path: root/Modules
Commit message | Author | Age | Files | Lines
* [3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504) | Gregory P. Smith | 2022-09-06 | 1 | -0/+56
  Converting between `int` and `str` in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a `ValueError` if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).
  This new limit can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length Limitation` documentation. The default limit is 4300 digits in string form.
  Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
* [3.7] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (GH-92334) | Erlend Egeberg Aasland | 2022-05-23 | 1 | -14/+32
  (cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b)
  Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
  Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
* bpo-46932: Update bundled libexpat to 2.4.7 (GH-31736) (GH-31741) | Miss Islington (bot) | 2022-03-07 | 2 | -14/+155
  (cherry picked from commit 176835c3d5c70f4c1b152cc2062b549144e37094)
  Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-46794: Bump up the libexpat version into 2.4.6 (GH-31487) (GH-31521) | Miss Islington (bot) | 2022-02-23 | 5 | -62/+132
  (cherry picked from commit 1935e1cc284942bec8006287c939e295e1a7bf13)
  Co-authored-by: Dong-hee Na <donghee.na@python.org>
* bpo-46784: Add newly exported expat symbols to the namespace. (GH-31397) (GH-31418) | Miss Islington (bot) | 2022-02-21 | 1 | -0/+5
  The libexpat 2.4.1 upgrade introduced the following new exported symbols:
  * `testingAccountingGetCountBytesDirect`
  * `testingAccountingGetCountBytesIndirect`
  * `unsignedCharToPrintable`
  * `XML_SetBillionLaughsAttackProtectionActivationThreshold`
  * `XML_SetBillionLaughsAttackProtectionMaximumAmplification`
  We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols).
  Automerge-Triggered-By: GH:gpshead
  (cherry picked from commit 6312c1052c0186b4596fc45c42fd3ade9f8f5911)
  Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com>
* bpo-46400: Update libexpat from 2.4.1 to 2.4.4 (GH-31022) (GH-31298) | Dong-hee Na | 2022-02-21 | 5 | -29/+235
  Co-authored-by: Cyril Jouve <jv.cyril@gmail.com>
* [3.7] bpo-44394: Update libexpat copy to 2.4.1 (GH-26945) (GH-28042) | Łukasz Langa | 2021-08-31 | 20 | -175/+1366
  Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.
  Co-authored-by: Victor Stinner <vstinner@python.org>
  Co-authored-by: Łukasz Langa <lukasz@langa.pl>
  (cherry picked from commit 3fc5d84046ddbd66abac5b598956ea34605a4e5d)
* [3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24249) | Benjamin Peterson | 2021-01-18 | 1 | -34/+21
  (cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
  Co-authored-by: Benjamin Peterson <benjamin@python.org>
* bpo-40791: Make compare_digest more constant-time. (GH-23438) | Miss Islington (bot) | 2020-11-22 | 1 | -1/+1
  The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but do not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
  (This is change #1 from https://bugs.python.org/issue40791 .)
  (cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
  Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
* bpo-41100: additional fixes for testing on macOS 11 Big Sur Intel | Ned Deily | 2020-08-15 | 1 | -4/+0
  Note: macOS 11 is not yet released, this release of Python is not fully supported on 11.0, and not all tests pass.
* bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21461) | Miss Islington (bot) | 2020-07-13 | 1 | -8/+21
  Automerge-Triggered-By: @tiran
  (cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* closes bpo-41235: Fix the error handling in SSLContext.load_dh_params() (GH-21389) | Miss Islington (bot) | 2020-07-08 | 1 | -2/+4
  (cherry picked from commit aebc0495572c5bb85d2bd97d27cf93ab038b5a6a)
  Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* [3.7] Revert bpo-39576: Prevent memory error for overly optimistic precisions (GH-20748) | Stefan Krah | 2020-06-08 | 2 | -210/+6
  This reverts commit c6f95543b4832c3f0170179da39bcf99b40a7aa8.
* bpo-30008: Fix OpenSSL no-deprecated compilation (GH-20397) | Miss Islington (bot) | 2020-06-01 | 1 | -11/+45
  Fix :mod:`ssl` code to be compatible with OpenSSL 1.1.x builds that use ``no-deprecated`` and ``--api=1.1.0``.
  Note: Tests assume full OpenSSL API and fail with limited API.
