summaryrefslogtreecommitdiff
path: root/Lib
Commit message (Collapse)AuthorAgeFilesLines
* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS ↵Miss Islington (bot)2019-12-171-1/+1
| | | | | | | Catalina (GH-17636) (GH-17638) (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e) Co-authored-by: Ned Deily <nad@python.org>
* Fix warnings in test_asyncio.test_base_events (GH-17577) (#17581)Miss Islington (bot)2019-12-121-3/+4
| | | | | | Co-authored-by: tirkarthi (cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294) Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* 3.6.10rc1v3.6.10rc1Ned Deily2019-12-111-1/+1
|
* [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR ↵Kyle Stanley2019-12-112-24/+42
| | | | | | | | (GH-17311). (GH-17571) (cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf) Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* bpo-38945: UU Encoding: Don't let newline in filename corrupt the output ↵Miss Islington (bot)2019-12-023-0/+20
| | | | | | | format (GH-17418) (GH-17444) (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a) Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)Miss Islington (bot)2019-11-222-6/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) GH- Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 GH- Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): GH- Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e) Co-authored-by: bcaller <bcaller@users.noreply.github.com>
* [3.6] bpo-38216, bpo-36274: Allow subclasses to separately override ↵Jason R. Coombs2019-09-282-10/+47
| | | | | | | validation and encoding behavior (GH-16448) (GH-16462) (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)Victor Stinner2019-09-282-1/+18
| | | | | | Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
* bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826)Miss Islington (bot)2019-08-094-1/+36
| | | | | | | | | | | | | | | | | | | | | | Before: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='a', domain='malicious.org'),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@malicious.org') After: >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses (Address(display_name='', username='', domain=''),) >>> parseaddr('a@malicious.org@important.com') ('', 'a@') https://bugs.python.org/issue34155 (cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) Co-authored-by: jpic <jpic@users.noreply.github.com>
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers ↵Miss Islington (bot)2019-08-012-0/+10
| | | | | | | | | | | (GH-14794) (GH-14817) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
* Fix infinite loop in email folding logic (GH-12732) (GH-14799)Miss Islington (bot)2019-07-213-6/+32
| | | | | | | | | | | | | As far as I can tell, this infinite loop would be triggered if: 1. The value being folded contains a single word (no spaces) longer than max_line_length 2. The max_line_length is shorter than the encoding's name + 9 characters. bpo-36564: https://bugs.python.org/issue36564 (cherry picked from commit f69d5c61981ea97d251db515c7ff280fcc17182d) Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
* bpo-34602: Avoid failures setting macOS stack resource limit (GH-14546) ↵Miss Islington (bot)2019-07-021-16/+0
| | | | | | | | | | | | | | | | | | | | | | (GH-14549) Under some conditions the earlier fix for bpo-18075, "Infinite recursion tests triggering a segfault on Mac OS X", now causes failures on macOS when attempting to change stack limit with resource.setrlimit resource.RLIMIT_STACK, like regrtest does when running the test suite. The reverted change had specified a non-default stack size when linking the python executable on macOS. As of macOS 10.14.4, the previous code causes a hard failure when running tests, although similar failures had been seen under some conditions under some earlier systems. Reverting the change to the interpreter stack size at link time helped for release builds but caused some tests to fail when built --with-pydebug. Try the opposite approach: continue to build the interpreter with an increased stack size on macOS and remove the failing setrlimit call in regrtest initialization. This will definitely avoid the resource.RLIMIT_STACK error and should have no, or fewer, side effects. (cherry picked from commit 5bbbc733e6cc0804f19b071944af8d4719e26ae6) Co-authored-by: Ned Deily <nad@python.org>
* 3.6.9rc1v3.6.9rc1Ned Deily2019-06-181-14/+14
|
* bpo-33529, email: Fix infinite loop in email header encoding (GH-12020) ↵Victor Stinner2019-06-173-14/+25
| | | | | (GH-14162) (cherry picked from commit c1f5667be1e3ec5871560c677402c1252c6018a6)
* bpo-36742: Corrects fix to handle decomposition in usernames (GH-13812) ↵Miss Islington (bot)2019-06-042-8/+9
| | | | | | | (GH-13814) (cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e) Co-authored-by: Steve Dower <steve.dower@python.org>
* bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13513)Victor Stinner2019-05-282-1/+19
| | | | | | | | | CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request. Co-Authored-By: SH <push0ebp@gmail.com> (cherry picked from commit 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587) (cherry picked from commit 34bab215596671d0dec2066ae7d7450cd73f638b)
* [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs or old ↵Gregory P. Smith2019-05-282-8/+65
| | | | | | | | | | | | | | | | | | | | | | | TLS (GH-13124) (GH-13252) * [3.6] bpo-35925: Skip SSL tests that fail due to weak external certs. (GH-13124) Modern Linux distros such as Debian Buster have default OpenSSL system configurations that reject connections to servers with weak certificates by default. This causes our test suite run with external networking resources enabled to skip these tests when they encounter such a failure. Fixing the network servers is a separate issue.. (cherry picked from commit 2cc0223f43a1ffd59c887a73e2b0ce5202f3be90) Co-authored-by: Gregory P. Smith <greg@krypto.org> * Also skip ssl tests that fail when the system rejects TLSv1. * Remove the test_httplib change; server was updated. self-signed.pythontest.net was updated so the test_httplib change is no longer necessary.
