Update unittest.mock.rst #17674
Conversation
…H-10204) After commit d0f49d2, the output of the test suite is always buffered as the test output needs to be included in the JUnit file in some cases (as when a test fails). This has the consequence that printing or using debuggers (like pdb) in the test suite does not result in a good user experience anymore. This commit modifies the test suite runner so it only captures the test output when the JUnit file is requested to fix the regression so prints and debuggers are usable again. (cherry picked from commit 0227748) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
https://bugs.python.org/issue35075 (cherry picked from commit bf46a09) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* Include memo in the documented signature of copy.deepcopy() The memo argument is mentioned lower on the doc page under writing a `__deepcopy__` method, but is not included in the documented function signature. This makes it easy to miss, and can lead to incorrect/buggy implementations of `__deepcopy__` -- which is exactly what just happened to me! (cherry picked from commit 0200928) Co-authored-by: Stephan Hoyer <shoyer@gmail.com>
Some methods in the os module can accept path-like objects. This is documented in the general documentation but not in the function docstrings. To keep both in sync, the docstrings need to be updated to reflect that path-like objects are also accepted. (cherry picked from commit b942707) Co-authored-by: BNMetrics <luna@bnmetrics.com>
… systems. (GH-10347) The test depended on '/usr/share/zoneinfo/posixrules' or equivalent because it set TZ without explicit DST transition rules. At least on OpenSUSE Tumbleweed that file is linked to '/etc/localtime', making the test fail with certain local timezones, such as 'Europe/Moscow' which doesn't have DST transitions since 2011. (cherry picked from commit f1b9ad3) Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru>
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server.

Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular space.

You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  # Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1 else
                65506  # Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  # Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

(cherry picked from commit 1b779bf)

Co-authored-by: bcaller <bcaller@users.noreply.github.com>
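The commit message above explains why adjacent `\s*` groups cause catastrophic backtracking and that the fix removes the ambiguity. The following is an added example, not code from the CPython commit or from the http.cookiejar module: it takes the simplified pattern quoted in the commit message, puts an unambiguous rewrite (a single `\s*`, an assumed stand-in for the real fix) beside it, and runs both against the commit's constructed malicious input and a well-formed one, so a regression-style check can confirm that the rewrite rejects the malicious input quickly while still accepting what the original accepted.

```python
import re
import time

# Added example, not code from the CPython commit: the simplified pattern the
# commit message gives for LOOSE_HTTP_DATE_RE, with three adjacent \s* groups
# that can each claim any share of a run of spaces.
AMBIGUOUS_RE = re.compile(r"\d+-\w+-\d+(\s*\s*\s*)$")

# Unambiguous rewrite (an assumed stand-in for the real fix): one \s* means
# there is exactly one way to consume the spaces, so a failing match is
# rejected after a single pass instead of after every split of the run.
UNAMBIGUOUS_RE = re.compile(r"\d+-\w+-\d+(\s*)$")


def timed_match(pattern, text):
    """Return (matched, elapsed_seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_probe(n_spaces=2000):
    """Compare both patterns on the commit message's malicious input.

    The trailing "!" makes the anchored match fail, which forces the ambiguous
    pattern to try every way of splitting the spaces among its three groups
    (roughly n_spaces**2 / 2 attempts). A well-formed input with no trailing
    junk is checked too, to show the rewrite accepts what the original did.
    """
    # Constructed inputs, following the commit message.
    malicious = "1-c-1" + (" " * n_spaces) + "!"
    benign = "1-c-1" + (" " * n_spaces)

    amb_bad, amb_seconds = timed_match(AMBIGUOUS_RE, malicious)
    fix_bad, fix_seconds = timed_match(UNAMBIGUOUS_RE, malicious)
    amb_ok, _ = timed_match(AMBIGUOUS_RE, benign)
    fix_ok, _ = timed_match(UNAMBIGUOUS_RE, benign)

    return {
        "ambiguous_matches_malicious": amb_bad,  # False, but only after heavy backtracking
        "fixed_matches_malicious": fix_bad,      # False, after one pass
        "ambiguous_matches_benign": amb_ok,      # True
        "fixed_matches_benign": fix_ok,          # True: same accepted inputs
        "ambiguous_seconds": amb_seconds,
        "fixed_seconds": fix_seconds,
    }


def regression_check(n_spaces=2000, budget_seconds=0.5):
    """Regression-test style guard: True if the fixed pattern rejects the
    malicious input within the time budget and still accepts the benign one.
    """
    result = backtracking_probe(n_spaces)
    return (
        not result["fixed_matches_malicious"]
        and result["fixed_matches_benign"]
        and result["fixed_seconds"] < budget_seconds
    )


if __name__ == "__main__":
    r = backtracking_probe()
    print(f"ambiguous: {r['ambiguous_seconds']:.3f}s  fixed: {r['fixed_seconds']:.6f}s")
```

The timing gap grows quadratically with the number of spaces for the simplified pattern; the real LOOSE_HTTP_DATE_RE had more overlapping groups, which is why the 65506-space headers from the commit message never finish. A check like `regression_check` is the shape of guard the commit's own regression test describes: if the ambiguity ever returns, the test becomes very slow instead of silently passing.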
Small grammatical change.
the-knights-who-say-ni commented Dec 20, 2019

Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA).

Recognized GitHub username

We couldn't find a bugs.python.org (b.p.o) account corresponding to the following GitHub usernames:

This might be simply due to a missing "GitHub Name" entry in one's b.p.o account settings. This is necessary for legal reasons before we can look at this contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. You can check yourself to see if the CLA has been received.

Thanks again for the contribution, we look forward to reviewing it!
Only to Python 3.6? Why not master?
Please raise PRs to master unless it's an issue with the specific release branch. 3.6 accepts only security patches. As for the change, I am not a native speaker but both versions sound the same to me.
Apologies, was not paying attention; changed it to master.
drewmarshburn commented Dec 20, 2019
Small grammatical change.