  Signed-off-by: Christian Heimes <christian@python.org>
  Co-authored-by: Mark Wright <gienah@gentoo.org>
  (cherry picked from commit a871f692b4a2e6c7d45579693e787edc0af1a02c)
  Co-authored-by: Christian Heimes <christian@python.org>
* bpo-13097: ctypes: limit callback to 1024 arguments (GH-19914) | Miss Islington (bot) | 2020-05-27 | 1 | -0/+15
  ctypes now raises an ArgumentError when a callback is invoked with more than 1024 arguments. The ctypes module allocates arguments on the stack in ctypes_callproc() using alloca(), which is problematic when large numbers of arguments are passed. Instead of a stack overflow, this commit raises an ArgumentError if more than 1024 parameters are passed.
  (cherry picked from commit 29a1384c040d39659e7d01f1fd7b6eb71ef2634e)
  Co-authored-by: Sean Gillespie <sean@swgillespie.me>
* [3.7] bpo-38580: Document that select() accepts iterables, not just sequences (GH-16832) | Tal Einat | 2020-05-26 | 1 | -2/+2
  (cherry picked from commit 372ee27d4958302dac7ad6a8711f6fd04771b2e6)
  Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
* [3.8] bpo-35714: Reject null characters in struct format strings (GH-16928) (GH-20419) | Miss Islington (bot) | 2020-05-26 | 1 | -0/+4
  struct.error is now raised if there is a null character in a struct format string.
  (cherry picked from commit 3f59b55316f4c6ab451997902579aa69020b537c)
  (cherry picked from commit 5ff5edfef63b3dbc1abb004b3fa4b3db87e79ff9)
  Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* bpo-40653: Move _dirnameW out of #ifdef HAVE_SYMLINK/#endif (GH-20144) | Miss Islington (bot) | 2020-05-18 | 1 | -2/+6
  (cherry picked from commit 7f21c9ac872acc2114aee3313d132b016550ff42)
  Co-authored-by: Minmin Gong <gongminmin@msn.com>
* [3.7] bpo-40457: Support OpenSSL without TLS 1.0/1.1 (GH-19862) (GH-20126) | Miss Islington (bot) | 2020-05-16 | 1 | -34/+27
* [3.7] bpo-40515: Require OPENSSL_THREADS (GH-19953) (GH-20120) | Christian Heimes | 2020-05-15 | 2 | -1/+9
* [3.7] bpo-40559: Add Py_DECREF to _asynciomodule.c:task_step_impl() (GH-19990) | Miss Islington (bot) | 2020-05-08 | 1 | -0/+4
  This fixes a possible memory leak in the C implementation of asyncio.Task.
  (cherry picked from commit d2c349b190bcba21a4a38e6520a48ad97a9f1529)
  Co-authored-by: Chris Jerdonek <chris.jerdonek@gmail.com>
* bpo-40138: Fix Windows os.waitpid() for large exit code (GH-19654) | Miss Islington (bot) | 2020-04-22 | 1 | -1/+3
  Fix the Windows implementation of os.waitpid() for exit code larger than "INT_MAX >> 8". The exit status is now interpreted as an unsigned number.
  (cherry picked from commit b07350901cac9197aef41855d8a4d56533636b91)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.7] bpo-40179: Fix translation of #elif in Argument Clinic (GH-19364) (GH-19584) | Serhiy Storchaka | 2020-04-18 | 1 | -3/+3
  Co-authored-by: Ammar Askar <ammar@ammaraskar.com>
  (cherry picked from commit 12446e6a605f066d837d3a595d0a73e4f3b43b65)
* [3.7] bpo-31758: Prevent crashes when using an uninitialized _elementtree.XMLParser object (GH-3997) (GH-19487) | Miss Islington (bot) | 2020-04-12 | 1 | -0/+27
  (cherry picked from commit 402e1cdb132f384e4dcde7a3d7ec7ea1fc7ab527)
* bpo-39689: Do not use native packing for format "?" with standard size (GH-18969) | Miss Islington (bot) | 2020-03-31 | 1 | -0/+3
  (cherry picked from commit 472fc843ca816d65c12f9508ac762ca492165c45)
  Co-authored-by: Stefan Krah <skrah@bytereef.org>
* bpo-40014: Fix os.getgrouplist() (GH-19126) | Miss Islington (bot) | 2020-03-24 | 1 | -22/+25
  Fix os.getgrouplist(): if getgrouplist() function fails because the group list is too small, retry with a larger group list.
  On failure, the glibc implementation of getgrouplist() sets ngroups to the total number of groups. For other implementations, double the group list size.