* bpo-32947: test_ssl fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-11612)Victor Stinner2019-05-281-0/+15
| | | | | | | Backport partially commit 529525fb5a8fd9b96ab4021311a598c77588b918: complete the previous partial backport (commit 2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826. Co-Authored-By: Christian Heimes <christian@python.org>
* [3.6] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192) ↵Gregory P. Smith2019-05-081-14/+32
| | | | | | | | | | | | (GH-13198) We updated the server, our testsuite must match. https://bugs.python.org/issue36816 ✈️ CLE -> DEN ✈️ GH-pycon2019 (cherry picked from commit 6bd81734de0b73f1431880d6a75fb71bcbc65fa1) Co-authored-by: Gregory P. Smith <greg@krypto.org>
* bpo-30458: Disallow control chars in http URLs. (GH-12755) (GH-13155)Miro Hrončok2019-05-083-1/+74
| | | | | | | | | | Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected. Disable https related urllib tests on a build without ssl (GH-13032) These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures. Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044) Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
* bpo-36742: Fixes handling of pre-normalization characters in urlsplit() ↵Miss Islington (bot)2019-05-022-4/+13
| | | | | | | (GH-13017) (GH-13024) (cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3) Co-authored-by: Steve Dower <steve.dower@python.org>
* [3.6] bpo-36216: Add check for characters in netloc that normalize to ↵Steve Dower2019-03-122-0/+40
| | | | separators (GH-12201) (GH-12215)
* bpo-35647: Fix path check in cookiejar (GH-11436) (GH-12268)Miss Islington (bot)2019-03-122-5/+33
| | | Co-authored-by: Xtreak <tir.karthi@gmail.com>
* bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) ↵Miss Islington (bot)2019-03-092-2/+41
| | | | | | | | (GH-12260) Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan. (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14) Co-authored-by: Xtreak <tir.karthi@gmail.com>
* bpo-27313: Avoid test_ttk_guionly ComboboxTest fail with macOS Cocoa Tk ↵Miss Islington (bot)2019-02-241-1/+6
| | | | | | | (GH-12011) (GH-12013) (cherry picked from commit aeca373b339e0ea9739536ce6b43bd90f3b89873) Co-authored-by: Ned Deily <nad@python.org>
* Make sure file object is close if socket.create_connection fails (GH-11334) ↵Miss Islington (bot)2019-01-171-5/+4
| | | | | | | | (GH-11351) The problem affects _testWithTimeoutTriggeredSend in test_socket.py. (cherry picked from commit 1f511e1af060e98fb789319a96076c06e7f98135) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-35601: Alleviate race condition when waiting for SIGALRM in test_asyncio ↵Miss Islington (bot)2019-01-171-1/+3
| | | | | | | | | (GH-11337) (GH-11348) There is a race condition regarding signal delivery in test_signal_handling_args for test_asyncio.test_events.KqueueEventLoopTests. The signal can be received at any moment outside the time window provided in the test. The fix is to wait for the signal to be received instead with a bigger timeout. (cherry picked from commit 5471420faa84519530f29b08f2b042b2288e3e96) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)Miss Islington (bot)2019-01-152-0/+44
| | | | | | | | | | | | Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <christian@python.org>
* Revert "bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff ↵Senthil Kumaran2019-01-102-47/+3
| | | | | (GH-10639) (GH-11477)" (GH-11509) This reverts commit 5d9ae8b9df8371dd65514e0d60b561fd37056986 which was merged to 3.6 in error.
* bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff ↵Miss Islington (bot)2019-01-092-3/+47
| | | | | | | (GH-10639) (#11477) (cherry picked from commit cbb16459934eaf29c7c7d362939cd05550b2f21f) Co-authored-by: Sanyam Khurana <8039608+CuriousLearner@users.noreply.github.com>
* 3.6.8finalv3.6.8Ned Deily2018-12-231-1/+1
|
* [3.6] bpo-35257: Avoid leaking LTO linker flags into distutils (GH-10900) ↵Victor Stinner2018-12-203-2/+4
| | | | | | | | | | | (GH-11265) When compiling 3rd party C extensions, the linker flags used by the compiler for the interpreter and the stdlib modules, will get leaked into distutils. In order to avoid that, the PY_CORE_LDFLAGS and PY_LDFLAGS_NODIST are introduced to keep those flags separated. (cherry picked from commit cf10a750f4b50b6775719cfb17bee00bc3a9c60b)
* [3.6] bpo-31715 Add mimetype for extension .mjs (GH-3908) (GH-10976)Myles Borins2018-12-201-0/+1
| | | (cherry picked from commit 0854b92cd2)
* 3.6.8rc1v3.6.8rc1Ned Deily2018-12-111-103/+93
|
* bpo-35412: Skip test_multiprocessing_fork and ↵Miss Islington (bot)2018-12-112-0/+7
| | | | | | | | test_multiprocessing_forkserver on Windows (GH-11086) Forkserver and fork are not available on Windows and therefore these test must be skipped. (cherry picked from commit a932d0b496767b5aac14191cbc17093e502b6cb4) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* bpo-35426: Eliminate race condition in test_interprocess_signal (GH-11087)Miss Islington (bot)2018-12-111-22/+18
| | | | | | The test only except SIGUSR1Exception inside wait_signal(), but the signal can be sent during subprocess_send_signal() call. (cherry picked from commit 2ab2afd387084ba38a37f5944fcb0675113b64dc) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
* [3.6] bpo-33747: Avoid mutating the global sys.modules dict in unittest.mock ↵Miss Islington (bot)2018-12-111-11/+16
| | | | | | | | | | | tests (GH-8520) (GH-11032) (cherry picked from commit 3cf74384b53b998fa846dc2590cedf9ad2a0d5fd) Co-authored-by: Anirudha Bose <ani07nov@gmail.com> https://bugs.python.org/issue33747
* bpo-35050: AF_ALG length check off-by-one error (GH-10058) (GH-11070)Victor Stinner2018-12-101-0/+18
| | | | | | | | | The length check for AF_ALG salg_name and salg_type had a off-by-one error. The code assumed that both values are not necessarily NULL terminated. However the Kernel code for alg_bind() ensures that the last byte of both strings are NULL terminated. Signed-off-by: Christian Heimes <christian@python.org> (cherry picked from commit 2eb6ad8578fa9d764c21a92acd8e054e3202ad19)
* bpo-35052: Fix handler on xml.dom.minidom.cloneNode() (GH-11061) (GH-11067)Victor Stinner2018-12-102-4/+55
| | | | | | | | | | | | Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity (fix an old copy/paste mistake). Bug spotted and fix proposed by Charalampos Stratakis, initial reproducer written by Petr Viktorin. Co-Authored-By: Charalampos Stratakis <cstratak@redhat.com> Co-Authored-By: Petr Viktorin <encukou@gmail.com> (cherry picked from commit 8e0418688906206fe59bd26344320c0fc026849e)
* bpo-33725: skip test_multiprocessing_fork on macOS (GH-11043)Miss Islington (bot)2018-12-081-0/+3
| | | | | (cherry picked from commit ac218bc5dbfabbd61c76ce8a17de088611e21981) Co-authored-by: Ned Deily <nad@python.org>
* bpo-35330: Don't call the wrapped object if `side_effect` is set (GH11034)Miss Islington (bot)2018-12-082-11/+132
