Permalink
Checking mergeability…
Don’t worry, you can still create the pull request.
Comparing changes
Open a pull request
82
contributors
This comparison is big! We’re only showing the most recent
250
commits
Commits on Dec 06, 2018
(cherry picked from commit 55f41e4)
(cherry picked from commit c9566b8) Co-authored-by: Andre Delfino <adelfino@gmail.com>
Commits on Dec 07, 2018
Commits on Dec 10, 2018
…11068) Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity (fix an old copy/paste mistake). Bug spotted and fix proposed by Charalampos Stratakis, initial reproducer written by Petr Viktorin. Co-Authored-By: Charalampos Stratakis <cstratak@redhat.com> Co-Authored-By: Petr Viktorin <encukou@gmail.com> (cherry picked from commit 8e04186)
Include <pyconfig.h> ealier in Modules/expat/xmltok.c to define properly _POSIX_C_SOURCE. Python defines _POSIX_C_SOURCE as 200809L, whereas <features.h> (included indirectly by <string.h>) defines _POSIX_C_SOURCE as 199506L. (cherry picked from commit cf24735) Co-authored-by: Victor Stinner <vstinner@redhat.com>
Commits on Dec 11, 2018
https://bugs.python.org/issue35401 (cherry picked from commit 419b5ff) Co-authored-by: Ned Deily <nad@python.org>
Commits on Dec 12, 2018
* bpo-16039: CVE-2013-1752: Change use of readline() in imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline() and IMAP4_SSL.read() to inherit safe IMAP4 implementation. * bpo-20118: reenable test_linetoolong() of test_imaplib on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL. The test now sets the _MAXLINE limit to 10 characters.
Commits on Dec 14, 2018
Commits on Dec 18, 2018
Commits on Dec 19, 2018
…(). (GH-11033) (GH-11234) In _localemodule.c and selectmodule.c, remove dead code that would cause double decrefs if run. In addition, replace PyList_SetItem() with PyList_SET_ITEM() in cases where a new list is populated and there is no possibility of an error. In addition, check if the list changed size in the loop in array_array_fromlist(). (cherry picked from commit 99d56b5) Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Commits on Dec 22, 2018
) This addresses C extension build errors related to an undefined _hypot symbol when building with the Microsoft Visual C++ Compiler for Python 2.7 [1] or MinGWPy [2]. It also addresses errors when building a C++ extension with MinGWPy and C++11 from cmath, 'error "::hypot' has not been declared' [1] https://www.microsoft.com/en-us/download/details.aspx?id=44266 [2] https://mingwpy.github.io/
Commits on Dec 27, 2018
Commits on Jan 02, 2019
Commits on Jan 09, 2019
(cherry picked from commit 91c6158) Co-authored-by: Andre Delfino <adelfino@gmail.com>
Commits on Jan 15, 2019
…ode. (GH-11127)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f524) Co-authored-by: Christian Heimes <christian@python.org>
Commits on Feb 02, 2019
Commits on Feb 06, 2019
(cherry picked from commit e9bc417) Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
Commits on Feb 10, 2019
(cherry picked from commit 9db56fb) Co-authored-by: Julien Palard <julien@palard.fr>
Commits on Feb 15, 2019
GH-10607) Change TLS 1.3 cipher suite settings for compatibility with OpenSSL 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by default. Also update multissltests to test with latest OpenSSL. Signed-off-by: Christian Heimes <christian@python.org>. (cherry picked from commit 3e630c5) Co-authored-by: Christian Heimes <christian@python.org>
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2). (cherry picked from commit 358cfd4)
) Backport of TLS 1.3 related fixes from 3.7. Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by default. Some test cases only apply to TLS 1.2. OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS 1.3. The feature is enabled by default for maximum compatibility with broken middle boxes. Users should be able to disable the hack and CPython's test suite needs it to verify default options Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 2a4ee8a)
Commits on Feb 19, 2019
… by one character (GH-4517) (GH-11749) Add one char to MsiSummaryInfoGetProperty() output Based on the patch in [bpo-1104](https://bugs.python.org/issue1104) by Anthony Tuininga (atuining) and Mark McMahon (markm) (cherry picked from commit 2de576e) Co-authored-by: Tzu-ping Chung <uranusjr@gmail.com> https://bugs.python.org/issue1104
https://bugs.python.org/issue35584 (cherry picked from commit 3bacf61) Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
Commits on Feb 23, 2019
Commits on Feb 26, 2019
Per POSIX, `nice(3)` requires `unistd.h` and `exit(3)` requires `stdlib.h`. Fixing the test will prevent false positives with pedantic compilers like clang. (cherry picked from commit 90c6fac) Co-authored-by: ngie-eign <1574099+ngie-eign@users.noreply.github.com>
…on). (GH-12027) (GH-12050) The standard math library (libm) may follow IEEE-754 recommendation to include an implementation of sinPi(), i.e. sinPi(x):=sin(pi*x). And this triggers a name clash, found by FreeBSD developer Steve Kargl, who worked on putting sinpi into libm used on FreeBSD (it has to be named "sinpi", not "sinPi", cf. e.g. https://en.cppreference.com/w/c/experimental/fpext4).