  (cherry picked from commit f5c7cabb2be4e42a5975ba8aac8bb458c8d9d6d7)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* bpo-40014: Fix os.getgrouplist() on macOS (GH-19118) | Miss Islington (bot) | 2020-03-23 | 1 | -0/+19
  On macOS, getgrouplist() returns a non-zero value without setting errno if the group list is too small. Double the list size and call it again in this case.
  (cherry picked from commit 8ec7370c89aa522602eb9604086ce9f09770953d)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.7] bpo-22490: Remove __PYVENV_LAUNCHER__ from environment during launch (GH-9516) (GH-19111) | Jason R. Coombs | 2020-03-22 | 1 | -0/+11
  * bpo-22490: Remove "__PYVENV_LAUNCHER__" from the shell environment on macOS
    This changeset removes the environment variable "__PYVENV_LAUNCHER__" during interpreter launch as it is only needed to communicate between the stub executable in framework installs and the actual interpreter. Leaving the environment variable present may lead to misbehaviour when launching other scripts.
  * Actually commit the changes for issue 22490...
  * Correct typo
    Co-Authored-By: Nicola Soranzo <nicola.soranzo@gmail.com>
  * Run make patchcheck
  Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
  Co-authored-by: Nicola Soranzo <nicola.soranzo@gmail.com>
  (cherry picked from commit 044cf94f610e831464a69a8e713dad89878824ce)
  Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* [3.7] bpo-39652: Truncate the column name after '[' only if PARSE_COLNAMES is set. (GH-18942). (GH-19104) | Serhiy Storchaka | 2020-03-21 | 1 | -7/+23
  (cherry picked from commit b146568dfcbcd7409c724f8917e4f77433dd56e4)
* bpo-39582: ossaudiodev module update helpers signature for ioctl calls. (GH-18412) | Miss Islington (bot) | 2020-03-14 | 1 | -3/+3
  (cherry picked from commit b81f40f0adae3b1d1e57f9a89940ba827b9ede70)
  Co-authored-by: David CARLIER <devnexen@gmail.com>
* [3.7] bpo-39871: Fix possible SystemError in atan2, copysign and remainder (GH-18806) (GH-18990) | Mark Dickinson | 2020-03-14 | 1 | -1/+5
  In math_2(), the first PyFloat_AsDouble() call should be checked for failure before the second call.
  Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
  (cherry picked from commit 5208b4b37953a406db0ed6a9db545c2948dde989)
  Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* [3.7] bpo-38643: Raise SystemError instead of crashing when PyNumber_ToBase is called with invalid base. (GH-18863). (GH-18955) | Serhiy Storchaka | 2020-03-12 | 1 | -0/+14
  (cherry picked from commit e5ccc94bbb153431698b2391df625e8d47a93276)
* bpo-39903: Fix double decref in _elementtree.Element.__getstate__ (GH-18850) | Miss Islington (bot) | 2020-03-09 | 1 | -26/+17
  (cherry picked from commit 88944a44aa84b0f3674939019b1befbc7a9dc874)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* bpo-39378: partial of PickleState struct should be traversed. (GH-18046) | Miss Islington (bot) | 2020-03-02 | 1 | -0/+1
  (cherry picked from commit 1f577ce363121d590b51abf5c41d1bcf3d751436)
  Co-authored-by: Hai Shi <shihai1992@gmail.com>
* [3.7] bpo-39794: Add --without-decimal-contextvar (GH-18702) | Stefan Krah | 2020-02-29 | 2 | -30/+177
  * bpo-39794: Add --without-decimal-contextvar (#18702)
  (cherry picked from commit 815280eb160af637e1347213659f9236adf78f80)
* [3.7] bpo-39427: Document -X opt options in the CLI --help and the man page (GH-18131) (#18134) | Pablo Galindo | 2020-02-23 | 1 | -1/+29
  https://bugs.python.org/issue39427
  Automerge-Triggered-By: @pablogsal
  (cherry picked from commit 41f0ef6abbd304409c55612a08788cdd59fbc8a3)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-39576: Prevent memory error for overly optimistic precisions (GH-18581) (#18585) | Miss Islington (bot) | 2020-02-21 | 2 | -6/+210
  (cherry picked from commit 90930e65455f60216f09d175586139242dbba260)
  Authored-by: Stefan Krah <skrah@bytereef.org>
* Valgrind no longer supports --db-attach=yes. (GH-18568) (#18578) | Miss Islington (bot) | 2020-02-20 | 1 | -1/+1
  (cherry picked from commit c0cb8beb389da3ba67ad31b1ecc95e100b6292ab)
  Co-authored-by: Stefan Krah <skrah@bytereef.org>
* Use the new recommended number of repetitions in the refleak tests. (GH-18569) (#18575) | Miss Islington (bot) | 2020-02-20 | 1 | -1/+1
  (cherry picked from commit 1246d892038a693304549f8574e6c2784b91589a)
  Co-authored-by: Stefan Krah <skrah@bytereef.org>
* Update runall.bat to the latest Windows build system. (GH-18571) (#18572) | Miss Islington (bot) | 2020-02-20 | 1 | -41/+59
  (cherry picked from commit 9b833e00e447a3b8b6966686bff701f549c66263)
  Co-authored-by: Stefan Krah <skrah@bytereef.org>
* closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) | Miss Islington (bot) | 2020-02-04 | 1 | -0/+1
  When called on a closed object, readinto() segfaults on account of a write to a freed buffer:

    ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==220553== Access not within mapped region at address 0x2A
    ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272)
    ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
    ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
    ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

  Reproducer:

    reader = open ("/dev/zero", "rb")
    _void = reader.read (42)
    reader.close ()
    reader.readinto (bytearray (42))  ### BANG!

