Commits · python/cpython

…GH-93149) Also while there, clarify a few things about why we reduce the hash to 32 bits. Co-authored-by: Eli Libman <eli@hyro.ai> Co-authored-by: Yury Selivanov <yury@edgedb.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit c1f5c90)

…ters (GH-92334) (cherry picked from commit c908dc5) Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

…GH-92600)

…-91937) Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>. Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com> (cherry picked from commit f7641a2)

(cherry picked from commit 17dbb6b) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

(cherry picked from commit 08cfe07) Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

There was a typo, we were checking if the "GITHUB_BASE_REF" string literal was empty instead of the $GITHUB_BASE_REF value. When $GITHUB_BASE_REF is empty, the action that triggered the run was not a pull request, so we always run the full test suite. Signed-off-by: Filipe Laíns <lains@riseup.net> (cherry picked from commit 4ac923f)

GH-32241) (GH-32251) (cherry picked from commit 6066739) Co-authored-by: Zachary Ware <zach@python.org>

…other platforms (GH-32182)

…H-32111)

…fix (GH-31920) (GH-31925) (cherry picked from commit 7088120) Co-authored-by: Steve Dower <steve.dower@python.org>

…nSSL 1.1.1n. (GH-31911)

…GH-31907)

…th recent versions of clang. (GH-28845) (GH-31890) Change the configure logic to function properly on macOS when the compiler outputs a platform triplet for option --print-multiarch. The Apple Clang included with Xcode 13.3 now supports --print-multiarch causing configure to fail without this change. Co-authored-by: Ned Deily <nad@python.org> (cherry picked from commit 9c47667) Co-authored-by: David Bohman <debohman@gmail.com>

…H-31882) This reverts commit 0fbab8a as it breaks test_bdb and test_distutils with installed Pythons.

(cherry picked from commit c99ac3c) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>

(cherry picked from commit d87f1b7) Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>

(cherry picked from commit 176835c) Co-authored-by: Steve Dower <steve.dower@python.org>

…16-3189 and CVE-2019-12900 (GH-31732) (GH-31735)

…ctly uses the install path during repair (GH-31730)

…1573) Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo". (cherry picked from commit e2e7256) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

(cherry picked from commit 1935e1c) Co-authored-by: Dong-hee Na <donghee.na@python.org>

Automerge-Triggered-By: GH:benjaminp (cherry picked from commit ba00f0d) Co-authored-by: Benjamin Peterson <benjamin@python.org>

…) (GH-31418) The libexpat 2.4.1 upgrade from introduced the following new exported symbols: * `testingAccountingGetCountBytesDirect` * `testingAccountingGetCountBytesIndirect` * `unsignedCharToPrintable` * `XML_SetBillionLaughsAttackProtectionActivationThreshold` * `XML_SetBillionLaughsAttackProtectionMaximumAmplification` We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h) (The newer libexpat upgrade has no new symbols). Automerge-Triggered-By: GH:gpshead (cherry picked from commit 6312c10) Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com>

Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them a invalid URIs. libexpat >=2.4.5 has become strcter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3968 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae938) Co-authored-by: Sebastian Pipping <sebastian@pipping.org>

Co-authored-by: Cyril Jouve <jv.cyril@gmail.com>

…7.1 (GH-31476)

Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS. Co-authored-by: Victor Stinner <vstinner@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl>. (cherry picked from commit 3fc5d84)

…8037) Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com> Co-authored-by: Łukasz Langa <lukasz@langa.pl> (cherry picked from commit 0897253)

GH-27946) (GH-27975) Various date parsing utilities in the email module, such as email.utils.parsedate(), are supposed to gracefully handle invalid input, typically by raising an appropriate exception or by returning None. The internal email._parseaddr._parsedate_tz() helper used by some of these date parsing routines tries to be robust against malformed input, but unfortunately it can still crash ungracefully when a non-empty but whitespace-only input is passed. This manifests as an unexpected IndexError. In practice, this can happen when parsing an email with only a newline inside a ‘Date:’ header, which unfortunately happens occasionally in the real world. Here's a minimal example: $ python Python 3.9.6 (default, Jun 30 2021, 10:22:16) [GCC 11.1.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import email.utils >>> email.utils.parsedate('foo') >>> email.utils.parsedate(' ') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate t = parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz res = _parsedate_tz(data) File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz if data[0].endswith(',') or data[0].lower() in _daynames: IndexError: list index out of range The fix is rather straight-forward: guard against empty lists, after splitting on whitespace, but before accessing the first element. (cherry picked from commit 989f6a3) Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>

Commits on Apr 4, 2022

bpo-47194 : Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (

GH-32241) (GH-32251) (cherry picked from commit 6066739) Co-authored-by: Zachary Ware <zach@python.org>

miss-islington and zware committed Apr 4, 2022

387f93c

Commits on Mar 29, 2022

bpo-47138 : Ensure Windows docs build uses the same pinned version as …

…other platforms (GH-32182)

zooba committed Mar 29, 2022

d97497b

Commits on Mar 28, 2022

bpo-47138 : Fix documentation build by pinning Jinja version to 3.0.3 (G…

…H-32111)

m-aciek committed Mar 28, 2022

25f00bf

Commits on Mar 14, 2022

Revert "bpo-46986 : Upgrade bundled setuptools to 60.9.3 (GH-31820 )" (G…

…H-31882) This reverts commit 0fbab8a as it breaks test_bdb and test_distutils with installed Pythons.

ned-deily committed Mar 14, 2022

80cc10f

Commits on Feb 23, 2022

bpo-46794 : Bump up the libexpat version into 2.4.6 (GH-31487 ) (GH-31521 )

(cherry picked from commit 1935e1c) Co-authored-by: Dong-hee Na <donghee.na@python.org>

miss-islington and corona10 committed Feb 23, 2022

15d7594

Commits on Jan 2, 2022

bpo-41028 : use generic version links in Docs index.

ned-deily committed Jan 2, 2022

811f65b

Commits on Sep 4, 2021

Post release updates

ned-deily committed Sep 4, 2021

d5650a1

3.7.12

ned-deily committed Sep 4, 2021

1f97973

Commits on May 23, 2022

Commits on May 10, 2022

Commits on May 6, 2022

Commits on Apr 4, 2022

Commits on Mar 29, 2022

Commits on Mar 28, 2022

Commits on Mar 16, 2022

Commits on Mar 15, 2022

Commits on Mar 14, 2022

Commits on Mar 13, 2022

Commits on Mar 7, 2022

Commits on Feb 25, 2022

Commits on Feb 23, 2022

Commits on Feb 21, 2022

Commits on Jan 2, 2022

Commits on Sep 4, 2021

Commits on Aug 31, 2021

Commits on Aug 30, 2021