path: root/Lib
Commit message | Author | Age | Files | Lines
* PyDoc and blurb updates for 3.4.9rc1. | Larry Hastings | 2018-07-19 | 1 | -1/+1
|
* [3.4] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5992) | Steve Dower | 2018-05-14 | 1 | -0/+40
|   * bpo-33001: Minimal fix to prevent buffer overrun in os.symlink
|   * Skips test to avoid crashing during the test suite
|   * Remove invalid test
* [3.4] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) (#6035) | Ned Deily | 2018-03-11 | 4 | -4/+34
|   * Prevent low-grade poplib REDOS (CVE-2018-1060)
|     The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server.
|     Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752.
|     A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns.
|     Replace it with a similar non-vulnerable regex.
|     The new regex is RFC compliant. The old regex was non-compliant in edge cases.
|   * Prevent difflib REDOS (CVE-2018-1061)
|     The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector.
|     Replace it with an equivalent non-vulnerable regex.
|     Also introduce unit and REDOS tests for difflib.
|   Co-authored-by: Tim Peters <tim.peters@gmail.com>
|   Co-authored-by: Christian Heimes <christian@python.org>.
* [3.4] [3.5] bpo-32620: Remove failing pyenv call from CI config (GH-5274) (#5533) | larryhastings | 2018-02-04 | 1 | -0/+1
|   * [3.5] Remove failing pyenv call from CI config
|   * Backport XML RPC test skip to 3.5
|     The buildbot service upgrade removed the XML-RPC interface, so this test no longer works (through no fault of the standard library).
|     (cherry picked from commit 4a4c2743133e195cc3725b78a895d85d69e50089)
|   Co-authored-by: Nick Coghlan <ncoghlan@gmail.com>
* blurb release and pydoc topics for 3.4.8rc1. | Larry Hastings | 2018-01-23 | 1 | -78/+12863
|
* [3.4] bpo-32072: Fix issues with binary plists. (GH-4455) (#4658) | Serhiy Storchaka | 2018-01-22 | 2 | -37/+107
|   * [3.4] bpo-32072: Fix issues with binary plists. (GH-4455)
|   * Fixed saving bytearrays.
|   * Identical objects will be saved only once.
|   * Equal references will be loaded as identical objects.
|   * Added support for saving and loading recursive data structures.
|     (cherry picked from commit a897aeeef647259a938a36cb5eb6680c86021c6a)
|   * Fix implementation dependent assertion in test_plistlib. (#4813)
|     It is failed with an advanced optimizer.
* Blurb release and pydoc topics for 3.4.7 final. | Larry Hastings | 2017-08-09 | 1 | -12863/+78
|
* [3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for an illegal command (#1214) (#2893) | Dong-hee Na | 2017-07-27 | 2 | -1/+7
* Update pydoc topics and susp-ignored for 3.4.7rc1. | Larry Hastings | 2017-07-24 | 1 | -78/+12863
|
* [3.4] Backport CI config from master (#2475) | Victor Stinner | 2017-07-22 | 3 | -15/+9
|   * Issues #23808, #25911: Trying to fix walk tests on Windows.
|     On Windows a symlink can have the FILE_ATTRIBUTE_DIRECTORY flag.
|     (cherry picked from commit 388b90f28e029daaf06aae8026b596e2f20a1cd3)
|   * bpo-30231: Remove skipped test_imaplib tests (#1419) (#2193)
|     The public cyrus.andrew.cmu.edu IMAP server (port 993) doesn't accept TLS connection using our self-signed x509 certificate. Remove the two tests which are already skipped.
|     (cherry picked from commit 7895a0585b4b6a1c8082d17227307c6ce2c8bb8b)
|   * Backport CI config from master
|   * Add .travis.yml for Travis CI
|   * Add .github/ for AppVeyor and CodeCov.
|   * Travis CI: remove "make regen-all" check
|     The regen-all Makefile rule doesn't exist in Python 3.4, only since Python 3.5 and newer (and 2.7).
|   * appveyor: replace --slowest with --slow
|   * Travis CI: remove the GCC coverage job
|   * Travis CI: remove tzdata resource from regrtest
|     tzdata resource doesn't exist in Python 3.4.