  The problem exists since 2012 when commit dc469454ec added code to free the read buffer on close().
  Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
  (cherry picked from commit cb1c0746f277052e45a60d6c436a765e34722821)
  Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
* bpo-39421: Fix possible crash in heapq with custom comparison operators (GH-18118) | Miss Islington (bot) | 2020-01-23 | 1 | -9/+26
  * bpo-39421: Fix possible crash in heapq with custom comparison operators
  * fixup! bpo-39421: Fix possible crash in heapq with custom comparison operators
  * fixup! fixup! bpo-39421: Fix possible crash in heapq with custom comparison operators
  (cherry picked from commit 79f89e6e5a659846d1068e8b1bd8e491ccdef861)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* [3.7] bpo-16575: Disabled checks for union types being passed by value. (GH-17960) (GH-17970) | Vinay Sajip | 2020-01-12 | 1 | -0/+19
  Although the underlying libffi issue remains open, adding these checks has caused problems in third-party projects which are in widespread use. See the issue for examples. The corresponding tests have also been skipped.
  (cherry picked from commit c12440c371025bea9c3bfb94945f006c486c2c01)
* Add PYTHONUTF8 to commandline usage. (GH-17587) (GH-17599) | Inada Naoki | 2019-12-14 | 1 | -0/+1
  Co-Authored-By: Victor Stinner <vstinner@python.org>
  (cherry picked from commit 95826c773a9004fc5b3c89de55f800504685ab21)
* [3.7] bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) (GH-17500) | Miss Islington (bot) | 2019-12-07 | 1 | -1/+48
  test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line.
  Signed-off-by: Christian Heimes <christian@python.org>
  https://bugs.python.org/issue38820
  (cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
  Co-authored-by: Christian Heimes <christian@python.org>
  Automerge-Triggered-By: @tiran
* [3.7] Make repr of C accelerated TaskWakeupMethWrapper the same as of pure Python version (GH-17484) (GH-17494) | Andrew Svetlov | 2019-12-07 | 1 | -0/+16
  (cherry picked from commit 969ae7aca809a8dacafee04c261110eea0ac1945)
  Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
* bpo-38965: Fix faulthandler._stack_overflow() on GCC 10 (GH-17467) | Miss Islington (bot) | 2019-12-04 | 1 | -10/+6
  Use the "volatile" keyword to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma.
  (cherry picked from commit 8b787964e0a647caa0558b7c29ae501470d727d9)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* bpo-36854: Fix reference counter in PyInit__testcapi() (GH-17338) | Miss Islington (bot) | 2019-11-22 | 1 | -2/+5
  Increment properly Py_True/Py_False reference counter for _testcapi.WITH_PYMALLOC variable.
  (cherry picked from commit 84c36c152a2bdf98f9cc7ce0e1db98e1f442a05e)
  Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.7] bpo-16576: Add checks for bitfields passed by value to functions. (GH-17097) (GH-17224) | Miss Islington (bot) | 2019-11-21 | 2 | -7/+64
  (cherry picked from commit 106271568c58cfebae58f0c52b640dbe716ba2ce)
* bpo-38823: Fix refleak in _tracemalloc init error handling (GH-17235) | Miss Islington (bot) | 2019-11-20 | 1 | -1/+3
  (cherry picked from commit d51a363a4379385fdfe9c09a56324631465ede29)
  Co-authored-by: Brandt Bucher <brandtbucher@gmail.com>