summaryrefslogtreecommitdiffstats
path: root/Lib
Commit message (Collapse)AuthorAgeFilesLines
* 3.7.13v3.7.13Ned Deily2022-03-161-1/+1
|
* Revert "bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820)" (GH-31882)Ned Deily2022-03-143-1/+1
| | | | This reverts commit 0fbab8a593dcd94cfc788700dd9bf67a73f85920 as it breaks test_bdb and test_distutils with installed Pythons.
* bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820) (GH-31861)Ned Deily2022-03-133-1/+1
| | | | | (cherry picked from commit c99ac3c364ee21be72263791b71ee8b55f64de08) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
* bpo-46985: Upgrade bundled pip to 22.0.4 (GH-31819) (GH-31852)Ned Deily2022-03-133-6/+3
| | | | | (cherry picked from commit d87f1b787ed38dfd307d82452f2efe9dc5b93942) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
* bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31573)Miss Islington (bot)2022-02-252-8/+25
| | | | | | | | | Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31471)Miss Islington (bot)2022-02-212-8/+15
| | | | | | | | | | | | | | | | | | | | Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them a invalid URIs. libexpat >=2.4.5 has become strcter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3968 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
* 3.7.12v3.7.12Ned Deily2021-09-041-1/+1
|
* [3.7] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28037)Miss Islington (bot)2021-08-302-3/+63
| | | | | | | Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
* bpo-45001: Make email date parsing more robust against malformed input ↵Miss Islington (bot)2021-08-302-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (GH-27946) (GH-27975) Various date parsing utilities in the email module, such as email.utils.parsedate(), are supposed to gracefully handle invalid input, typically by raising an appropriate exception or by returning None. The internal email._parseaddr._parsedate_tz() helper used by some of these date parsing routines tries to be robust against malformed input, but unfortunately it can still crash ungracefully when a non-empty but whitespace-only input is passed. This manifests as an unexpected IndexError. In practice, this can happen when parsing an email with only a newline inside a ‘Date:’ header, which unfortunately happens occasionally in the real world. Here's a minimal example: $ python Python 3.9.6 (default, Jun 30 2021, 10:22:16) [GCC 11.1.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import email.utils >>> email.utils.parsedate('foo') >>> email.utils.parsedate(' ') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate t = parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz res = _parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz if data[0].endswith(',') or data[0].lower() in _daynames: IndexError: list index out of range The fix is rather straight-forward: guard against empty lists, after splitting on whitespace, but before accessing the first element. (cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac) Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
* 3.7.11v3.7.11Ned Deily2021-06-281-3/+3
|
* bpo-44022: Improve the regression test. (GH-26503) (GH-26507)Miss Islington (bot)2021-06-031-1/+6
| | | | | | | | It wasn't actually detecting the regression due to the assertion being too lenient. (cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.7] bpo-40297: Fix test_socket.CANTest.testSendFrame (GH-25960)Zachary Ware2021-05-071-2/+4
|
* bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 ↵Miss Islington (bot)2021-05-062-18/+30
| | | | | | | | | | | Continue (GH-25916) (GH-25934) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d) Co-authored-by: Gen Xu <xgbarry@gmail.com>
* [3.7] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline ↵Miss Islington (bot)2021-05-062-0/+58
| | | | | | | | | | | | and tabs. (GH-25923) Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4) Co-authored-by: Senthil Kumaran <senthil@uthcode.com> (cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407) Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
* bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (#25249)Miss Islington (bot)2021-05-041-1/+1
| | | | | | | | | | Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. (cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1) Co-authored-by: Yeting Li <liyt@ios.ac.cn>
* bpo-41561: Fix testing with OpenSSL 1.0.2 (GH-25355) (GH-25858)Miss Islington (bot)2021-05-031-1/+4
| | | | | | Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 3447750073aff229b049e4ccd6217db2811dcfd1) Co-authored-by: Christian Heimes <christian@python.org>
* [3.7] bpo-41561: Add workaround for Ubuntu's custom security level ↵Christian Heimes2021-05-031-0/+29
| | | | | | | | | | | | | | | (GH-24915) (GH-24928) Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2. See: See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4) Co-authored-by: Christian Heimes <christian@python.org>
