summaryrefslogtreecommitdiffstats
path: root/Misc
Commit message (Collapse)AuthorAgeFilesLines
* closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16346) (#16434)Victor Stinner2019-10-091-0/+2
| | | Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.
* [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override ↵Jason R. Coombs2019-10-081-0/+4
| | | | | | validation and encoding behavior (GH-16448) (#16475) * [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448)
* Blurb release and pydoc-topics for 3.5.8rc1.Larry Hastings2019-09-099-11/+80
|
* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email ↵Abhilash Raj2019-09-071-0/+2
| | | | | | | | | | | | | | | headers (GH-14794) (#15446) * [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com> Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com>
* bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 ↵Victor Stinner2019-09-071-0/+1
| | | | | (#12694) Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
* [3.5] bpo-34155: Dont parse domains containing @ (GH-13079) (#15317)Abhilash Raj2019-09-071-0/+1
| | | | | | https://bugs.python.org/issue34155 (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) Co-authored-by: jpic <jpic@users.noreply.github.com>
* bpo-30458: Disallow control chars in http URLs. (GH-12755) (#13207)Miro Hrončok2019-07-141-0/+1
| | | | | | | | | | Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. Disable https related urllib tests on a build without ssl (GH-13032) These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
* bpo-36742: Fixes handling of pre-normalization characters in urlsplit() ↵Steve Dower2019-07-141-0/+1
| | | | (GH-13017) (#13042)
* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474) ↵Victor Stinner2019-07-141-0/+3
| | | | | | | | | (GH-13505) (#13510) CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com>
* Fix compatibility with ISO C89 needed by "gnu89" standard of GCC 4.8: use ↵Anthony Sottile2019-07-131-0/+1
| | | | C89 for loops in backported pickle patch (#12622)
* [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (#13200)Gregory P. Smith2019-07-131-0/+1
| | | | | | | | | | | | * [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) We updated the server, our testsuite must match. https://bugs.python.org/issue36816 ✈️ CLE -> DEN ✈️ GH-pycon2019 (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* Blurb release and pydoc-topics for 3.5.7 final.Larry Hastings2019-03-174-10/+32
|
* [3.5] bpo-35121: prefix dot in domain for proper subdomain validation ↵Xtreak2019-03-171-0/+4
| | | | | | | | (GH-10258) (#12281) Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan. (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14) Co-authored-by: Xtreak <tir.karthi@gmail.com>
* bpo-35647: Fix path check in cookiejar (#11436) (#12277)Xtreak2019-03-161-0/+3
| | | | | | | | | | | | | * Refactor cookie path check as per RFC 6265 * Add tests for prefix match of path * Add news entry * Fix set_ok_path and refactor tests * Use slice for last letter (cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c)
* bpo-36216: Add check for characters in netloc that normalize to separators ↵Steve Dower2019-03-111-0/+3
| | | | (GH-12201) (#12223)
* PyDoc and blurb updates for 3.5.7rc1.Larry Hastings2019-03-046-11/+49
|
* [3.5] bpo-33329: Fix multiprocessing regression on newer glibcs (GH-6575) ↵Cheryl Sabella2019-03-041-0/+1
| | | | | | | | | | | | (#12144) Starting with glibc 2.27.9000-xxx, sigaddset() can return EINVAL for some reserved signal numbers between 1 and NSIG. The `range(1, NSIG)` idiom is commonly used to select all signals for blocking with `pthread_sigmask`. So we ignore the sigaddset() return value until we expose sigfillset() to provide a better idiom. (cherry picked from commit 25038ec) Co-authored-by: Antoine Pitrou <pitrou@free.fr>
* [3.5] bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) (#10994)Alex Viscreanu2019-03-011-0/+1
| | | | | | | | | | | | * bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210) LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org>
* bpo-34791: xml package obeys ignore env flags (GH-9544) (#11871)Victor Stinner2019-02-261-0/+3
| | | | | | | | The xml.sax and xml.dom.domreg modules now obey sys.flags.ignore_environment. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 223e501fb9c2b6ae21b96054e20c4c31d94a5d96)
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867)Victor Stinner2019-02-261-0/+4
| | | | | | | | | | | | Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
* [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933)stratakis2019-02-251-0/+2
| | | | | | | | | | | | | * bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146) The C accelerated _elementtree module now initializes hash randomization salt from _Py_HashSecret instead of libexpat's default CPRNG. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue34623 (cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b) Co-authored-by: Christian Heimes <christian@python.org>
* Add Blurb entry for 3.5.6 final.Larry Hastings2018-08-021-0/+8
|
* PyDoc topics refresh & blurb release for 3.5.6rc1.Larry Hastings2018-07-204-7/+29
|
* bpo-33216: Clarify the documentation for CALL_FUNCTION_* (#8338)larryhastings2018-07-191-0/+2
| | | Clarify the documentation for the CALL_FUNCTION_* bytecodes. They changed in 3.5 in subtle ways and the documentation has never been correct, much less clear.
