| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
1.1.1v, 3.0.10, and 3.1.2. (#108123)
[3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
(cherry picked from commit 441797d4ffb12acda257370b9e5e19ed8d6e8a71)
|
| |
|
|
|
|
|
|
|
|
| |
(#108274)
(cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-99613) (GH-107224) (#107231)
Previously *consumed was not set in this case.
(cherry picked from commit f08e52ccb027f6f703302b8c1a82db9fd3934270).
(cherry picked from commit b8b3e6afc0a48c3cbb7c36d2f73e332edcd6058c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-105200) (#105205)
Upgrade builds to OpenSSL 1.1.1u.
Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.
Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).
(cherry picked from commit ede89af)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-102508) (GH-104575) (GH-104592) (#104593)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
|
| |
|
|
|
|
|
| |
(GH-104096) (#104331)
(cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4)
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
SimpleHTTPRequestHandler (GH-104067) (#104120)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
| |
|
|
|
| |
profile modules (GH-103947) (#103953)
Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>
|
| |
|
|
|
|
| |
(GH-102953) (#104382)
Backport of c8c3956d905e019101038b018129a4c90c9c9b8f
|
| |
|
|
|
| |
(GH-102222) (#102236)
(cherry picked from commit 5f11478ce7fda826d399530af4c5ca96c592f144)
|
| |
|
| |
(cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5)
|
| |
|
|
|
|
|
| |
Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
| |
Windows (GH-101286) (#101709)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
|
| |
|
|
| |
(#100904)
|
| |
|
|
|
|
|
|
|
| |
[3.9] [3.10] GH-100892: Fix race in clearing `threading.local` (GH-100922).
(cherry picked from commit 762745a124cbc297cf2fe6f3ec9ca1840bb2e873)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>.
(cherry picked from commit 683e9fe30ecd024f5508b2a33316752870100a96)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-100002) (#100032)
* gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* also escape \s (backport of PR #100038).
* add versionadded and remove extra 'to'
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
| |
via the gc module (GH-99373) (GH-99493)
|
| |
|
|
|
|
|
|
|
|
| |
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-98501) (#98504)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)
|
| |
|
|
|
|
|
|
| |
(GH-91993) (#98190)
gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-97944) (#97968)
The macOS 13 SDK includes support for the `mkfifoat` and `mknodat` system calls.
Using the `dir_fd` option with either `os.mkfifo` or `os.mknod` could result in a
segfault if cpython is built with the macOS 13 SDK but run on an earlier
version of macOS. Prevent this by adding runtime support for detection of
these system calls ("weaklinking") as is done for other newer syscalls on
macOS.
(cherry picked from commit 6d0a0191a4e5477bd843e62c24d7f3bcad4fd5fc)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
gh-96848: Fix -X int_max_str_digits option parsing (GH-96988)
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
| |
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
|
|
|
|
|
| |
(#96874) (#96877)
When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.
(cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
| |
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
gh-97616: list_resize() checks for integer overflow (GH-97617)
Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor.
list_resize() now checks for integer overflow before multiplying the
new allocated length by the list item size (sizeof(PyObject*)).
(cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-97632)
gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Correctly pre-check for int-to-str conversion (#96537)
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
|
| |
|
|
|
|
|
| |
(GH-95282) (GH-95323)
(cherry picked from commit 565403038b75eb64ea483b2757ba30769246d853)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
| |
(GH-95312)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When binding a unix socket to an empty address on Linux, the socket is
automatically bound to an available address in the abstract namespace.
>>> s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
>>> s.bind("")
>>> s.getsockname()
b'\x0075499'
Since python 3.9, the socket is bound to the one address:
>>> s.getsockname()
b'\x00'
And trying to bind multiple sockets will fail with:
Traceback (most recent call last):
File "/home/nsoffer/src/cpython/Lib/test/test_socket.py", line 5553, in testAutobind
s2.bind("")
OSError: [Errno 98] Address already in use
Added 2 tests:
- Auto binding empty address on Linux
- Failing to bind an empty address on other platforms
Fixes f6b3a07b7df6 (bpo-44493: Add missing terminated NUL in sockaddr_un's length (GH-26866)
(cherry picked from commit c22f134211743cd5ad14cec1dd4f527bee542b4c)
Co-authored-by: Nir Soffer <nsoffer@redhat.com>
|
| |
|
|
|
|
|
| |
Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c8556bcf6c0b05ac46bd74880626a2853e7c99a1)
|
| |
|
|
|
|
|
|
|
| |
(GH-31885) (GH-94123)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
(cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-94093)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
encoding='unicode' (GH-93426) (GH-93791)
Suppress writing an XML declaration in open files in ElementTree.write()
with encoding='unicode' and xml_declaration=None.
If file patch is passed to ElementTree.write() with encoding='unicode',
always open a new file in UTF-8.
(cherry picked from commit d7db9dc3cc5b44d0b4ce000571fecf58089a01ec)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(#93147)
Also while there, clarify a few things about why we reduce the hash to 32 bits.
Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
|
| |
|
|
|
|
|
| |
(GH-92967)
(cherry picked from commit fb082c2fc5a925085b179e63ca10b7f60b356d2f)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
| | |
|
| |
|
|
|
|
|
| |
(GH-92372)
(cherry picked from commit 85354ed78c0edb6d81a2bd53cabc85e547b8b26e)
Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru>
|
| |
|
|
|
|
|
| |
(GH-17643) (GH-32256)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-92748)
The `utc_to_seconds` call can fail, here's a minimal reproducer on
Linux:
TZ=UTC python -c "from datetime import *; datetime.fromtimestamp(253402300799 + 1)"
The old behavior still raised an error in a similar way, but only
because subsequent calculations happened to fail as well. Better to fail
fast.
This also refactors the tests to split out the `fromtimestamp` and
`utcfromtimestamp` tests, and to get us closer to the actual desired
limits of the functions. As part of this, we also changed the way we
detect platforms where the same limits don't necessarily apply (e.g.
Windows).
As part of refactoring the tests to hit this condition explicitly (even
though the user-facing behvior doesn't change in any way we plan to
guarantee), I noticed that there was a difference in the places that
`datetime.utcfromtimestamp` fails in the C and pure Python versions, which
was fixed by skipping the "probe for fold" logic for UTC specifically —
since UTC doesn't have any folds or gaps, we were never going to find a
fold value anyway. This should prevent some failures in the pure python
`utcfromtimestamp` method on timestamps close to 0001-01-01.
There are two separate news entries for this because one is a
potentially user-facing change, the other is an internal code
correctness change that, if anything, changes some error messages. The
two happen to be coupled because of the test refactoring, but they are
probably best thought of as independent changes.
Fixes GH-91581
(cherry picked from commit 83c0247d47b99f4571e35ea95361436e1d2a61cd)
Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
threading.Condition.notify (GH-92534) (GH-92831)
If Condition.notify() was interrupted just after it released the waiter lock,
but before removing it from the queue, the following calls of notify() failed
with RuntimeError: cannot release un-acquired lock.
(cherry picked from commit 70af994fee7c0850ae859727d9468a5f29375a38)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