* [3.7] bpo-43660: Fix crash when displaying exceptions with custom values for ↵Pablo Galindo2021-03-291-0/+15
| | | | | | | sys.stderr (GH-25075). (GH-25085) (cherry picked from commit 09b90a037d18f5d4acdf1b14082e57bda78e85d3) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-42988: Remove the pydoc getfile feature (GH-25015) (#25066)Miss Islington (bot)2021-03-292-24/+0
| | | | | | | | | | | | CVE-2021-3426: Remove the "getfile" feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer. (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.7] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) ↵Miss Islington (bot)2021-03-162-2/+34
| | | | | | | | | | | | | | | | | | | | (GH-24881) (GH-24883) The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.. (cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e) Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c)
* 3.7.10v3.7.10Ned Deily2021-02-161-1/+1
|
* [3.7] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24531)Senthil Kumaran2021-02-154-41/+98
| | | | | | | | | | | | | | bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> (cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ↵Benjamin Peterson2021-01-181-0/+43
| | | | | | | ctypes param reprs. (GH-24249) (cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) Co-authored-by: Benjamin Peterson <benjamin@python.org>
* bpo-42794: Update test_nntplib to use offical group name for testing ↵Miss Islington (bot)2021-01-011-3/+7
| | | | | | | (GH-24037) (GH-24041) (cherry picked from commit ec3165320e81ac87edcb85c86c452528ddbaec1c) Co-authored-by: Dong-hee Na <donghee.na@python.org>
* [3.7] bpo-42103: Improve validation of Plist files. (GH-22882) (#23117)Serhiy Storchaka2020-11-102-67/+362
| | | | | | | | | | | * Prevent some possible DoS attacks via providing invalid Plist files with extremely large number of objects or collection sizes. * Raise InvalidFileException for too large bytes and string size instead of returning garbage. * Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN). * Raise InvalidFileException instead of TypeError for non-hashable dict keys. * Add more tests for invalid Plist files.. (cherry picked from commit 34637a0ce21e7261b952fbd9d006474cc29b681f) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-41944: No longer call eval() on content received via HTTP in the CJK ↵Miss Skeleton (bot)2020-10-201-14/+8
| | | | | | | codec tests (GH-22566) (GH-22578) (cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-42051: Reject XML entity declarations in plist files (#22760) (GH-22801)Ned Deily2020-10-202-0/+25
| | | Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* [3.7] bpo-41976: Fix the fallback to gcc of ctypes.util.find_library when ↵Pablo Galindo2020-10-082-8/+36
| | | | | | | using gcc>9 (GH-22598). (GH-22601) (cherry picked from commit 27ac19cca2c639caaf6fedf3632fe6beb265f24f) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* 3.7.9v3.7.9Ned Deily2020-08-151-1/+1
|
* bpo-41100: additional fixes for testing on macOS 11 Big Sur IntelNed Deily2020-08-152-1/+6
| | | | | Note: macOS 11 is not yet released, this release of Python is not fully supported on 11.0, and not all tests pass.
* bpo-33786: Fix asynchronous generators to handle GeneratorExit in athrow() ↵Miss Islington (bot)2020-08-143-1/+79
| | | | | | | | (GH-7467) (GH-21878) (cherry picked from commit 52698c7ad9eae9feb35839fde17a7d1da8036a9b) Co-authored-by: Yury Selivanov <yury@magic.io>
* bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21538)Miss Islington (bot)2020-07-192-0/+37
| | | | | | reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
* bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495) (#21499)Steve Dower2020-07-151-2/+34
|
* bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (GH-21484)Miss Islington (bot)2020-07-153-0/+9
| | | | | | | | Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) Co-authored-by: Rishi <rishi_devan@mail.com>
* bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21461)Miss Islington (bot)2020-07-131-0/+18
| | | | | | Automerge-Triggered-By: @tiran (cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.7] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface ↵Tapas Kundu2020-06-302-2/+13
| | | | | | | | | | | | | | (GH-21033) (GH-21231) CVE-2020-14422 The __hash__() methods of classes IPv4Interface and IPv6Interface had issue of generating constant hash values of 32 and 128 respectively causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of XOR operation (cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28) Co-authored-by: Ravi Teja P <rvteja92@gmail.com> Signed-off-by: Tapas Kundu <tkundu@vmware.com>
* [3.7] bpo-41009: fix requires_OS_version() class decorator (GH-20942) (GH-20949)Christian Heimes2020-06-251-19/+19
| | | | | | | | Signed-off-by: Christian Heimes <christian@python.org> Automerge-Triggered-By: @tiran. (cherry picked from commit bb6ec14479f18c32e71e43f2785f177aa17aabbd) Co-authored-by: Christian Heimes <christian@python.org>