* [3.5] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5991)Steve Dower2018-05-141-0/+1
| | | | | | * bpo-33001: Minimal fix to prevent buffer overrun in os.symlink * Remove invalid test
* [3.5] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) (#6034)Ned Deily2018-03-112-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Prevent low-grade poplib REDOS (CVE-2018-1060) The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases. * Prevent difflib REDOS (CVE-2018-1061) The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib. Co-authored-by: Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>. (cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
* Finalize blurb archive for 3.5.5 (no new blurbs).Larry Hastings2018-02-041-0/+8
|
* blurb release and pydoc topics for 3.5.5rc1.Larry Hastings2018-01-237-28/+74
|
* [3.5] bpo-32072: Fix issues with binary plists. (GH-4455) (#4656)Serhiy Storchaka2018-01-231-0/+6
| | | | | | | | | | | | | | * [3.5] bpo-32072: Fix issues with binary plists. (GH-4455) * Fixed saving bytearrays. * Identical objects will be saved only once. * Equal references will be load as identical objects. * Added support for saving and loading recursive data structures. (cherry picked from commit a897aee) * Fix implementation dependent assertion in test_plistlib. (#4813) It is failed with an advanced optimizer.
* [3.5] bpo-32551: Consistently configure sys.path[0] (#5197)Nick Coghlan2018-01-231-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | Directory and zipfile execution previously added the parent directory of the directory or zipfile as sys.path[0] and then subsequently overwrote it with the directory or zipfile itself. This caused problems in isolated mode, as it overwrote the "stdlib as a zip archive" entry in sys.path, as the parent directory was never added. The attempted fix to that issue in bpo-29319 created the opposite problem in *non*-isolated mode, by potentially leaving the parent directory on sys.path instead of overwriting it. This change fixes the root cause of the problem by removing the whole "add-and-overwrite" dance for sys.path[0], and instead simply never adds the parent directory to sys.path in the first place. (cherry picked from commit d2977a3ae2cc6802921b1e3b6e9d13fcfbda872d)
* bpo-30657: Fix CVE-2017-1000158 (#4664)Miro Hrončok2017-12-082-0/+4
| | | | | Fixes possible integer overflow in PyBytes_DecodeEscape. Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com>
* bpo-31095: fix potential crash during GC (GH-2974) (#3196)INADA Naoki2017-09-261-0/+2
| | | (cherry picked from commit a6296d34a478b4f697ea9db798146195075d496c)
* [3.5][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3354)Victor Stinner2017-09-252-0/+5
| | | | | | | | | | | | | * bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 * Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security fixes. * Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial characters for UTF-8 input (libexpat bug 115): https://github.com/libexpat/libexpat/issues/115 * Define XML_POOR_ENTROPY when compiling expat
* Blurb release and pydoc topics for 3.5.4 final.Larry Hastings2017-08-072-2/+8
|
* [3.5] [security] bpo-30119: fix ftplib.FTP.putline() to throw an error for a ↵Dong-hee Na2017-07-261-0/+2
| | | | illegal command (#1214) (#2887)
* Blurb release for 3.5.4rc1.Larry Hastings2017-07-24112-253/+1135
|
* Update 3.5 to use blurb!Larry Hastings2017-07-24131-9670/+28656
|
* [3.5] Backport bpo-30876 (GH-2639), bpo-18018 and bpo-26367. (#2677)Serhiy Storchaka2017-07-231-0/+3
| | | | | | | | | | | | | | | | * bpo-30876: Relative import from unloaded package now reimports the package instead of failing with SystemError. Relative import from non-package now fails with ImportError rather than SystemError. (cherry picked from commit 8a9cd20edca7d01b68292036029ae3735ce65edd) * bpo-18018: Import raises ImportError instead of SystemError if a relative import is attempted without a known parent package. * bpo-26367: importlib.__init__() raises ImportError like builtins.__import__() when ``level`` is specified but without an accompanying package specified.
* [3.5] bpo-29403: Fix mock's broken autospec behavior on method-bound builtin ↵Berker Peksag2017-07-211-0/+2
| | | | | | | | | | | | | | | | | | | | | functions (GH-3) Cython will, in the right circumstances, offer a MethodType instance where im_func is a builtin function. Any instance of MethodType is automatically assumed to be a Python-defined function (more specifically, a function that has an inspectable signature), but _set_signature was still conservative in its assumptions. As a result _set_signature would return early with None instead of a mock since the im_func had no inspectable signature. This causes problems deeper inside mock, as _set_signature is assumed to _always_ return a mock, and nothing checked its return value. In similar corner cases, autospec will simply not check the spec of the function, so _set_signature is amended to now return early with the original, not-wrapped mock object. Patch by Aaron Gallagher. (cherry picked from commit 856cbcc12f2e4cca93af5dc7ed6bcea4dd942f10)
* bpo-30822: regrtest: remove tzdata (#2782)Victor Stinner2017-07-201-4/+1
| | | | | * Oops, tzdata was introduced in Python 3.6: remove it from regrtest * Remove also Lib/test/libregrtest/__init__.py file: add by mistake on a backport.