Commits on Feb 27, 2019
Did you know an API documented as printing the pending traceback would sometimes exit the process? You do now. (cherry picked from commit 4173772) Co-authored-by: Gregory P. Smith <greg@krypto.org>
Commits on Feb 28, 2019
Commits on Mar 02, 2019
Commits on Mar 04, 2019
Fix two unlikely reference leaks in _hashopenssl. The leaks only occur in out-of-memory cases. Thanks to Charalampos Stratakis. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue36179. (cherry picked from commit b7bc283) Co-authored-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue36179
Commits on Mar 05, 2019
GH-12177) Use test_support.TEST_HTTP_URL (pythontest.net) instead of http://www.example.com/.
Commits on Mar 06, 2019
Commits on Mar 07, 2019
Remove 's' mention as there's no argument. (cherry picked from commit e942e7b) Co-authored-by: Andre Delfino <adelfino@gmail.com>
Commits on Mar 08, 2019
Cherry picked by hand from a0e911b
* Update pip to 19.0.3 * Update setuptools to 40.8.0 (cherry picked from commit 01e0f43) Co-authored-by: Pradyun Gedam <pradyunsg@gmail.com>
Commits on Mar 11, 2019
Patch written by David Malcolm. Co-Authored-By: David Malcolm <dmalcolm@redhat.com>
Commits on Mar 14, 2019
…H-12332) Fix an unlikely memory leak on conversion from string to float in the function _Py_dg_strtod() used by float(str), complex(str), pickle.load(), marshal.load(), etc. Fix an unlikely memory leak in _Py_dg_strtod() on "undfl:" label: rewrite memory management in this function to always release all memory before exiting the function. Initialize variables to NULL, and set them to NULL after calling Bfree() at the "cont:" label. Note: Bfree(NULL) is well defined: it does nothing. (cherry picked from commit 9776b06)
Commits on Mar 15, 2019
…H-12349) Fix CFLAGS in customize_compiler() of distutils.sysconfig: when the CFLAGS environment variable is defined, don't override CFLAGS variable with the OPT variable anymore. Initial patch written by David Malcolm. Co-Authored-By: David Malcolm <dmalcolm@redhat.com> (cherry picked from commit 86082c2)
Commits on Mar 19, 2019
(cherry picked from commit 74ae50e) Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
Commits on Mar 20, 2019
(cherry picked from commit fc8284e) Co-authored-by: Jean-François B <jfbu@free.fr>
Commits on Mar 26, 2019
…H-9821) (GH-12568) (cherry picked from commit 6cd658b) Co-authored-by: Tal Einat <taleinat+github@gmail.com> https://bugs.python.org/issue34203
Commits on Mar 27, 2019
(cherry picked from commit f760610) Co-authored-by: Andre Delfino <adelfino@gmail.com>
Commits on Mar 28, 2019
Commits on Mar 31, 2019
Commits on Apr 03, 2019
Commits on Apr 09, 2019
Fix reference leak hunting in regrtest: compute also deltas (of reference count and file descriptor count) during warmup, to ensure that everything is initialized before starting to hunt reference leaks. Other changes: * Replace gc.collect() with support.gc_collect() in clear_caches() * dash_R() is now more quiet with --quiet option (don't display progress). * Precompute the full range for "for it in range(repcount):" to ensure that the iteration doesn't allocate anything new. * dash_R() now is responsible to call warm_caches(). (cherry picked from commit 5aaac94)
Commits on Apr 12, 2019
Commits on Apr 13, 2019
Commits on Apr 22, 2019
…H-12687) (GH-12916) (cherry picked from commit 56ed864) https://bugs.python.org/issue9194
Commits on Apr 25, 2019
Commits on Apr 30, 2019
Commits on May 02, 2019
(cherry picked from commit 11e4a94) Co-authored-by: Xtreak <tir.karthi@gmail.com>
Commits on May 08, 2019
…13179) Patch by Mike Taylor.
