path: root/Misc
Each entry below lists the commit message, author, date, number of files changed, and lines removed/added.
* Python 3.7.16 (tag v3.7.16)
  Ned Deily, 2022-12-06; 6 files changed, -18/+56
* [3.7] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (GH-100034)
  Miss Islington (bot), 2022-12-05; 1 file changed, -0/+6
  Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
  (cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.7] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99232)
  Miss Islington (bot), 2022-11-08; 1 file changed, -0/+6
  There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.
  (cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
  Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
* [3.7] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98788)
  Miss Islington (bot), 2022-10-28; 1 file changed, -0/+1
  Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
  Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
  (cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)
* [3.7] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (GH-98528)
  Miss Islington (bot), 2022-10-22; 1 file changed, -0/+1
  This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2].
  [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
  [2]: https://mouha.be/sha-3-buffer-overflow/
  Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
  (cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
  Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
* [3.7] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (GH-98191)
  Miss Islington (bot), 2022-10-11; 1 file changed, -0/+4
  gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
  (cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
  Co-authored-by: Petr Viktorin <encukou@gmail.com>
* 3.7.15 (tag v3.7.15)
  Ned Deily, 2022-10-10; 7 files changed, -14/+61
* [3.7] gh-97612: Fix shell injection in get-remote-certificate.py (#97613) (#97634)
  Victor Stinner, 2022-10-05; 1 file changed, -0/+3
  Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt.
  Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead.
  Co-authored-by: Caleb Shortt <caleb@rgauge.com>
  (cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
* [3.7] gh-97616: list_resize() checks for integer overflow (GH-97617) (#97629)
  Miss Islington (bot), 2022-10-05; 1 file changed, -0/+3
  Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor.
  list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)).
  (cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.7] gh-96848: Fix -X int_max_str_digits option parsing (#96988) (#97576)
  Victor Stinner, 2022-10-05; 1 file changed, -0/+3
  Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit.
  (cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8)
* [3.7] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (#97014)
  Miss Islington (bot), 2022-10-05; 1 file changed, -0/+1
  Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
  (cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e)
  Co-authored-by: Dong-hee Na <donghee.na@python.org>
* [3.7] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97836)
  Miss Islington (bot), 2022-10-04; 1 file changed, -0/+3
  [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
  When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message.
  (cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d)
  Co-authored-by: Ned Deily <nad@python.org>
  (cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96659)
  Miss Islington (bot), 2022-09-13; 1 file changed, -0/+1
  (cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d)
  Co-authored-by: Steve Dower <steve.dower@python.org>
* 3.7.14
  Ned Deily, 2022-09-06; 11 files changed, -32/+112
* [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504)
  Gregory P. Smith, 2022-09-06; 1 file changed, -0/+14
  Converting between `int` and `str` in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a `ValueError` if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).
  This new limit can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length Limitation` documentation. The default limit is 4300 digits in string form.
  Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
* bpo-41306: Allow scale value to not be rounded (GH-21715) (GH-96484)
  Miss Islington (bot), 2022-09-01; 1 file changed, -0/+1
  This fixes the test failure with Tk 6.8.10 which is caused by changes to how Tk rounds the `from`, `to` and `tickinterval` arguments. This PR uses `noconv` if the patchlevel is greater than or equal to 8.6.10 (credit to Serhiy for this idea as it is much simpler than what I previously proposed).
  Going into more detail for those who want it, the Tk change was made in [commit 591f68c](https://github.com/tcltk/tk/commit/591f68cb382525b72664c6fecaab87742b6cc87a) and means that the arguments listed above are rounded relative to the value of `from`. However, when rounding the `from` argument ([line 623](https://github.com/tcltk/tk/blob/591f68cb382525b72664c6fecaab87742b6cc87a/generic/tkScale.cGH-L623)), it is rounded relative to itself (i.e. rounding `0`) and therefore the assigned value for `from` is always what is given (no matter what values of `from` and `resolution`).
  Automerge-Triggered-By: @pablogsal
  (cherry picked from commit aecf036738a404371303e770f4ce4fd9f7d43de7)
  Co-authored-by: E-Paine <63801254+E-Paine@users.noreply.github.com>
* [3.7] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95314)
  Łukasz Langa, 2022-07-27; 1 file changed, -0/+2
  Three test cases were failing on FreeBSD with latest OpenSSL.
  (cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
  Co-authored-by: Christian Heimes <christian@python.org>
* gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94095)
  Miss Islington (bot), 2022-06-22; 1 file changed, -0/+3
  Fix an open redirection vulnerability in the `http.server` module when a URI path starts with `//` that could produce a 301 Location header with a misleading target.
