| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
(GH-102953) (#104548)
Backport of c8c3956d905e019101038b018129a4c90c9c9b8f
|
|
|
| |
(cherry picked from commit 89d9ff0f48c51a85920c7372a7df4a2204e32ea5)
|
|
|
|
|
|
|
|
|
| |
(GH-102630) (GH-102667)
(cherry picked from commit 61479d46848bc7a7f9b571b0b09c4a4b4436d839)
Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
|
|
|
|
|
|
|
| |
Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>
|
|
|
|
|
| |
appropriate macOS SDK (GH-102307)
[3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.
|
|
|
|
|
| |
(#102095)
[3.8] gh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (gh-102079)
|
|
|
|
|
|
| |
Windows (GH-101286) (#101710)
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
|
|
|
| |
(cherry picked from commit 46521826cb1883e29e4640f94089dd92c57efc5b)
|
|
|
|
|
| |
(cherry picked from commit ea232716d3de1675478db3a302629ba43194c967)
Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
|
|
|
|
| |
(#101258)
|
|
|
|
|
| |
(cherry picked from commit c22a55c8b4f142ff679880ec954691d5920b7845)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
|
|
|
|
|
|
|
| |
(cherry picked from commit 1cf3d78c92eb07dc09d15cc2e773b0b1b9436825)
(cherry picked from commit 88fe8d701af3316c8869ea18ea1c7acec6f68c04)
Co-authored-by: Jeremy Paige <ucodery@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
|
| |
(cherry picked from commit 30a6cc418a60fccb91ba574b552203425e594c47)
Co-authored-by: Ned Deily <nad@python.org>
Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
| |
* [3.8] Update copyright years to 2023. (gh-100848).
(cherry picked from commit 11f99323c2ae0ec428c370a335695e3d8d4afc1d)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
* Update additional copyright years to 2023.
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-100002) (#100033)
* gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
(cherry picked from commit d8ab0a4dfa48f881b4ac9ab857d2e9de42f72828)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* also escape \s (backport of PR #100038).
* add versionadded and remove extraneous 'to'
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
|
|
|
| |
via the gc module (GH-99373) (GH-99661)
(cherry picked from commit 7b98207aa46bd637d07a7c4a84e998726b74acde)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-99231)
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
|
|
|
|
|
|
|
| |
Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
Co-authored-by: Shaun Walbridge <shaun.walbridge@gmail.com>
(cherry picked from commit 3e07f827b359617664ad0880f218f17ae4483299)
|
|
|
|
|
|
|
|
|
| |
(GH-91993) (#98192)
gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
(cherry picked from commit b9509ba7a9c668b984dab876c7926fe1dc5aa0ba)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
regression test. (GH-96717) (#98197)
gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)
A regression would still absolutely fail and even a flaky pass isn't
harmful as it'd fail most of the time across our N system test runs.
Windows has a low resolution timer and CI systems are prone to odd
timing so this just gives more leeway to avoid flakiness.
(cherry picked from commit 11e3548fd1d3445ccde971d613633b58d73c3016)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-96874) (GH-96877) (GH-97835)
[3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.
(cherry picked from commit e841ffc915e82e5ea6e3b473205417d63494808d)
Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 41188134bd2120f0cedd681ed88743c11c7f3742)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
|
|
|
|
|
|
| |
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 41351662bcd21672d8ccfa62fe44d72027e6bcf8)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
|
|
|
|
| |
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc9ef7595a07196bcecf9c7d6d39f57f64d)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
|
|
|
|
|
|
| |
gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(cherry picked from commit 10e3d398c31cc1695752fc52bc6ca2ce9ef6237e)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
gh-97616: list_resize() checks for integer overflow (GH-97617)
Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor.
list_resize() now checks for integer overflow before multiplying the
new allocated length by the list item size (sizeof(PyObject*)).
(cherry picked from commit a5f092f3c469b674b8d9ccbd4e4377230c9ac7cf)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-97633)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
|
|
|
|
|
| |
issues (GH-96728)
Co-authored-by: roy reznik <royreznik@gmail.com>
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Correctly pre-check for int-to-str conversion
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
|
|
|
|
|
| |
(cherry picked from commit 07374cce52abb7fd39729dc1b646ca3029b64c64)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
|
|
|
|
|
|
|
| |
(GH-95313)
Three test cases were failing on FreeBSD with latest OpenSSL.
(cherry picked from commit 1bc86c26253befa006c0f52eebb6ed633c7d1e5c)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
| |
Co-authored-by: Carter Dodd <carter.dodd@gmail.com>
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c8556bcf6c0b05ac46bd74880626a2853e7c99a1)
|
|
|
|
|
|
|
| |
links (GH-94416) (GH-94495)
(cherry picked from commit 80aaeabb8bd1e6b49598a7e23e0f8d99b3fcecaf)
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
|
|
|
|
|
|
|
|
|
| |
(GH-31885) (GH-94124)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
(cherry picked from commit d36954b7ead06daead3dcf9b0dd9f8002eab508f)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-94094)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
| |
(cherry picked from commit 56b5daf15970be449d44e91f08db84c698ac5506)
Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com>
|
|
|
|
|
| |
(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac)
Co-authored-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-93066) (#93148)
Also while there, clarify a few things about why we reduce the hash to 32 bits.
Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
|
|
|
|
|
|
|
|
|
| |
(#92333)
(cherry picked from commit c908dc5b4798c311981bd7e1f7d92fb623ee448b)
Co-authored-by: Sergey Fedoseev <fedoseev.sergey@gmail.com>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
|
|
|
|
|
|
|
| |
(GH-32241) (GH-32250)
(cherry picked from commit 6066739ff7794e54c98c08b953a699cbc961cd28)
Co-authored-by: Zachary Ware <zach@python.org>
|
|
|
|
|
|
|
|
| |
(GH-92605)
(cherry picked from commit 45e1721d100bab09510ccf9da49f14ca5cc268f4)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
|
|
|
|
|
|
|
| |
* Update Sphinx bpo role to use redirect URI. (GH-32342)
* [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342).
(cherry picked from commit 08cfe079503ffd19d8b7ab324f0fdb1c6b150ca8)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
|
|
|
|
|
|
| |
(cherry picked from commit 17dbb6bc10ca8a8b602335414c047294f00afcbe)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* gh-91888: Add a :gh: role to the documentation (GH-91889).
* [3.8] gh-91888: add a `:gh:` role to the documentation (GH-91889)
* Add a new :gh:`...` role for GitHub issues.
* Fix a GitHub id to use the :gh: role.
* Add Misc/NEWS entry.
* Refactoring and rephrasing.
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>.
(cherry picked from commit f7641a2ffec243e5f600028a84debe9028a9ee44)
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
* Fix use of the default role in NEWS entry
|