Commits on May 09, 2019
GH-13199) * [2.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) We updated the server, our testsuite must match. https://bugs.python.org/issue36816✈️ CLE -> DEN✈️ #pycon2019 #beyonce (cherry picked from commit 6bd8173) The 2.7 tree also needed a certificate in the capath directory updated. The filename for that was determined by `openssl x509 -in $cert.pem -subject_hash`. Authored-by: Gregory P. Smith <greg@krypto.org>
Commits on May 12, 2019
…ibintl. (GH-13265) In Python-2.7, we were only searching for bind_textdomain_codeset in libc. We should have also checked for it in libintl. This change from Mel Flynn https://bugs.python.org/file24918/python27-configure.in.patch fixes that.
Commits on May 13, 2019
…or old TLS (GH-13124) (GH-13253) Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue. (cherry picked from commit 2cc0223) Changes to test_ssl.py required as 2.7 has legacy protocol tests. The test_httplib.py change is omitted from this backport as self-signed.pythontest.net's certificate was updated and the test_nntplib.py change is not applicable on 2.7. Authored-by: Gregory P. Smith greg@krypto.org
Commits on May 17, 2019
… default. (GH-13370) TLS 1.3 has a more efficient handshake protocol. The client can reject the server's credentials and close the connection before the server has even finished writing out all of its initial data. Depending on whether the server finishes writing the rest of its handshake before the it sees the connection is reset, the server will read an empty line or see a ECONNRESET OSError. Nothing is really wrong here with the server or client, so just suppress the error output in the OSError case to fix the test. This fix isn't required in Python 3 because clients that reject the server's certificate will shut down the TLS layer before closing the TCP connection.
Commits on May 20, 2019
Commits on May 21, 2019
…H-13315) Disallow control chars in http URLs in urllib2.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. Disable https related urllib tests on a build without ssl (GH-13032) These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. Use httplib.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz> (cherry picked from commit 7e200e0) Notes on backport to Python 2.7: * test_urllib tests urllib.urlopen() which quotes the URL and so is not vulerable to HTTP Header Injection. * Add tests to test_urllib2 on urllib2.urlopen(). * Reject non-ASCII characters: range 0x80-0xff.
Commits on May 22, 2019
Commits on May 23, 2019
modified: Lib/ctypes/test/test_unicode.py modified: Misc/ACKS new file: Misc/NEWS.d/next/Library/2019-05-23-15-57-36.bpo-36713.sjPhnf.rst
Commits on May 28, 2019
Commits on May 29, 2019
…an be iterable (GH-6015) https://bugs.python.org/issue33006
Patch by Kojo Idrissa. (cherry picked from commit 1b4abcf) Co-authored-by: Kojo Idrissa <kojoidrissa@users.noreply.github.com> https://bugs.python.org/issue33071
Commits on May 31, 2019
Commits on Jun 03, 2019
(cherry picked from commit d337169) Co-authored-by: cclauss <cclauss@me.com>
Commits on Jun 04, 2019
(cherry picked from commit 59e7bbc) Co-authored-by: Julien Palard <julien@palard.fr>
Commits on Jun 07, 2019
Commits on Jun 08, 2019
Commits on Jun 09, 2019
) Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> https://bugs.python.org/issue34836
Commits on Jun 11, 2019
Commits on Jun 15, 2019
…GH-10258) (GH-13426) This is a manual backport of ca7fe50 since 2.7 has `http.cookiejar` in `cookielib` https://bugs.python.org/issue35121
Commits on Jun 16, 2019
Cherry-picked from 66d47da.