  Vulnerability discovered, and logic fix proposed, by Hamza Avvan (@hamzaavvan). Test and comments authored by Gregory P. Smith [Google].
  (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
* gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94126)
  Miss Islington (bot), 2022-06-22; 1 file changed, -0/+2
  Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
  Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
  (cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f)
  Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
* [3.7] gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93149)
  Łukasz Langa, 2022-05-23; 2 files changed, -0/+7
  Also while there, clarify a few things about why we reduce the hash to 32 bits.
  Co-authored-by: Eli Libman <eli@hyro.ai>
  Co-authored-by: Yury Selivanov <yury@edgedb.com>
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
  (cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
* [3.7] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (GH-92334)
  Erlend Egeberg Aasland, 2022-05-23; 1 file changed, -0/+2
  (cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b)
  Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
  Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* gh-92448: Update the documentation builder to render the GitHub issue (GH-92600)
  Ned Deily, 2022-05-10; 3 files changed, -3/+3
* [3.7] gh-91888: add a `:gh:` role to the documentation (GH-91889) (GH-91937)
  Ezio Melotti, 2022-05-10; 1 file changed, -0/+1
  Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
  Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
  (cherry picked from commit f7641a2ffec243e5f600028a84debe9028a9ee44)
* bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32251)
  Miss Islington (bot), 2022-04-04; 1 file changed, -0/+1
  (cherry picked from commit 6066739ff7794e54c98c08b953a699cbc961cd28)
  Co-authored-by: Zachary Ware <zach@python.org>
* bpo-47138: Fix documentation build by pinning Jinja version to 3.0.3 (GH-32111)
  m-aciek, 2022-03-28; 1 file changed, -0/+1
* 3.7.13 (tag v3.7.13)
  Ned Deily, 2022-03-16; 10 files changed, -16/+87
* bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n. (GH-31911)
  Ned Deily, 2022-03-15; 1 file changed, -0/+1
* Tidy changelog by removing redundant intermediate expat update items. (GH-31907)
  Ned Deily, 2022-03-15; 2 files changed, -2/+0
* bpo-45405: Prevent internal configure error when running configure with recent versions of clang. (GH-28845) (GH-31890)
  Ned Deily, 2022-03-15; 1 file changed, -0/+2
  Change the configure logic to function properly on macOS when the compiler outputs a platform triplet for option --print-multiarch. The Apple Clang included with Xcode 13.3 now supports --print-multiarch causing configure to fail without this change.
  Co-authored-by: Ned Deily <nad@python.org>
  (cherry picked from commit 9c4766772cda67648184f8ddba546a5fc0167f91)
  Co-authored-by: David Bohman <debohman@gmail.com>
* Revert "bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820)" (GH-31882)
  Ned Deily, 2022-03-14; 1 file changed, -1/+0
  This reverts commit 0fbab8a593dcd94cfc788700dd9bf67a73f85920 as it breaks test_bdb and test_distutils with installed Pythons.
* bpo-46986: Upgrade bundled setuptools to 60.9.3 (GH-31820) (GH-31861)
  Ned Deily, 2022-03-13; 1 file changed, -0/+1
  (cherry picked from commit c99ac3c364ee21be72263791b71ee8b55f64de08)
  Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
* bpo-46985: Upgrade bundled pip to 22.0.4 (GH-31819) (GH-31852)
  Ned Deily, 2022-03-13; 1 file changed, -0/+1
  (cherry picked from commit d87f1b787ed38dfd307d82452f2efe9dc5b93942)
  Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>
* bpo-46932: Update bundled libexpat to 2.4.7 (GH-31736) (GH-31741)
  Miss Islington (bot), 2022-03-07; 1 file changed, -0/+1
  (cherry picked from commit 176835c3d5c70f4c1b152cc2062b549144e37094)
  Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31735)
  Steve Dower, 2022-03-07; 1 file changed, -0/+2
* bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31730)
  Steve Dower, 2022-03-07; 1 file changed, -0/+2
* bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31573)
  Miss Islington (bot), 2022-02-25; 1 file changed, -0/+5
  Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed authorization to be bypassed. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
  (cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31521)
  Miss Islington (bot), 2022-02-23; 1 file changed, -0/+1
  (cherry picked from commit 1935e1cc284942bec8006287c939e295e1a7bf13)
  Co-authored-by: Dong-hee Na <donghee.na@python.org>
* bpo-46784: Add newly exported expat symbols to the namespace. (GH-31397) (GH-31418)
  Miss Islington (bot), 2022-02-21; 1 file changed, -0/+1
  The libexpat 2.4.1 upgrade from introduced the following new exported symbols:
  * `testingAccountingGetCountBytesDirect`
  * `testingAccountingGetCountBytesIndirect`
  * `unsignedCharToPrintable`
  * `XML_SetBillionLaughsAttackProtectionActivationThreshold`
  * `XML_SetBillionLaughsAttackProtectionMaximumAmplification`
  We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols).