|   * Travis CI: remove the doc job
|     Fixing Sphinx warnings requires to backport huge intrusive changes like:
|     - commit d97b7dc94b19063f0589d401bdc4aaadc7030762
|     - commit 5c6793394066b012b9674681b0815667938ce4d9
|   * appveyor: set version to 3.4.6+
|   * bpo-30730: Fix test_os tests.
|     Fix test_invalid_cmd() and test_invalid_env(), TypeError is raised on Python 3.4.
|     (cherry picked from commit 5e22721e586344b547194f0f7ea67fd425f94e72)
* [3.4] bpo-26617: Ensure gc tracking is off when invoking weakref callbacks. (#2695) | Serhiy Storchaka | 2017-07-22 | 1 | -0/+8
|   * [3.4] bpo-26617: Ensure gc tracking is off when invoking weakref callbacks.
|     (cherry picked from commit 8f657c35b978b681e6e919f08358992e1aed7dc1)
|   * Rewrite a NEWS entry as a NEWS.d entry.
* bpo-26657: Fix Windows directory traversal vulnerability with http.server (#782) | Victor Stinner | 2017-07-12 | 2 | -3/+22
|   Based on patch by Philipp Hagemeister. This fixes a regression caused by revision f4377699fd47.
|   (cherry picked from commit d274b3f1f1e2d8811733fb952c9f18d7da3a376a)
* bpo-30500: urllib: Simplify splithost by calling into urlparse. (#1849) (#2291) | Victor Stinner | 2017-07-12 | 2 | -13/+40
|   The current regex based splitting produces a wrong result. For example::
|
|       http://abc#@def
|
|   Web browsers parse that URL as ``http://abc/#@def``, that is, the host is ``abc``, the path is ``/``, and the fragment is ``#@def``.
|   (cherry picked from commit 90e01e50ef8a9e6c91f30d965563c378a4ad26de)
* [3.4] [3.5] bpo-27945: Fixed various segfaults with dict. (GH-1657) (GH-1678) (#2248) | Serhiy Storchaka | 2017-07-11 | 1 | -0/+86
|   Based on patches by Duane Griffin and Tim Mitchell.
|   (cherry picked from commit 753bca3934a7618a4fa96e107ad1c5c18633a683).
|   (cherry picked from commit 2f7f533cf6fb57fcedcbc7bd454ac59fbaf2c655)
* [security][3.4] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325) (#2362) | Serhiy Storchaka | 2017-07-11 | 2 | -2/+46
|   * [3.4] bpo-30730: Prevent environment variables injection in subprocess on Windows. (GH-2325)
|     Prevent passing other invalid environment variables and command arguments.
|     (cherry picked from commit d174d24a5d37d1516b885dc7c82f71ecd5930700)
|   * Update NEWS
* Issues #27850 and #27766: Remove 3DES from ssl default cipher list and add ChaCha20 Poly1305. (#224) | Victor Stinner | 2017-03-10 | 1 | -15/+21
|   Backport: replace 3.5.3 with 3.4.7 in the doc versionchanged.
|   (cherry picked from commit 03d13c0cbfe912eb0f9b9a02987b9e569f25fe19)
* Regenerated pydoc topics for 3.4.6rc1. (Also fixed doc error, improved build.) | Larry Hastings | 2017-01-02 | 1 | -1/+1
|
* Fix test failure so it's no longer dependent on example.com. | Larry Hastings | 2017-01-02 | 1 | -1/+1
|
* Upgrade pip to 9.0.1 and setuptools to 28.8.0 | Donald Stufft | 2016-11-16 | 3 | -2/+2
|
* Issue #28563: Make plural form selection more lenient and accepting | Serhiy Storchaka | 2016-11-14 | 2 | -8/+20
|\
| |   non-integer numbers. Django tests depend on this.
| * Issue #28563: Make plural form selection more lenient and accepting | Serhiy Storchaka | 2016-11-14 | 2 | -8/+20
| |   non-integer numbers. Django tests depend on this.
* | Issue #28563: Fixed possible DoS and arbitrary code execution when handling | Serhiy Storchaka | 2016-11-08 | 2 | -45/+212
|\ \
| |/
| |   plural form selections in the gettext module. The expression parser now supports exact syntax supported by GNU gettext.
| * Issue #28563: Fixed possible DoS and arbitrary code execution when handling | Serhiy Storchaka | 2016-11-08 | 2 | -45/+212
| |   plural form selections in the gettext module. The expression parser now supports exact syntax supported by GNU gettext.