Commits on Jun 18, 2019
Commits on Jun 19, 2019
Commits on Jun 21, 2019
Commits on Jun 23, 2019
Rephrase and clarify that "the entire Python program exits when only daemon threads are left". This matches the documentation at https://docs.python.org/3/library/threading.htmlGH-thread-objects. (cherry picked from commit bb110cc) Co-authored-by: mbarkhau <mbarkhau@gmail.com>
Commits on Jun 24, 2019
Commits on Jun 25, 2019
Commits on Jun 26, 2019
) Fix test_wsgiref.testEnviron() to no longer depend on the environment variables (don't fail if "X" variable is set). testEnviron() now overrides os.environ to get a deterministic environment. Test full TestHandler.environ content: not only a few selected variables. (cherry picked from commit 5150d32) Co-authored-by: Victor Stinner <vstinner@redhat.com>
Commits on Jun 28, 2019
(cherry picked from commit 3b03b09) Co-authored-by: Benjamin Peterson <benjamin@python.org>
Commits on Jun 30, 2019
) (GH-14475) * Added documentation for textwrap.dedent behavior. (cherry picked from commit eb97b92) Co-authored-by: tmblweed <tmblweed@users.noreply.github.com> https://bugs.python.org/issue30754
Commits on Jul 01, 2019
…H-14257) When building 2.7 on macOS without system header files installed in ``/usr/include``, a few extension modules dependent on system-supplied third-party libraries were not being built, most notably zlib. This situation arose in the past when building without the Command Line Tools and the option to install header files in the traditional system locations (like /usr/include). As of macOS 10.14, the header files are only available in an SDK so the problem addressed here affects most 2.7 builds.
Commits on Jul 02, 2019
(cherry picked from commit 2cd0792) Co-authored-by: Benjamin Peterson <benjamin@python.org>
Commits on Jul 06, 2019
Also fix a name misspelling. (cherry picked from commit 45bc61b) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
0 is a legal index. (cherry picked from commit f8709e8) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Commits on Jul 07, 2019
Commits on Jul 11, 2019
(cherry picked from commit 2a3d4d9) Co-authored-by: Benjamin Peterson <benjamin@python.org>
Commits on Jul 24, 2019
…e rather than listdir. (14942) (cherry picked from commit 93e8aa6) Co-authored-by: Benjamin Peterson <benjamin@python.org>
Commits on Aug 05, 2019
Commits on Aug 21, 2019
…5349) If this service had thoroughly vanished, we could just ignore the test until someone gets around to either recreating such a service or redesigning the test to somehow work locally. The `support.transient_internet` mechanism catches the failure to resolve the domain name, and skips the test. But in fact the domain snakebite.net does still exist, as do its nameservers -- and they can be quite slow to reply. As a result this test can easily take 20-30s before it gets auto-skipped. So, skip the test explicitly up front. (cherry picked from commit 5b95a15) Co-authored-by: Greg Price <gnprice@gmail.com>
Fixed wrong link to Telnet.open() method in telnetlib documentation. (cherry picked from commit e0b6117) Co-authored-by: Michael Anckaert <michael.anckaert@sinax.be>
Commits on Aug 23, 2019
Commits on Aug 28, 2019
…nction. (GH-15560) https://bugs.python.org/issue37965 https://bugs.python.org/issue37965 Automerge-Triggered-By: @benjaminp (cherry picked from commit 55aabee) Co-authored-by: Anonymous Maarten <madebr@users.noreply.github.com>
Commits on Sep 09, 2019
GH-15808) The link we have points to the version from Unicode 6.0.0, dated 2010. There have been numerous updates to it since then: https://www.unicode.org/reports/tr44/GH-Modifications Change the link to one that points to the current version. Also, use HTTPS.. (cherry picked from commit 64c6ac7) Co-authored-by: Greg Price <gnprice@gmail.com>
Commits on Sep 11, 2019
…enamed.py. (GH-14800)
Fixes a build error with OpenSSL 1.1.0. There is already code in the `_ssl.c` that handles all the weird cases of the NPN config macros (with various OpenSSL & LibreSSL versions). That code will provide a HAVE_NPN variable, which should be used in the rest of the code to check whether (or what) to compile regarding NPN. This change adds HAVE_NPN in the remaining places where it should have been placed. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> https://bugs.python.org/issue35264
Commits on Sep 14, 2019
