
version. This change unbreaks test_min_max_version on Fedora 32.
https://bugs.python.org/issue38815
(cherry picked from commit 34864d1cffdbfc620f8517dab9a68ae9a37b8c53)
Co-authored-by: torsava <torsava@redhat.com>
|
| |
|
|
|
|
|
|
| |
* bpo-38449: Add tricky test cases
* bpo-38449: Reflect codereview
(cherry picked from commit 2fe4c48917c2d1b40cf063c6ed22ae2e71f4cb62)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
| |
are invoked (GH-17392)
Also fixes some potential segfaults in unraisable hook handling.
|
| |
|
|
|
|
|
|
|
| |
SpooledTemporaryFile.rollback() might cause data corruption
when it is in text mode.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit ea9835c5d154ab6a54eed627958473b6768b28cc)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
entries to prevent infinite recursion (GH-17397)
(cherry picked from commit 9bbcbc9f6dfe1368fe7330b117707f828e6a2c18)
Co-authored-by: Bruno P. Kinoshita <kinow@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|
| |
|
|
|
| |
(cherry picked from commit 9960230f76eb555d6dfbe8a324efed35610c85f9)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
|
| |
|
|
|
|
|
|
| |
(GH-17126)
https://bugs.python.org/issue37838
(cherry picked from commit 0aca3a3a1e68b4ca2d334ab5255dfc267719096e)
Co-authored-by: benedwards14 <53377856+benedwards14@users.noreply.github.com>
|
| |
|
|
|
|
| |
test_capi: trashcan tests now require the test "cpu" resource.
(cherry picked from commit 0127bb1c5c3286f87e284ff6083133bfdcfd5a4f)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-17294)
on platforms lacking a functional bind() for named unix domain sockets
https://bugs.python.org/issue38841
Automerge-Triggered-By: @asvetlov
(cherry picked from commit 559bad1a70ed50cc9caa7cb303b6ac1fe6a34af3)
Co-authored-by: xdegaye <xdegaye@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This PR implements a fix for `multiprocessing.Process` objects; the error occurs when Processes are created using either `fork` or `forkserver` as the `start_method`.
In these instances, the `MainThread` of the newly created `Process` object retains all attributes from its parent's `MainThread` object, including the `native_id` attribute. The resulting behavior is such that the new process' `MainThread` captures an incorrect/outdated `native_id` (the parent's instead of its own).
This change forces the Process object to update its `native_id` attribute during the bootstrap process.
cc @vstinner
https://bugs.python.org/issue38707
Automerge-Triggered-By: @pitrou
(cherry picked from commit c6b20be85c0de6f2355c67ae6e7e578941275cc0)
Co-authored-by: Jake Tesler <jake.tesler@gmail.com>
|