* | Upgrade pip to 9.0 and setuptools to 28.7.1 | Donald Stufft | 2016-11-02 | 4 | -2/+2
| |
* | Issue #27759: Fix selectors incorrectly retain invalid file descriptors. | Yury Selivanov | 2016-10-06 | 2 | -9/+40
| |   (Backported to 3.4 as this bug might be exploited for DoS)
* | Upgrade setuptools to 27.1.2 | Donald Stufft | 2016-09-09 | 2 | -1/+1
| |
* | Upgrade setuptools to 27.1.1 | Donald Stufft | 2016-09-09 | 2 | -1/+1
| |
* | Issue #27960: Revert state to 675e20c38fdac6, backing out all changes by developed for Issue #12885. | Jason R. Coombs | 2016-09-06 | 1 | -2/+5
* | Issue #12885: Revert commits in 3.4 branch which is security-only fixes. | Jason R. Coombs | 2016-09-02 | 2 | -67/+29
| |
* | Backed out changeset cc86e9e102e8 | Jason R. Coombs | 2016-09-02 | 1 | -2/+9
| |
* | Issue #12285: Replace implementation of findall with implementation from Setuptools 7ce820d524db. | Jason R. Coombs | 2015-09-19 | 1 | -27/+21
* | Sort result to avoid spurious errors due to order. | Jason R. Coombs | 2015-08-30 | 1 | -2/+2
| |
* | Add docstring and additional test revealing nuances of the implementation as found in setuptools. | Jason R. Coombs | 2015-09-19 | 1 | -0/+16
* | Add another test capturing the basic discovery expectation. | Jason R. Coombs | 2015-08-30 | 1 | -0/+11
| |
* | Issue #12285: Add test capturing failure. | Jason R. Coombs | 2015-08-30 | 1 | -0/+10
| |
* | Use modern mechanism for test discovery | Jason R. Coombs | 2015-08-30 | 1 | -5/+2
| |
* | fail when negative values are passed to instr() | Benjamin Peterson | 2016-08-16 | 1 | -0/+2
| |
* | Update setuptools/pip to 25.2.0/8.1.2 | Donald Stufft | 2016-08-14 | 3 | -2/+2
| |
* | do not allow reading negative values with getstr() | Benjamin Peterson | 2016-08-14 | 1 | -0/+3
| |
* | Issue #20160: Merged fix from 3.3. | Vinay Sajip | 2016-08-05 | 1 | -0/+35
|\ \
| |/
| * Issue #20160: Handled passing of large structs to callbacks correctly. | Vinay Sajip | 2016-08-05 | 1 | -0/+35
| |
* | Merge 3.3 | Donald Stufft | 2016-08-03 | 3 | -5/+5
|\ \
| |/
| * Switch upload.pypi.io to upload.pypi.org | Donald Stufft | 2016-08-03 | 3 | -4/+4
| |
* | [merge from 3.3] Prevent HTTPoxy attack (CVE-2016-1000110) | Senthil Kumaran | 2016-07-31 | 2 | -0/+20
|\ \
| |/
| |   Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.
| |   Issue #27568 Reported and patch contributed by Rémi Rampin.
| * Prevent HTTPoxy attack (CVE-2016-1000110) | Senthil Kumaran | 2016-07-31 | 2 | -0/+20
| |   Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.
| |   Issue #27568 Reported and patch contributed by Rémi Rampin.
* | Issue #27369: Merge test_pyexpat from 3.3 into 3.4 | Martin Panter | 2016-07-14 | 1 | -4/+2
|\ \
| |/
| * Issue #27369: Merge test_pyexpat from 3.2 into 3.3 | Martin Panter | 2016-07-14 | 1 | -4/+2
| |\
| | * Issue #27369: Don’t test error message detail that changed in Expat 2.2.0 [3.2] | Martin Panter | 2016-07-14 | 1 | -4/+2
| | |
| | * #22758: fix regression in handling of secure cookies. | R David Murray | 2016-07-10 | 2 | -11/+58
| | |   This backports the fix from #16611, per discussion with the release manager.
| * | Switch to the new upload url for PyPI | Donald Stufft | 2016-07-06 | 3 | -4/+4
| | |