This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address. (cherry picked from commit 8cb65d1) Excludes changes to Lib/email/_header_value_parser.py, which did not exist in 2.7. Co-authored-by: jpic <jpic@users.noreply.github.com> https://bugs.python.org/issue34155
Commits on Sep 16, 2019
…H-16136) (GH-16176) (cherry picked from commit 56a4514) Co-authored-by: Hai Shi shihai1992@gmail.com https://bugs.python.org/issue38168
…6140) ``OPENSSL_VERSION_1_1`` was never defined in ``_hashopenssl.c``. https://bugs.python.org/issue33936 (cherry picked from commit 724f1a5) Co-authored-by: Christian Heimes <christian@python.org>
Commits on Sep 17, 2019
Commits on Sep 18, 2019
A little change on first paragraph of python tutorial to be more clearly https://bugs.python.org/issue37904 Automerge-Triggered-By: @ericvsmith (cherry picked from commit b574813) Co-authored-by: Diego Alberto Barriga Martínez <diegobarriga@protonmail.com>
Commits on Sep 24, 2019
Commits on Sep 26, 2019
…6408) Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.. (cherry picked from commit 52b9408) Co-authored-by: Benjamin Peterson <benjamin@python.org>
Commits on Sep 28, 2019
Commits on Oct 01, 2019
Commits on Oct 02, 2019
Commits on Oct 03, 2019
Fix race in PyThread_release_lock that was leading to memory corruption and deadlocks. The fix applies to POSIX systems where Python locks are implemented with mutex and condition variable because POSIX semaphores are either not provided, or are known to be broken. One particular example of such system is macOS. On Darwin, even though this is considered as POSIX, Python uses mutex+condition variable to implement its lock, and, as of 2019-08-28, Py2.7 implementation, even though similar issue was fixed for Py3 in 2012, contains synchronization bug: the condition is signalled after mutex unlock while the correct protocol is to signal condition from under mutex: https://github.com/python/cpython/blob/v2.7.16-127-g0229b56d8c0/Python/thread_pthread.h#L486-L506 187aa54 (py3 fix) PyPy has the same bug for both pypy2 and pypy3: https://bitbucket.org/pypy/pypy/src/578667b3fef9/rpython/translator/c/src/thread_pthread.c#lines-443:465 https://bitbucket.org/pypy/pypy/src/5b42890d48c3/rpython/translator/c/src/thread_pthread.c#lines-443:465 Signalling condition outside of corresponding mutex is considered OK by POSIX, but in Python context it can lead to at least memory corruption if we consider the whole lifetime of python level lock. For example the following logical scenario: T1 T2 sema = Lock() sema.acquire() sema.release() sema.acquire() free(sema) ... can translate to the next C-level calls: T1 T2 # sema = Lock() sema = malloc(...) sema.locked = 0 pthread_mutex_init(&sema.mut) pthread_cond_init (&sema.lock_released) # sema.acquire() pthread_mutex_lock(&sema.mut) # sees sema.locked == 0 sema.locked = 1 pthread_mutex_unlock(&sema.mut) # sema.release() pthread_mutex_lock(&sema.mut) sema.locked = 0 pthread_mutex_unlock(&sema.mut) # OS scheduler gets in and relinquishes control from T2 # to another process ... # second sema.acquire() pthread_mutex_lock(&sema.mut) # sees sema.locked == 0 sema.locked = 1 pthread_mutex_unlock(&sema.mut) # free(sema) pthread_mutex_destroy(&sema.mut) pthread_cond_destroy (&sema.lock_released) free(sema) # ... e.g. malloc() which returns memory where sema was ... # OS scheduler returns control to T2 # sema.release() continues # # BUT sema was already freed and writing to anywhere # inside sema block CORRUPTS MEMORY. In particular if # _another_ python-level lock was allocated where sema # block was, writing into the memory can have effect on # further synchronization correctness and in particular # lead to deadlock on lock that was next allocated. pthread_cond_signal(&sema.lock_released) Note that T2.pthread_cond_signal(&sema.lock_released) CORRUPTS MEMORY as it is called when sema memory was already freed and is potentially reallocated for another object. The fix is to move pthread_cond_signal to be done under corresponding mutex: # sema.release() pthread_mutex_lock(&sema.mut) sema.locked = 0 pthread_cond_signal(&sema.lock_released) pthread_mutex_unlock(&sema.mut) To do so this patch cherry-picks thread_pthread.h part of the following 3.2 commit: commit 187aa54 Author: Kristján Valur Jónsson <kristjan@ccpgames.com> Date: Tue Jun 5 22:17:42 2012 +0000 Signal condition variables with the mutex held. Destroy condition variables before their mutexes. Python/ceval_gil.h | 9 +++++---- Python/thread_pthread.h | 15 +++++++++------ 2 files changed, 14 insertions(+), 10 deletions(-) (ceval_gil.h is Python3 specific and does not apply to Python2.7) The bug was there since 1994 - since at least [1]. It was discussed in 2001 with original code author[2], but the code was still considered to be race-free. In 2010 the place where pthread_cond_signal should be - before or after pthread_mutex_unlock - was discussed with the rationale to avoid threads bouncing[3,4,5], and in 2012 pthread_cond_signal was moved to be called from under mutex, but only for CPython3[6,7]. In 2019 the bug was (re-)discovered while testing Pygolang[8] on macOS with CPython2 and PyPy2 and PyPy3. [1] 2c8cb9f [2] https://bugs.python.org/issue433625 [3] https://bugs.python.org/issue8299#msg103224 [4] https://bugs.python.org/issue8410#msg103313 [5] https://bugs.python.org/issue8411#msg113301 [6] https://bugs.python.org/issue15038#msg163187 [7] 187aa54 [8] https://pypi.org/project/pygolang (cherry picked from commit 187aa54) Co-Authored-By: Kristján Valur Jónsson <kristjan@ccpgames.com>
Commits on Oct 08, 2019
…alidation and encoding behavior (GH-16476) Backporting this change, I observe a couple of things: 1. The _encode_request call is no longer meaningful because the request construction will implicitly encode the request using the default encoding when the format string is used (request = '%s %s %s'...). In order to keep the code as consistent as possible, I decided to include the call as a pass-through. I'd be just as happy to remove it entirely, but I'll leave that up to the reviewer to decide. It's okay that this functionality is disabled on Python 2 because this functionality was mainly around bpo-36274, which was mainly a concern with the transition to Python 3. 2. Because _encode_request is no longer meaningful, neither is the test for it, so I've removed that test. Therefore, the meaningful part of this test is that for bpo-38216, adding a (underscore-protected) hook to customize/disable validation. (cherry picked from commit 7774d78) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
…-16638) Rather than requiring the path to blurb and/or sphinx-build to be specified to the make rule, enhance the Doc/Makefile to look for each first in a virtual environment created by make venv and, if not found, look on the normal process PATH. This allows the Doc/Makefile to take advantage of an installed spinx-build or blurb and, thus, do the right thing most of the time. Also, make the directory for the venv be configurable and document the `make venv` target.. (cherry picked from commit 590665c) Co-authored-by: Ned Deily <nad@python.org>
Commits on Oct 14, 2019
Commits on Oct 18, 2019
Commits on Oct 19, 2019
(cherry picked from commit 3f36043) Co-authored-by: Ned Deily <nad@python.org>
Commits on Oct 21, 2019
Commits on Oct 22, 2019
(cherry picked from commit dfe726b) Co-authored-by: Kyle Stanley <aeros167@gmail.com>
Commits on Oct 23, 2019
AddRefActCtx() does not return a value.
(cherry picked from commit 01659ca) Co-authored-by: Ned Deily <nad@python.org>
Commits on Oct 26, 2019
(cherry picked from commit d898d20) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Commits on Nov 07, 2019
Commits on Nov 24, 2019
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) # Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 # Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): # Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bf)
Commits on Dec 01, 2019
(cherry picked from commit fdafa1d) Co-authored-by: idomic <michael.ido@gmail.com>
Commits on Dec 03, 2019
Commits on Dec 17, 2019
Commits on Dec 25, 2019
Commits on Dec 31, 2019
Commits on Jan 03, 2020
(cherry picked from commit 32f1443) Co-authored-by: Ned Deily <nad@python.org>
Commits on Jan 04, 2020
Commits on Jan 07, 2020
(cherry picked from commit f4800b8) Co-authored-by: Inada Naoki <songofacandy@gmail.com>
Commits on Mar 19, 2020
Showing you all comments on commits in this comparison.
This comment has been minimized.
This comment has been minimized.
abhishpaliwal
commented on bb8071a
Jul 19, 2019
•
|
Any one tested the test_urllib2.py as its getting failed when we run "run-ptest". Below are the logs: ERROR: test_url_with_control_char_rejected (test.test_urllib2.MiscTests)Traceback (most recent call last): ======================================================================
|
This file was deleted.
This file was deleted.