| | | | | | | | | | | | | | | | | | | | | | | | | * tests: Further validate `wraps` functionality in `unittest.mock.Mock` Add more tests to validate how `wraps` interacts with other features of mocks. * Don't call the wrapped object if `side_effect` is set When a object is wrapped using `Mock(wraps=...)`, if an user sets a `side_effect` in one of their methods, return the value of `side_effect` and don't call the original object. * Refactor what to be called on `mock_call` When a `Mock` is called, it should return looking up in the following order: `side_effect`, `return_value`, `wraps`. If any of the first two return `mock.DEFAULT`, lookup in the next option. It makes no sense to check for `wraps` returning default, as it is supposed to be the original implementation and there is nothing to fallback to. (cherry picked from commit f05df0a4b679d0acfd0b1fe6187ba2d553b37afa) Co-authored-by: Mario Corchero <mariocj89@gmail.com>
* bpo-22005: Fixed unpickling instances of datetime classes pickled by Python ↵Miss Islington (bot)2018-12-072-4/+150
| | | | | | | | 2. (GH-11017) (GH-11022) (GH-11024) encoding='latin1' should be used for successful decoding. (cherry picked from commit 8452ca15f41061c8a6297d7956df22ab476d4df4) (cherry picked from commit 0d5730e6437b157f4aeaf5d2e67abca23448c29a)
* bpo-34864: warn if "Prefer tabs when opening documents" set to "Always" ↵Miss Islington (bot)2018-12-064-9/+67
| | | | | | | | | | | | | | | | (GH-10464) * bpo-34864: warn if "Prefer tabs when opening documents" set to "Always" * add NEWS entry * address code review comments * address second code review comments * Add entry for idlelib/NEWS.txt. (cherry picked from commit 9ebe8794f003dadfff578a066ea503a3e37ffe1d) Co-authored-by: Tal Einat <taleinat+github@gmail.com>
* bpo-33023: Fix NotImplemented to NotImplementedError. (GH-10934). (GH-11001)Serhiy Storchaka2018-12-063-5/+11
| | | | (cherry picked from commit 42b1d6127bd8595522a78a75166ebb9fba74a6a2)
* bpo-35363: test_eintr uses print(flush=True) (GH-10990)Miss Islington (bot)2018-12-061-2/+3
| | | | | (cherry picked from commit 0644b33821b70efbf0ac1ec1fb8729b05796564a) Co-authored-by: Victor Stinner <vstinner@redhat.com>
* bpo-35424: test_multiprocessing: join 3 pools (GH-10986)Miss Islington (bot)2018-12-061-0/+3
| | | | | | | | | Join 3 pools in these tests: * test.test_multiprocessing_spawn.WithProcessesTestPool.test_context * test.test_multiprocessing_spawn.WithProcessesTestPool.test_traceback (cherry picked from commit 388c8c208d9d09bd28289c1e4776b947d4d0f0f0) Co-authored-by: Victor Stinner <vstinner@redhat.com>
* bpo-35384: The repr of ctypes.CArgObject no longer fails for non-ascii ↵Miss Islington (bot)2018-12-061-0/+1
| | | | | | | character. (GH-10863) (cherry picked from commit 3ffa8b9ba190101f674a0e524e482a83ed09cccd) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* [3.6] bpo-34162: Update idlelib NEWS to 2018-12-05 (GH-10964) (GH-10979)Terry Jan Reedy2018-12-061-2/+40
| | | Cherry-picked from 6ea9d54.
* bpo-33709: test_ntpath and test_posixpath fail in Windows with ACP!=1252. ↵Miss Islington (bot)2018-12-051-1/+5
| | | | | | | (GH-7278) (cherry picked from commit 8752dfbd1f0c96ca09cdacabaf0d0f8c3895b6ce) Co-authored-by: native-api <ivan_pozdeev@mail.ru>
* [3.6] Revert "bpo-34172: multiprocessing.Pool leaks resources after being ↵Victor Stinner2018-12-062-57/+24
| | | | | deleted (GH-8450) (GH-9677)" (GH-10969) This reverts commit 07b96a95db78eff3557d1bfed1df9ebecc40815b.
View Lorry Controller Status