  Automerge-Triggered-By: GH:gpshead
  (cherry picked from commit 6312c1052c0186b4596fc45c42fd3ade9f8f5911)
  Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com>
* bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31471)
  Miss Islington (bot), 2022-02-21; 1 file changed, -0/+1
  Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them as invalid URIs. libexpat >=2.4.5 has become stricter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython.
  References:
  - https://datatracker.ietf.org/doc/html/rfc3968
  - https://www.w3.org/TR/xml-names/
  Also, test_minidom.py: Support Expat >=2.4.5
  (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)
  Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
* bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31298)
  Dong-hee Na, 2022-02-21; 1 file changed, -0/+1
  Co-authored-by: Cyril Jouve <jv.cyril@gmail.com>
* 3.7.12 (tag v3.7.12)
  Ned Deily, 2021-09-04; 4 files changed, -7/+30
* [3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042)
  Łukasz Langa, 2021-08-31; 1 file changed, -0/+3
  Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.
  Co-authored-by: Victor Stinner <vstinner@python.org>
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
  (cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
* [3.7] bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28037)
  Miss Islington (bot), 2021-08-30; 1 file changed, -0/+2
  Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
  (cherry picked from commit 0897253f426068ea6a6fbe0ada01689af9ef1019)
* bpo-45001: Make email date parsing more robust against malformed input (GH-27946) (GH-27975)
  Miss Islington (bot), 2021-08-30; 1 file changed, -0/+2
  Various date parsing utilities in the email module, such as email.utils.parsedate(), are supposed to gracefully handle invalid input, typically by raising an appropriate exception or by returning None.
  The internal email._parseaddr._parsedate_tz() helper used by some of these date parsing routines tries to be robust against malformed input, but unfortunately it can still crash ungracefully when a non-empty but whitespace-only input is passed. This manifests as an unexpected IndexError.
  In practice, this can happen when parsing an email with only a newline inside a ‘Date:’ header, which unfortunately happens occasionally in the real world.
  Here's a minimal example:
      $ python
      Python 3.9.6 (default, Jun 30 2021, 10:22:16) [GCC 11.1.0] on linux
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import email.utils
      >>> email.utils.parsedate('foo')
      >>> email.utils.parsedate(' ')
      Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
        File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
          t = parsedate_tz(data)
        File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
          res = _parsedate_tz(data)
        File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
          if data[0].endswith(',') or data[0].lower() in _daynames:
      IndexError: list index out of range
  The fix is rather straight-forward: guard against empty lists, after splitting on whitespace, but before accessing the first element.
  (cherry picked from commit 989f6a3800f06b2bd31cfef7c3269a443ad94fac)
  Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>
* Fix Sphinx directive typo in 3.7.11 changelog.
  Ned Deily, 2021-07-05; 1 file changed, -1/+1
* 3.7.11 (tag v3.7.11)
  Ned Deily, 2021-06-28; 8 files changed, -25/+84
* bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25934)
  Miss Islington (bot), 2021-05-06; 1 file changed, -0/+2
  Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
  (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
  Co-authored-by: Gen Xu <xgbarry@gmail.com>
* [3.7] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25923)
  Miss Islington (bot), 2021-05-06; 1 file changed, -0/+6
  Co-authored-by: Gregory P. Smith <greg@krypto.org>
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
  (cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
  Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
  (cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407)
  Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
* bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (#25249)
  Miss Islington (bot), 2021-05-04; 1 file changed, -0/+1
  Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
  (cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
  Co-authored-by: Yeting Li <liyt@ios.ac.cn>
* [3.7] bpo-41561: Add workaround for Ubuntu's custom security level (GH-24915) (GH-24928)
  Christian Heimes, 2021-05-03; 1 file changed, -0/+1
  Ubuntu 20.04 comes with a patched OpenSSL 1.1.1. Default security level 2 blocks TLS 1.0 and 1.1 connections. Regular OpenSSL 1.1.1 builds allow TLS 1.0 and 1.1 on security level 2.
  See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
  See: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
  Signed-off-by: Christian Heimes <christian@python.org>
  (cherry picked from commit f6c6b5821bff815bdc810de53992fd1fbdb2edd4)
  Co-authored-by: Christian Heimes <christian@python.org>