* bpo-30822: Exclude tzdata from regrtest --all (#2775) (#2781)Victor Stinner2017-07-201-0/+5
| | | | | | | | | | | | | | When running the test suite using --use=all / -u all, exclude tzdata since it makes test_datetime too slow (15-20 min on some buildbots) which then times out on some buildbots. -u tzdata must now be enabled explicitly, -u tzdata or -u all,tzdata, to run all test_datetime tests. Fix also regrtest command line parser to allow passing -u extralargefile to run test_zipfile64. Travis CI: remove -tzdata. Replace -u all,-tzdata,-cpu with -u all,-cpu since tzdata is now excluded from -u all. (cherry picked from commit 5b392bbaeb9d9b1db961ecfc7315d8c8662c27f6)
* bpo-30961: Fix decrementing a borrowed reference in tracemalloc. (#2747) (#2749)Xiang Zhang2017-07-181-0/+1
| | | (cherry picked from commit 4ed5ad79ec6c6270e6018bd0a55656305ee60907)
* [3.5] bpo-30879: os.listdir() and os.scandir() now emit bytes names when ↵Serhiy Storchaka2017-07-111-0/+3
| | | | | | | (GH-2634) (#2657) called with bytes-like argument. (cherry picked from commit 1180e5a51871fa53ca6892e83fd2e69dc2600447)
* bpo-30886: Fix multiprocessing.Queue.join_thread() (#2642) (#2644)Victor Stinner2017-07-101-0/+3
| | | | | | | | | | | multiprocessing.Queue.join_thread() now waits until the thread completes, even if the thread was started by the same process which created the queue. Fix the following warning which occurs randomly when running test_handle_called_with_mp_queue of test_logging.QueueListenerTest: Warning -- threading_cleanup() failed to cleanup -1 threads after 4 sec (count: 0, dangling: 1) (cherry picked from commit 3b69d911c57ef591ac0c0f47a66dbcad8337f33a)
* [3.5] bpo-29854: Fix segfault in call_readline() (GH-728)Nir Soffer2017-07-091-0/+2
| | | | | | | | | | | | If history-length is set in .inputrc, and the history file is double the history size (or more), history_get(N) returns NULL, and python segfaults. Fix that by checking for NULL return value. It seems that the root cause is incorrect handling of bigger history in readline, but Python should not segfault even if readline returns unexpected value. This issue affects only GNU readline. When using libedit emulation system history size option does not work.
* bpo-30532: Fix whitespace folding in certain cases (#2592)Joel Hillacre2017-07-062-0/+2
| | | Leading whitespace was incorrectly dropped during folding of certain lines in the _header_value_parser's folding algorithm. This makes the whitespace handling code consistent.
* [3.5] bpo-30441: Fix bug when modifying os.environ while iterating over it ↵Serhiy Storchaka2017-07-042-0/+2
| | | | | (GH-2409). (#2557) (cherry picked from commit 8a8d28501fc8ce25926d168f1c657656c809fd4c)
* [3.5] bpo-30807: signal.setitimer() may disable the timer by mistake ↵Antoine Pitrou2017-06-301-0/+6
| | | | | | | | (GH-2493) (#2498) * bpo-30807: signal.setitimer() may disable the timer by mistake * Add NEWS blurb (cherry picked from commit 729780a810bbcb12b245a1b652302a601fc9f6fd)
* bpo-30383: Add NEWS entry for backported regrtest (#2438)Victor Stinner2017-06-271-0/+14
|
* [3.5] bpo-30765: Avoid blocking when PyThread_acquire_lock() is asked not to ↵Antoine Pitrou2017-06-261-0/+2
| | | | | | | | | | | | | (GH-2403) (#2419) * bpo-30765: Avoid blocking when PyThread_acquire_lock() is asked not to lock This is especially important if PyThread_acquire_lock() is called reentrantly (for example from a signal handler). * Update 2017-06-26-14-29-50.bpo-30765.Q5iBmf.rst * Avoid core logic when taking the mutex failed. (cherry picked from commit f84ac420c2af98339678744953869cad3c253281)
generated by cgit v0.12 at 2024-11-17 06:35:49 (GMT)