* 3.7.8rc1v3.7.8rc1Ned Deily2020-06-171-475/+561
|
* bpo-38488: Upgrade bundled versions of pip & setuptools (GH-20491) (GH-20900)Miss Islington (bot)2020-06-155-7/+7
| | | | | | Co-authored-by: Xavier Fernandez <xav.fernandez@gmail.com> (cherry picked from commit e63cc2f64668bd1d4581f8efa7089af7e08863b8) Co-authored-by: Ned Deily <nad@python.org>
* bpo-40448: ensurepip: Do not use cache (GH-19812)Miss Islington (bot)2020-06-152-9/+9
| | | | | | | | | | | | | | | | | ensurepip optionally installs or upgrades 'pip' and 'setuptools' using the version of those modules bundled with Python. The internal PIP installation routine by default temporarily uses its cache, if it exists. This is undesirable as Python builds and installations may be independent of the user running the build, whilst PIP cache location is dependent on the user's environment and outside of the build environment. At the same time, there's no value in using the cache while installing bundled modules. This change disables PIP caching when used in ensurepip. (cherry picked from commit 4a3a682b12f93a03888e8b59f439bc5fe30d6055) Co-authored-by: Krzysztof Konopko <kkonopko@users.noreply.github.com>
* [3.7] bpo-34226: fix cgi.parse_multipart without content_length (GH-8530) ↵Miss Islington (bot)2020-06-152-2/+20
| | | | | | | | | | | | | | | | | (GH-20892) In Python 3.7 the behavior of parse_multipart changed requiring CONTENT-LENGTH header, this fix remove this header as required and fix FieldStorage read_lines_to_outerboundary, by not using limit when it's negative, since by default it's -1 if not content-length and keeps substracting what was read from the file object. Also added a test case for this problem. (cherry picked from commit d8cf3514dd4682419a66f6e834bb384ee34afc95) Co-authored-by: roger <rogerduran@gmail.com> Automerge-Triggered-By: @ned-deily
* bpo-40964: disable remote IMAP tests (GH-20836)Christian Heimes2020-06-121-0/+3
| | | | | | Remote host cyrus.andrew.cmu.edu is blocking incoming connections and is causing test suite to fail. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-40025: Require _generate_next_value_ to be defined before members (GH-19762)Miss Islington (bot)2020-06-112-0/+15
| | | | require `_generate_next_value_` to be defined before members (cherry picked from commit d9a43e20facdf4ad10186f820601c6580e1baa80)
* bpo-29620: iterate over a copy of sys.modules (GH-4800) (GH-20817)Miss Islington (bot)2020-06-112-1/+16
| | | | | | | | unittest.TestCase.assertWarns no longer raises a RuntimeException when accessing a module's ``__warningregistry__`` causes importation of a new module, or when a new module is imported in another thread. (cherry picked from commit 46398fba4d66ad342cf2504ef947b5fb857423b2) Co-authored-by: kernc <kerncece@gmail.com>
* Add quotes to code to be a stringMiss Islington (bot)2020-06-092-9/+18
|
* [3.7] Revert bpo-39576: Prevent memory error for overly optimistic ↵Stefan Krah2020-06-081-35/+0
| | | | | precisions (GH-20748) This reverts commit c6f95543b4832c3f0170179da39bcf99b40a7aa8.
* [3.8] bpo-40807: Backport test_codeop change [GH-19670]Miss Islington (bot)2020-06-051-4/+4
| | | | | | A tiny sliver of a 3.9 PEG parser patch needed to backport the test added by GH-20486. (cherry picked from commit a5d6aba318ead9cc756ba750a70da41f5def3f8f) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
* bpo-40767: Allow pure Wayland to get default XDG web browser (GH-20382)Miss Islington (bot)2020-06-031-1/+1
| | | | | | | | | | Would be nice to backport to python 3.7+. I don't think it's worth the hassle to backport this all the way down to 3.10. But I'll let the maintainers decide. This is hard to test because the test setup already includes this [environment variable](https://github.com/python/cpython/blob/master/Lib/test/pythoninfo.pyGH-L292) Let me know if something doesn't match the PR guidelines. This is my first PR in the python source code. (cherry picked from commit c822efeda9a0afe87cf3429724732fc8e19a01fb) Co-authored-by: Jeremy Attali <jeremy.attali@gmail.com>
* bpo-39885: Make IDLE context menu cut and copy work again (GH-18951)Miss Islington (bot)2020-05-293-16/+50
| | | | | | Leave selection when right click within. This exception to clearing selections when right-clicking was omitted from the previous commit, 4ca060d. I did not realize that this completely disabled the context menu entries, and I should have merged a minimal fix immediately. An automated test should follow. (cherry picked from commit 97e4e0f53d6690db6b942678489716a30925b8af) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
* [3.8] bpo-25872: Fix KeyError in linecache when multithreaded (GH-18007) ↵Miss Islington (bot)2020-05-291-3/+3
| | | | | | | | (GH-20092) Backporting to 3.8 and adding a NEWS item (I should have added one to the master branch -- oh well). (cherry picked from commit b86636bff4b29ce23c886df079715dd951f13a07) Co-authored-by: Andrew Kuchling <amk@amk.ca>
generated by cgit v0.12 at 2026-01-07 10:06:47 (GMT)