Commit message | Author | Date | Files | Lines
* [3.6] bpo-39234: `enum.auto()` default initial value as 1 (GH-17878) (branch: backport-24bcefc-3.6) | YoSTEALTH | 2020-01-06 | 1 | -1/+1
    Updated as Eric mentioned "By default, the initial value starts at 1"
    https://bugs.python.org/issue39234
    Automerge-Triggered-By: @ericvsmith
    (cherry picked from commit 24bcefcb74231476b055bb6f0726642abeb10f04)
    Co-authored-by: YoSTEALTH <35307184+YoSTEALTH@users.noreply.github.com>
* Update copyright year in macOS installer license copy (GH-17806) (GH-17810) | Ned Deily | 2020-01-02 | 1 | -25/+26
* [3.6] Bring Python into the next decade. (GH-17804) | Benjamin Peterson | 2020-01-02 | 8 | -13/+9
    (cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53)
    Co-authored-by: Benjamin Peterson <benjamin@python.org>
* Post release updates | Ned Deily | 2019-12-18 | 2 | -3/+3
* 3.6.10 (tag: v3.6.10) | Ned Deily | 2019-12-18 | 4 | -6/+12
* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS Catalina (GH-17636) (GH-17638) | Miss Islington (bot) | 2019-12-17 | 2 | -1/+2
    (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
    Co-authored-by: Ned Deily <nad@python.org>
* bpo-39035: travis: Update image to xenial (GH-17622) | Inada Naoki | 2019-12-16 | 1 | -3/+1
* [3.6] Add whatsnew for removal of asyncio.loop.create_datagram_endpoint()'s *reuse_address* parameter (GH-17595). (GH-17632) | Kyle Stanley | 2019-12-16 | 1 | -0/+10
    (cherry picked from commit f501db2b93a9d3d840b6fb38d6bdda8bcc400d4a)
    Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* Fix warnings in test_asyncio.test_base_events (GH-17577) (#17581) | Miss Islington (bot) | 2019-12-12 | 1 | -3/+4
    Co-authored-by: tirkarthi
    (cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
    Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* Post release updates | Ned Deily | 2019-12-11 | 2 | -3/+3
* 3.6.10rc1 (tag: v3.6.10rc1) | Ned Deily | 2019-12-11 | 13 | -30/+104
* [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571) | Kyle Stanley | 2019-12-11 | 4 | -29/+70
    (cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
    Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444) | Miss Islington (bot) | 2019-12-02 | 4 | -0/+21
    (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
    Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343) | Miss Islington (bot) | 2019-11-22 | 4 | -6/+27
    The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
    expression denial of service (REDoS).

    LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
    to parse Set-Cookie headers returned by a server.
    Processing a response from a malicious HTTP server can lead to extreme
    CPU usage and execution will be blocked for a long time.

    The regex contained multiple overlapping \s* capture groups.
    Ignoring the ?-optional capture groups the regex could be simplified to

        \d+-\w+-\d+(\s*\s*\s*)$

    Therefore, a long sequence of spaces can trigger bad performance.

    Matching a malicious string such as

        LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

    caused catastrophic backtracking.

    The fix removes ambiguity about which \s* should match a particular space.

    You can create a malicious server which responds with Set-Cookie headers
    to attack all python programs which access it e.g.

        from http.server import BaseHTTPRequestHandler, HTTPServer

        def make_set_cookie_value(n_spaces):
            spaces = " " * n_spaces
            expiry = f"1-c-1{spaces}!"
            return f"b;Expires={expiry}"

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                self.log_request(204)
                self.send_response_only(204)  # Don't bother sending Server and Date
                n_spaces = (
                    int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                    if len(self.path) > 1
                    else 65506  # Max header line length 65536
                )
                value = make_set_cookie_value(n_spaces)
                for i in range(99):  # Not necessary, but we can have up to 100 header lines
                    self.send_header("Set-Cookie", value)
                self.end_headers()

        if __name__ == "__main__":
            HTTPServer(("", 44020), Handler).serve_forever()

    This server returns 99 Set-Cookie headers. Each has 65506 spaces.
    Extracting the cookies will pretty much never complete.

    Vulnerable client using the example at the bottom of
    https://docs.python.org/3/library/http.cookiejar.html :

        import http.cookiejar, urllib.request
        cj = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        r = opener.open("http://localhost:44020/")

    The popular requests library was also vulnerable without any additional
    options (as it uses http.cookiejar by default):

        import requests
        requests.get("http://localhost:44020/")

    * Regression test for http.cookiejar REDoS

      If we regress, this test will take a very long time.

    * Improve performance of http.cookiejar.ISO_DATE_RE

      A string like "444444" + (" " * 2000) + "A" could cause poor performance
      due to the 2 overlapping \s* groups, although this is not as serious as
      the REDoS in LOOSE_HTTP_DATE_RE was.

    (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
    Co-authored-by: bcaller <bcaller@users.noreply.github.com>
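Defence in depth for the backtracking the commit above describes, as an added example that is not part of the commit or of CPython's fix. It shows what a client stuck on an interpreter that still carries the ambiguous LOOSE_HTTP_DATE_RE can do before an Expires value ever reaches the regex: refuse absurdly long values and collapse every run of whitespace to a single space, so each \s* group has exactly one way to match and there is nothing left to backtrack over. The MAX_COOKIE_DATE_LEN budget, the helper names and the three sample Expires strings are constructed for this example; http.cookiejar.http2time is the real stdlib date parser the cookie jar applies to Expires attributes.

```python
"""Defence in depth for the http.cookiejar REDoS (bpo-38804).

Added example, not CPython's fix: canonicalise the cookie-date string before
it reaches LOOSE_HTTP_DATE_RE. With no whitespace runs left, the overlapping
\\s* groups have one choice each and cannot thrash; the length cap bounds the
work for any other pathological input.
"""
import http.cookiejar
import re

# Assumed budget for this example. Any date a well-behaved server sends is
# far shorter (an RFC 7231 IMF-fixdate is 29 characters).
MAX_COOKIE_DATE_LEN = 64

_WS_RUN = re.compile(r"\s+")


def canonicalise_cookie_date(text):
    """Collapse whitespace runs and trim; None if the value exceeds the budget."""
    if len(text) > MAX_COOKIE_DATE_LEN:
        return None
    return _WS_RUN.sub(" ", text).strip()


def safe_http2time(text):
    """http.cookiejar.http2time, fed only a canonicalised, length-capped string.

    Returns epoch seconds as http2time would, or None for rejected or
    unparsable input.
    """
    canonical = canonicalise_cookie_date(text)
    if canonical is None:
        return None
    return http.cookiejar.http2time(canonical)


# Constructed inputs for the demonstration.
NORMAL_EXPIRES = "Wed, 09 Jun 2021 10:18:14 GMT"      # strict RFC form
SLOPPY_EXPIRES = "09    Jun   2021  10:18:14   GMT"   # legal but padded
ATTACK_EXPIRES = "1-c-1" + (" " * 65506) + "!"        # the commit's payload shape


def demo():
    """Parse all three samples through the guard and return the results by name."""
    return {
        "normal": safe_http2time(NORMAL_EXPIRES),
        "sloppy": safe_http2time(SLOPPY_EXPIRES),
        "attack": safe_http2time(ATTACK_EXPIRES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>6}: {value}")
```

On a patched interpreter the attack string is rejected by the regex itself and http2time returns None quickly; the guard only adds that the regex is never run on it at all. The sloppy date still parses to the same instant as the strict one, which is the property to check whenever you canonicalise input ahead of a parser.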
* Update URL in macOS installer copy of license (GH-16905) (GH-16908) | Miss Skeleton (bot) | 2019-10-23 | 1 | -1/+1
    (cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad)
    Co-authored-by: Ned Deily <nad@python.org>
* [3.6] Fix Zope URL (GH-16880) (GH-16904) | Miss Skeleton (bot) | 2019-10-23 | 1 | -1/+1
    (cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f)
    Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* Update doc switcher list for 3.8.0 (GH-16809) (GH-16812) | Miss Islington (bot) | 2019-10-15 | 1 | -1/+1
    (cherry picked from commit 3f36043db22361500f52634f2b8de49dde0e7da9)
    Co-authored-by: Ned Deily <nad@python.org>
* Doc: 3.8 is now stable. (GH-16790) (GH-16793) | Miss Islington (bot) | 2019-10-14 | 1 | -1/+1
    (cherry picked from commit 4504b4500d2a1a80c26b27b0bfff8b624d5ce06c)
    Co-authored-by: Julien Palard <julien@palard.fr>
* [3.6] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448) (GH-16462) | Jason R. Coombs | 2019-09-28 | 3 | -10/+51
    (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
    Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) | Victor Stinner | 2019-09-28 | 3 | -1/+21
    Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering
    the document page as HTML.
    (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
* [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-16410) | Benjamin Peterson | 2019-09-25 | 24 | -4842/+3973
    Fixes CVE-2019-15903. See full changelog at
    https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.
    (cherry picked from commit 52b940803860e37bcc3f6096b2d24e7c20a0e807)
* [3.6] bpo-37461: Fix typo (inifite -> infinite) (#15432) | GeeTransit | 2019-08-24 | 1 | -1/+1
* bpo-34155: Don't parse domains containing @ (GH-13079) (GH-14826) | Miss Islington (bot) | 2019-08-09 | 5 | -1/+37
    Before:

        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
        (Address(display_name='', username='a', domain='malicious.org'),)
        >>> parseaddr('a@malicious.org@important.com')
        ('', 'a@malicious.org')

    After:

        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
        (Address(display_name='', username='', domain=''),)
        >>> parseaddr('a@malicious.org@important.com')
        ('', 'a@')

    https://bugs.python.org/issue34155
    (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
    Co-authored-by: jpic <jpic@users.noreply.github.com>
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817) | Miss Islington (bot) | 2019-08-01 | 3 | -0/+12
    Some crafted email header would cause the get_parameter method to run in
    an infinite loop causing a DoS attack surface when parsing those headers.
    This patch fixes that by making sure the DQUOTE character is handled to
    prevent going into an infinite loop.
    (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
    Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
* Fix infinite loop in email folding logic (GH-12732) (GH-14799) | Miss Islington (bot) | 2019-07-21 | 4 | -6/+35
    As far as I can tell, this infinite loop would be triggered if:

    1. The value being folded contains a single word (no spaces) longer than
       max_line_length
    2. The max_line_length is shorter than the encoding's name + 9 characters.

    bpo-36564: https://bugs.python.org/issue36564
    (cherry picked from commit f69d5c61981ea97d251db515c7ff280fcc17182d)
    Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
* bpo-37149: Replace dead link for online Tkinter reference (GH-14616) | Ned Deily | 2019-07-08 | 1 | -2/+2
    Also fix a name misspelling.
    Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
* Fix 3.6 documentation build for sphinx<1.6 (GH-14576) | Anthony Sottile | 2019-07-03 | 1 | -1/+7
* Post release updates | Ned Deily | 2019-07-02 | 2 | -3/+3
* 3.6.9 (tag: v3.6.9) | Ned Deily | 2019-07-02 | 4 | -6/+20
* bpo-34602: Avoid failures setting macOS stack resource limit (GH-14546) (GH-14549) | Miss Islington (bot) | 2019-07-02 | 4 | -16/+16
    Under some conditions the earlier fix for bpo-18075, "Infinite recursion
    tests triggering a segfault on Mac OS X", now causes failures on macOS
    when attempting to change stack limit with resource.setrlimit
    resource.RLIMIT_STACK, like regrtest does when running the test suite.
    The reverted change had specified a non-default stack size when linking
    the python executable on macOS. As of macOS 10.14.4, the previous code
    causes a hard failure when running tests, although similar failures had
    been seen under some conditions under some earlier systems.

    Reverting the change to the interpreter stack size at link time helped
    for release builds but caused some tests to fail when built
    --with-pydebug. Try the opposite approach: continue to build the
    interpreter with an increased stack size on macOS and remove the failing
    setrlimit call in regrtest initialization. This will definitely avoid
    the resource.RLIMIT_STACK error and should have no, or fewer, side
    effects.
    (cherry picked from commit 5bbbc733e6cc0804f19b071944af8d4719e26ae6)
    Co-authored-by: Ned Deily <nad@python.org>
* Put pyexpatns.h include back. bpo-37437 (GH-14542) | Miss Islington (bot) | 2019-07-01 | 1 | -0/+4
    (cherry picked from commit 2cd07920bb7d2d319999394092190f37935dc421)
    Co-authored-by: Benjamin Peterson <benjamin@python.org>
* bpo-37437: Pass -Wno-unreachable-code when compiling expat. (GH-14470) (GH-14472) | Miss Islington (bot) | 2019-06-29 | 1 | -2/+2
    (cherry picked from commit 95da310078a9364bae9ab3f2ad9c71e34306a70c)
    Co-authored-by: Benjamin Peterson <benjamin@python.org>
* closes bpo-37437: Update vendorized expat to 2.2.7. (GH-14436) | Miss Islington (bot) | 2019-06-27 | 7 | -32/+22
    (cherry picked from commit 3b03b09fc94425915c5b1225e9200a3a95bc827b)
    Co-authored-by: Benjamin Peterson <benjamin@python.org>
* Post release updates | Ned Deily | 2019-06-18 | 2 | -3/+3
* 3.6.9rc1 (tag: v3.6.9rc1) | Ned Deily | 2019-06-18 | 20 | -52/+185
* bpo-33529, email: Fix infinite loop in email header encoding (GH-12020) (GH-14162) | Victor Stinner | 2019-06-17 | 4 | -14/+27
    (cherry picked from commit c1f5667be1e3ec5871560c677402c1252c6018a6)
* Doc: Remove an ugly space before a dot. (GH-14123) (GH-14130) | Miss Islington (bot) | 2019-06-16 | 1 | -1/+1
    (cherry picked from commit 552951563cd5968d25e95306362e41f07d661a88)
    Co-authored-by: Julien Palard <julien@palard.fr>
* [3.6] Doc: Add an optional obsolete header. (GH-13638). (GH-13657) | Julien Palard | 2019-06-15 | 2 | -0/+20
    (cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210)
    Co-authored-by: Julien Palard <julien@palard.fr>
* [3.6] Doc fix: duplicate object description of email.message (GH-13742) (GH-14041) | Ned Deily | 2019-06-13 | 1 | -0/+1
* Stop using deprecated logging API in Sphinx suspicious checker (GH-9875) (GH-13923) | Miss Islington (bot) | 2019-06-08 | 1 | -4/+6
    (cherry picked from commit ee171a26c1169abfae534b08acc0d95c6e45a22a)
    Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* Doc: Python 3.9 in sidebar and version switcher. (GH-13824) (GH-13827) | Miss Islington (bot) | 2019-06-04 | 2 | -2/+4
    (cherry picked from commit 59e7bbcaa4d0d556591f774c5ea4869c41fa95b0)
    Co-authored-by: Julien Palard <julien@palard.fr>
* bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) (GH-13814) | Miss Islington (bot) | 2019-06-04 | 2 | -8/+9
    (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
    Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13513) | Victor Stinner | 2019-05-28 | 3 | -1/+22
    CVE-2019-9948: Avoid file reading by disallowing local-file:// and
    local_file:// URL schemes in URLopener().open() and URLopener().retrieve()
    of urllib.request.
    Co-Authored-By: SH <push0ebp@gmail.com>
    (cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587)
    (cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b)
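The design hazard behind the commit above, as an added example that is not urllib's code and not the patch: an opener that derives a handler name from the URL scheme at runtime and then blocks a short list of scheme names it considers dangerous. A second spelling that reaches the same handler (here "-" is normalised to "_", so local-file and local_file both land on open_local_file) walks straight past the denylist, which is the shape of bug the commit closes by naming the extra schemes. The hardened variant keeps an explicit allowlist of scheme to handler and never builds attribute names from input. ToyOpener, HardenedOpener, their handlers and split_scheme are all constructed for this demonstration; the "anything up to the first colon is the scheme" split is what makes underscore schemes reachable in the first place, which urllib.parse.urlsplit would not accept.

```python
"""Denylist versus allowlist scheme dispatch (illustration for bpo-35907 / CVE-2019-9948).

Added example, not urllib.request's code. ToyOpener reproduces the hazard
class; HardenedOpener shows the dispatch you actually want.
"""
import re

# A permissive split: everything before the first ':' is the scheme, so
# names containing '_' are accepted. urllib.parse.urlsplit would not do this.
_TYPE_RE = re.compile(r"([^/:]+):(.*)", re.DOTALL)


def split_scheme(url):
    """Return (scheme_lowercased, rest) or (None, url) when there is no scheme."""
    m = _TYPE_RE.match(url)
    if m is None:
        return None, url
    return m.group(1).lower(), m.group(2)


def local_path(rest):
    """'///etc/passwd' -> '/etc/passwd' (drop the empty authority)."""
    return rest[2:] if rest.startswith("//") else rest


class ToyOpener:
    """Denylist design: block known-bad scheme names, dispatch the rest by name."""

    BLOCKED = {"file"}  # the only spelling the author thought of

    def open(self, url):
        scheme, rest = split_scheme(url)
        if scheme is None:
            raise OSError("no scheme in URL")
        if scheme in self.BLOCKED:
            raise PermissionError(f"scheme {scheme!r} not allowed")
        # Handler name derived from input: 'local-file' and 'local_file'
        # both become 'open_local_file', which the denylist never mentions.
        handler = getattr(self, "open_" + scheme.replace("-", "_"), None)
        if handler is None:
            raise OSError(f"unknown url type: {scheme!r}")
        return handler(rest)

    def open_http(self, rest):
        return f"would fetch http:{rest} over HTTP"

    def open_file(self, rest):
        return self.open_local_file(rest)

    def open_local_file(self, rest):
        return f"would read local file {local_path(rest)}"


class HardenedOpener(ToyOpener):
    """Allowlist design: only schemes explicitly mapped to a handler are reachable."""

    HANDLERS = {"http": "open_http"}

    def open(self, url):
        scheme, rest = split_scheme(url)
        name = self.HANDLERS.get(scheme)
        if name is None:
            raise PermissionError(f"scheme {scheme!r} not allowed")
        return getattr(self, name)(rest)


def probe(opener, url):
    """Handler result, or the exception class name if the opener refused."""
    try:
        return opener.open(url)
    except OSError as exc:  # PermissionError is a subclass of OSError
        return type(exc).__name__


if __name__ == "__main__":
    for url in ("http://example.com/", "file:///etc/passwd",
                "local_file:///etc/passwd", "local-file:///etc/passwd"):
        print(f"{url:26} denylist: {probe(ToyOpener(), url)}")
        print(f"{'':26} allowlist: {probe(HardenedOpener(), url)}")
```

The point to carry away is that a denylist over a name that is transformed before lookup is always one alias short; an allowlist keyed on the raw scheme needs no knowledge of how many spellings the lookup tolerates.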
* [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13252) | Gregory P. Smith | 2019-05-28 | 3 | -8/+66
    * [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124)

      Modern Linux distros such as Debian Buster have default OpenSSL system
      configurations that reject connections to servers with weak certificates
      by default. This causes our test suite run with external networking
      resources enabled to skip these tests when they encounter such a failure.

      Fixing the network servers is a separate issue.
      (cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90)
      Co-authored-by: Gregory P. Smith <greg@krypto.org>

    * Also skip ssl tests that fail when the system rejects TLSv1.

    * Remove the test_httplib change; server was updated.

      self-signed.pythontest.net was updated so the test_httplib change is no
      longer necessary.
* bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612) | Victor Stinner | 2019-05-28 | 2 | -0/+16
    Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918:
    complete the previous partial backport (commit
    2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826).
    Co-Authored-By: Christian Heimes <christian@python.org>
* [3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) (GH-13198) | Gregory P. Smith | 2019-05-08 | 2 | -14/+33
    We updated the server, our testsuite must match.
    https://bugs.python.org/issue36816
    ✈️ CLE -> DEN ✈️ #pycon2019
    (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
    Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-30458: Disallow control chars in http URLs. (GH-12755) (GH-13155) | Miro Hrončok | 2019-05-08 | 4 | -1/+75
    Disallow control chars in http URLs in urllib.urlopen. This addresses a
    potential security problem for applications that do not sanity check
    their URLs where http request headers could be injected.

    Disable https related urllib tests on a build without ssl (GH-13032)

    These tests require an SSL enabled build. Skip these tests when python is
    built without SSL to fix test failures.

    Use http.client.InvalidURL instead of ValueError as the new error case's
    exception. (GH-13044)

    Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
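The header injection the commit above guards against, as an added example that is not part of the patch. It serialises a request line the way any naive client does, shows how CR/LF inside an attacker-controlled path terminates the request line early and splices in a header of the attacker's choosing, and applies a check of the kind the commit describes: refuse any request target containing an ASCII control character before it is written out. The last function shows the patched stdlib raising http.client.InvalidURL for the same path; putrequest only buffers the request line, so nothing touches the network. The forbidden set (C0 controls, space and DEL), the helper names, EVIL_PATH and the host names are assumptions made for this example.

```python
"""Request-line header injection via control characters (illustration for bpo-30458).

Added example, not CPython's patch. naive_request shows the bug class,
checked_request the guard, stdlib_rejects the patched http.client behaviour.
"""
import http.client

# Assumed set for this example: C0 controls, space and DEL. A space is
# included because it ends the request target in the request line.
_FORBIDDEN = {chr(c) for c in range(0x00, 0x21)} | {"\x7f"}


def naive_request(method, path, host):
    """Serialise a request line plus Host header with no validation at all."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def path_is_clean(path):
    """True if the request target carries no control character, space or DEL."""
    return not any(ch in _FORBIDDEN for ch in path)


def checked_request(method, path, host):
    """Same serialisation, but refuses a path that could smuggle a header."""
    if not path_is_clean(path):
        raise ValueError("control character in request target")
    return naive_request(method, path, host)


def stdlib_rejects(path):
    """True if this interpreter's http.client refuses the path (patched behaviour).

    putrequest() validates the target and buffers the request line; no socket
    is opened, so this runs offline.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


def injected_header_present(raw):
    """Split the serialised request into header lines and look for the smuggled one."""
    headers = raw.split("\r\n")[1:]
    return any(h.lower().startswith("x-injected:") for h in headers)


# Constructed attacker input: closes the request line, adds a header, and
# leaves a dummy header to absorb the " HTTP/1.1" the client appends.
EVIL_PATH = "/search?q=1 HTTP/1.1\r\nX-Injected: yes\r\nDummy: "


if __name__ == "__main__":
    raw = naive_request("GET", EVIL_PATH, "victim.example")
    print(raw.encode())
    print("injected header present:", injected_header_present(raw))
    print("path_is_clean:", path_is_clean(EVIL_PATH))
    print("stdlib rejects:", stdlib_rejects(EVIL_PATH))
```

The check belongs at the point where untrusted data becomes part of a wire message, not upstream where the string is still "just a URL"; that is why the stdlib fix sits in http.client rather than in every caller.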
* bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) (GH-13024) | Miss Islington (bot) | 2019-05-02 | 3 | -4/+14
    (cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3)
    Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) (GH-12910) | Miss Islington (bot) | 2019-05-02 | 1 | -1/+1
    (cherry picked from commit 56ed86490cb8221c874d432461d77702437f63e5)
    Co-authored-by: Zackery Spytz <zspytz@gmail.com>
* bpo-34602: Avoid failures setting macOS stack resource limit (GH-13011) (GH-13014) | Miss Islington (bot) | 2019-04-29 | 3 | -12/+3
    Under some conditions the earlier fix for bpo-18075, "Infinite recursion
    tests triggering a segfault on Mac OS X", now causes failures on macOS
    when attempting to change stack limit with resource.setrlimit
    resource.RLIMIT_STACK, like regrtest does when running the test suite.
    The reverted change had specified a non-default stack size when linking
    the python executable on macOS. As of macOS 10.14.4, the previous code
    causes a hard failure when running tests, although similar failures had
    been seen under some conditions under some earlier systems. For now,
    revert the original change and resume using the default stack size when
    linking the interpreter.
    (cherry picked from commit 883dfc668f9730b00928730035b5dbd24b9da2a0)
    Co-authored-by: Ned Deily <nad@python.org>