| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Updated as Eric mentioned "By default, the initial value starts at 1"
https://bugs.python.org/issue39234
Automerge-Triggered-By: @ericvsmith.
(cherry picked from commit 24bcefcb74231476b055bb6f0726642abeb10f04)
Co-authored-by: YoSTEALTH <35307184+YoSTEALTH@users.noreply.github.com>
|
| |
|
|
|
|
|
| |
(cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
| |
|
| |
|
|
|
|
|
|
|
| |
Catalina (GH-17636) (GH-17638)
(cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
| |
*reuse_address* parameter (GH-17595). (GH-17632)
(cherry picked from commit f501db2b93a9d3d840b6fb38d6bdda8bcc400d4a)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
|
|
|
|
|
| |
Co-authored-by: tirkarthi
(cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
(GH-17311). (GH-17571)
(cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
|
|
|
|
|
|
| |
format (GH-17418) (GH-17444)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|
|
|
|
|
| |
(cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad)
Co-authored-by: Ned Deily <nad@python.org>
|
|
|
|
|
| |
(cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
|
|
|
|
| |
(cherry picked from commit 3f36043db22361500f52634f2b8de49dde0e7da9)
Co-authored-by: Ned Deily <nad@python.org>
|
|
|
|
|
| |
(cherry picked from commit 4504b4500d2a1a80c26b27b0bfff8b624d5ce06c)
Co-authored-by: Julien Palard <julien@palard.fr>
|
|
|
|
|
|
|
| |
validation and encoding behavior (GH-16448) (GH-16462)
(cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
|
|
|
|
|
|
| |
Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.
(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
|
|
|
|
| |
Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes..
(cherry picked from commit 52b940803860e37bcc3f6096b2d24e7c20a0e807)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
>>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
(Address(display_name='', username='a', domain='malicious.org'),)
>>> parseaddr('a@malicious.org@important.com')
('', 'a@malicious.org')
After:
>>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
(Address(display_name='', username='', domain=''),)
>>> parseaddr('a@malicious.org@important.com')
('', 'a@')
https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
Co-authored-by: jpic <jpic@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-14794) (GH-14817)
Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As far as I can tell, this infinite loop would be triggered if:
1. The value being folded contains a single word (no spaces) longer than
max_line_length
2. The max_line_length is shorter than the encoding's name + 9
characters.
bpo-36564: https://bugs.python.org/issue36564
(cherry picked from commit f69d5c61981ea97d251db515c7ff280fcc17182d)
Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
|
|
|
|
|
|
| |
Also fix a name misspelling.
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-14549)
Under some conditions the earlier fix for bpo-18075, "Infinite recursion
tests triggering a segfault on Mac OS X", now causes failures on macOS
when attempting to change stack limit with resource.setrlimit
resource.RLIMIT_STACK, like regrtest does when running the test suite.
The reverted change had specified a non-default stack size when linking
the python executable on macOS. As of macOS 10.14.4, the previous
code causes a hard failure when running tests, although similar
failures had been seen under some conditions under some earlier
systems. Reverting the change to the interpreter stack size at link
time helped for release builds but caused some tests to fail when
built --with-pydebug. Try the opposite approach: continue to build
the interpreter with an increased stack size on macOS and remove
the failing setrlimit call in regrtest initialization. This will
definitely avoid the resource.RLIMIT_STACK error and should have
no, or fewer, side effects.
(cherry picked from commit 5bbbc733e6cc0804f19b071944af8d4719e26ae6)
Co-authored-by: Ned Deily <nad@python.org>
|
|
|
|
|
| |
(cherry picked from commit 2cd07920bb7d2d319999394092190f37935dc421)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
|
|
|
|
|
|
| |
(GH-14472)
(cherry picked from commit 95da310078a9364bae9ab3f2ad9c71e34306a70c)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
|
|
|
|
| |
(cherry picked from commit 3b03b09fc94425915c5b1225e9200a3a95bc827b)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
| |
|
| |
|
|
|
|
|
| |
(GH-14162)
(cherry picked from commit c1f5667be1e3ec5871560c677402c1252c6018a6)
|
|
|
|
|
| |
(cherry picked from commit 552951563cd5968d25e95306362e41f07d661a88)
Co-authored-by: Julien Palard <julien@palard.fr>
|
|
|
|
|
| |
(cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210)
Co-authored-by: Julien Palard <julien@palard.fr>
|
|
|
|
| |
(GH-14041)
|
|
|
|
|
|
|
| |
(GH-13923)
(cherry picked from commit ee171a26c1169abfae534b08acc0d95c6e45a22a)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
|
|
|
|
| |
(cherry picked from commit 59e7bbcaa4d0d556591f774c5ea4869c41fa95b0)
Co-authored-by: Julien Palard <julien@palard.fr>
|
|
|
|
|
|
|
| |
(GH-13814)
(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
|
|
|
|
|
|
|
| |
CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
(cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
(cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLS (GH-13124) (GH-13252)
* [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124)
Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default. This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a failure.
Fixing the network servers is a separate issue..
(cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* Also skip ssl tests that fail when the system rejects TLSv1.
* Remove the test_httplib change; server was updated.
self-signed.pythontest.net was updated so the test_httplib change is
no longer necessary.
|
|
|
|
|
|
|
| |
Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918:
complete the previous partial backport (commit
2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826.
Co-Authored-By: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-13198)
We updated the server, our testsuite must match.
https://bugs.python.org/issue36816
✈️ CLE -> DEN ✈️ GH-pycon2019
(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
|
|
|
|
|
| |
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
|
|
|
|
|
|
|
| |
(GH-13017) (GH-13024)
(cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
|
|
|
|
|
| |
(GH-12910)
(cherry picked from commit 56ed86490cb8221c874d432461d77702437f63e5)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-13014)
Under some conditions the earlier fix for bpo-18075, "Infinite recursion
tests triggering a segfault on Mac OS X", now causes failures on macOS
when attempting to change stack limit with resource.setrlimit
resource.RLIMIT_STACK, like regrtest does when running the test suite.
The reverted change had specified a non-default stack size when linking
the python executable on macOS. As of macOS 10.14.4, the previous
code causes a hard failure when running tests, although similar
failures had been seen under some conditions under some earlier
systems. For now, revert the original change and resume using
the default stack size when linking the interpreter.
(cherry picked from commit 883dfc668f9730b00928730035b5dbd24b9da2a0)
Co-authored-by: Ned Deily <nad@python.org>
|