… regression test. (GH-96717) (#98195)

gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)

A regression would still absolutely fail and even a flaky pass isn't
harmful as it'd fail most of the time across our N system test runs.

Windows has a low resolution timer and CI systems are prone to odd
timing so this just gives more leeway to avoid flakiness.
(cherry picked from commit 11e3548)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…arams (GH-91993) (GH-98191)

gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit b9509ba)

Co-authored-by: Petr Viktorin <encukou@gmail.com>

) (#97634)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)

…97629)

Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size.  Issue reported by Jordan Limor.

list_resize() now checks for integer overflow before multiplying the
new allocated length by the list item size (sizeof(PyObject*)).
(cherry picked from commit a5f092f)

Co-authored-by: Victor Stinner <vstinner@python.org>

…7576)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d39)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

…GH-96874) (GH-96877) (GH-97836)

[3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 4118813)

Co-authored-by: Victor Stinner <vstinner@python.org>

(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <steve.dower@python.org>

Co-authored-by: Inada Naoki <songofacandy@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

This makes 3.7 doc builds similar to later releases,
simplifying build tooling.

…6504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

…GH-96498)

Previous to commit ee171a2 the logline was working because of self.info() (now
deprecated) defaults to an empty message.

Co-authored-by: Xtreak <tirkarthi@users.noreply.github.com>

* Add ABI and generated files checks to CI.

This includes checking in an initial Abigail ABI definition for 3.7.

* Backport ctypes test_macholib fix from b29d0a5.

This is required for the 3.7 tree to pass on modern macOS.

* annotate test_bad_password @requires_zlib.

I don't know why, but macOS in 3.7 CI is failing to build the zlib
module these days so it's exposing this test that didn't have the
proper `@requires_zlib` annotation.

Getting it to build with zlib and other things that are now wrongly
"missing" in the 3.7 CI setup would be nice, but probably involves
invasive backporting of parts of
b29d0a5
by a macOS domain expert.

Not worth it.

* disable MachOTest.test_find unless macOS 11+ support is backported.

This test also appears to require changes to
Lib/ctypes/macholib/dyld.py to work in the existing macOS CI config.
I'm just skipping it, backporting that would be a feature.
Not going to happen in 3.7.

There may be a way to configure macOS CI to use an older macOS and
toolchain instead as an alternate option.  Someone else can figure
that out if so.  This branch only lives for another 9 months per
https://peps.python.org/pep-0537/

* LOL at my typo

Co-authored-by: Ned Deily <nad@python.org>

GH-21806) (GH-92342)

On Git 2.28, "git diff master..." (3 dots) no longer works when
"fetch --depth=1" is used, whereas it works on Git 2.26.

Replace "..." (3 dots) with ".." (2 dots) in the "git diff" command
computing the list of modified files between the base branch and the
PR branch.
(cherry picked from commit eaa5517)

Co-authored-by: Victor Stinner <vstinner@python.org>

* Add ABI and generated files checks to CI.
* Fix the Windows CI config.

This matches what 3.8 did in 899eb41.

This fixes the test failure with Tk 6.8.10 which is caused by changes to how Tk rounds the `from`, `to` and `tickinterval` arguments. This PR uses `noconv` if the patchlevel is greater than or equal to 8.6.10 (credit to Serhiy for this idea as it is much simpler than what I previously proposed).

Going into more detail for those who want it, the Tk change was made in [commit 591f68c](tcltk/tk@591f68c) and means that the arguments listed above are rounded relative to the value of `from`. However, when rounding the `from` argument ([line 623](https://github.com/tcltk/tk/blob/591f68cb382525b72664c6fecaab87742b6cc87a/generic/tkScale.cGH-L623)), it is rounded relative to itself (i.e. rounding `0`) and therefore the assigned value for `from` is always what is given (no matter what values of `from` and `resolution`).

Automerge-Triggered-By: @pablogsal
(cherry picked from commit aecf036)

Co-authored-by: E-Paine <63801254+E-Paine@users.noreply.github.com>

…94347) (GH-95314)

Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c2)

Co-authored-by: Christian Heimes <christian@python.org>

…h-94833)

(cherry picked from commit 07374cc)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

…ic links (GH-94416) (GH-94496)

(cherry picked from commit 80aaeab)

Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>

…3879) (GH-94095)

Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…H-31885) (GH-94126)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
(cherry picked from commit d36954b)

Co-authored-by: Illia Volochii <illia.volochii@gmail.com>

…GH-93149)

Also while there, clarify a few things about why we reduce the hash to 32 bits.

Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c90)

…ters (GH-92334)

(cherry picked from commit c908dc5)

Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

…GH-92600)

…-91937)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>.
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
(cherry picked from commit f7641a2)

(cherry picked from commit 17dbb6b)

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

(cherry picked from commit 08cfe07)

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

There was a typo, we were checking if the "GITHUB_BASE_REF" string
literal was empty instead of the $GITHUB_BASE_REF value. When
$GITHUB_BASE_REF is empty, the action that triggered the run was not a
pull request, so we always run the full test suite.

Signed-off-by: Filipe Laíns <lains@riseup.net>
(cherry picked from commit 4ac923f)

GH-32241) (GH-32251)

(cherry picked from commit 6066739)

Co-authored-by: Zachary Ware <zach@python.org>

…other platforms (GH-32182)

…H-32111)