| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
| |
Fixes CVE-2019-15903. See full changelog at https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes.
|
|
|
|
|
|
| |
validation and encoding behavior (GH-16448) (#16475)
* [3.5] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16448)
|
|
|
|
|
|
| |
(cherry picked from commit 2db96ae7444880d66d4ef65abab8a5e6ff328711)
Co-authored-by: Julien Palard <julien@palard.fr>
(cherry picked from commit 23a98abd4256f931ed89b65ec6babd4f06dbff97)
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
headers (GH-14794) (#15446)
* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com>
|
|
|
|
|
|
|
|
| |
(GH-13814) (#14772)
(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)
Co-authored-by: Steve Dower <steve.dower@python.org>
(cherry picked from commit fd1771dbdd28709716bd531580c40ae5ed814468)
|
|
|
|
|
| |
(#12694)
Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
|
|
|
|
|
|
| |
https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
Co-authored-by: jpic <jpic@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
| |
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
|
|
|
|
| |
(GH-13017) (#13042)
|
|
|
|
|
|
|
|
|
| |
(GH-13505) (#13510)
CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
Co-Authored-By: SH <push0ebp@gmail.com>
|
|
|
|
| |
C89 for loops in backported pickle patch (#12622)
|
|
|
|
|
|
|
|
|
|
|
|
| |
* [3.5] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)
We updated the server, our testsuite must match.
https://bugs.python.org/issue36816
✈️ CLE -> DEN ✈️ GH-pycon2019
(cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
|
|
|
|
| |
* [3.5] Doc: Add an optional obsolete header. (GH-13638).
(cherry picked from commit 46ed90dd014010703c7a3b2a61c4927644fa8210)
Co-authored-by: Julien Palard <julien@palard.fr>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
(GH-10258) (#12281)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactor cookie path check as per RFC 6265
* Add tests for prefix match of path
* Add news entry
* Fix set_ok_path and refactor tests
* Use slice for last letter
(cherry picked from commit 0e1f1f01058bd4a9b98cfe443214adecc019a38c)
|
|
|
|
| |
(GH-12201) (#12223)
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#12144)
Starting with glibc 2.27.9000-xxx, sigaddset() can return EINVAL for some
reserved signal numbers between 1 and NSIG. The `range(1, NSIG)` idiom
is commonly used to select all signals for blocking with `pthread_sigmask`.
So we ignore the sigaddset() return value until we expose sigfillset()
to provide a better idiom.
(cherry picked from commit 25038ec)
Co-authored-by: Antoine Pitrou <pitrou@free.fr>
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210)
LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects
LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and
LibreSSL < 2.7.
Documentation updates and fixes for failing tests will be provided in
another patch set.
Signed-off-by: Christian Heimes <christian@python.org>
|
|
|
|
|
|
|
|
| |
The xml.sax and xml.dom.domreg modules now obey
sys.flags.ignore_environment.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 223e501fb9c2b6ae21b96054e20c4c31d94a5d96)
|
|
|
|
|
| |
(GH-9261) (#11869)
(cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
|
|
|
|
|
|
| |
On Travis CI, FTP tests of test_urllib2net randomly fail with "425
Security: Bad IP connecting".
(cherry picked from commit c11b3b19a5b022c6c229043d37f9a9fd06f22500)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
The C accelerated _elementtree module now initializes hash randomization
salt from _Py_HashSecret instead of libexpat's default CPRNG.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue34623
(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
Co-authored-by: Christian Heimes <christian@python.org>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
Clarify the documentation for the CALL_FUNCTION_* bytecodes. They changed in 3.5 in subtle ways and the documentation has never been correct, much less clear.
|
| |
|
| |
|
|
|
|
|
|
| |
* bpo-33001: Minimal fix to prevent buffer overrun in os.symlink
* Remove invalid test
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Prevent low-grade poplib REDOS (CVE-2018-1060)
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
|
| |
|
| |
|
| |
|
|\ |
|
| | |
|