[3.15] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149792)
gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648)
ftpcp() called parse227() directly and passed the source server's
self-reported PASV IPv4 address to the target server's PORT command,
bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv().
A malicious source FTP server could use this to redirect the target
server's data connection to an arbitrary host:port (SSRF).
ftpcp() now uses the source server's actual peer address, honoring the
existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().
[3.15] Link to existing rules in compound_stmts.rst (GH-149811) (GH-149836)
Link to existing rules in compound_stmts.rst (GH-149811)
In gh-138418, `!` was added to links to rules that don't exist in
the docs, in order to silence broken link warnings.
However, productionlist doesn't parse the `!`, which ends up in
the rendered documentation. (It's possible that gh-127835 broke
the `!` support.)
Replace the names with ones that appear in docs:
- `star_named_expression` in the grammar corresponds to
`flexible_expression` in the docs
- `star_named_expressions` in the grammar corresponds to
`flexible_expression_list` in the docs
- `named_expression` in the grammar corresponds to
`assignment_expression` in the docs
Having two sets of names isn't great of course. Consolidating them
is tracked in (subissues of) gh-127833.
(cherry picked from commit c37529293d1e05081cb4e8668162c76583b88007)
* Add re-entrant tests for gh-149504
* Add end-to-end integration test coverage
This ensures that future whitebox internal test changes do not regress the
public surface semantics.
* Implement a state class to process .pth and .start files
By using this state class and managing implicit and explicit batching, we make it structurally
impossible to get bitten by re-entrant site startup processing.
RFC 2047 Section 6.2 requires that "any 'linear-white-space' that
separates a pair of adjacent 'encoded-word's is ignored." The modern
header value parser correctly implements that for unstructured headers,
but had missed a case in structured headers. This could cause a parsed
address header to include extraneous spaces in a display-name.
Switch to @bitdancer's fix from review feedback. Recharacterize space
between ews as fws after parsing in get_phrase.
RDM: This fix is dependent on the fact that "subsequent" atoms will never have
leading whitespace because that's been consumed already. I don't think
it's worth adding extra code for the possibility of leading whitespace
because the parser won't produce it. It's a bit of parser fragility in the
face of code changes, but I think that's a minor concern given the
parser design (which is that it consumes whitespace greedily)
(cherry picked from commit 7a4c6dfb8839eb05fb87baf70364680e45001dd4)
Co-authored-by: Mike Edmunds <medmunds@gmail.com> Co-authored-by: R David Murray <rdmurray@bitdance.com>
[3.15] gh-148821: Add more strict tests for XML encodings (GH-149765) (GH-149770)
Exclude encodings like 'utf-8-sig', 'iso2022-jp' and 'hz' from the list of
supported encodings.
(cherry picked from commit fa2afa64d9467fb7362672ed603d29d8e246d240)
[3.15] gh-149496: Fix MacOSTest.test_default regression when BROWSER env var is set (GH-149579) (#149745)
gh-149496: Fix MacOSTest.test_default regression when BROWSER env var is set (GH-149579)
gh-149496: Fix MacOSTest.test_default failing when BROWSER env var is set
MacOSTest.test_default calls webbrowser.get() and asserts it returns a
MacOS instance. When BROWSER is set in the environment (e.g. BROWSER=open,
a common macOS workaround for the old osascript-based implementation),
register_standard_browsers() registers a GenericBrowser as the preferred
browser instead, causing the assertion to fail.
This is a regression introduced in gh-137586, which added MacOSTest and
moved test_default into it from MacOSXOSAScriptTest. MacOSXOSAScriptTest
had an identical setUp() guard added in gh-131254 specifically to fix this
same failure. The guard was not carried over to MacOSTest.
Add setUp() to MacOSTest to unset BROWSER for the duration of each test,
restoring the isolation that was already established as the correct pattern
for macOS webbrowser tests.
(cherry picked from commit 45c47d26c230086163ac1ef0aa9f955f794fb69c)
Co-authored-by: Jeff Lyon <146767590+secengjeff@users.noreply.github.com>
[3.15] gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864) (#149730)
gh-139808: Add branch protections for aarch64 in asm_trampoline.S (GH-130864)
Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S.
The BTI flag must be applied in assembler sources for this class
of attacks to be mitigated on newer aarch64 processors.
See also:
https://sourceware.org/annobin/annobin.html/Test-branch-protection.html
and
https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enabling-pac-and-bti-on-aarch64
(cherry picked from commit da8477b25c6124c961306d4d7cd5ec7dafda6be4)
Co-authored-by: stratakis <cstratak@redhat.com> Co-authored-by: Victor Stinner <vstinner@python.org>
Sam Gross [Mon, 11 May 2026 18:23:39 +0000 (18:23 +0000)]
[3.15] gh-145235: Make dict watcher API thread-safe for free-threaded builds (gh-145233) (#149690)
In free-threaded builds, concurrent calls to PyDict_AddWatcher, PyDict_ClearWatcher, PyDict_Watch, and PyDict_Unwatch can race on the shared callback array and the per-dict watcher tags. This change adds a mutex to serialize watcher registration and removal, atomic operations for tag updates, and atomic acquire/release synchronization for callback dispatch in _PyDict_SendEvent.
[3.15] gh-149486: tarfile.data_filter: validate written link target (GH-149487) (GH-149553)
gh-149486: tarfile.data_filter: validate written link target (GH-149487)
The data filter rewrote linknames with normpath() but ran the
containment check against the un-normalised value, and computed a
symlink's directory before stripping trailing slashes. Both let a
crafted archive create links pointing outside the destination. Also
reject link members that resolve to the destination directory itself,
which could otherwise replace it with a symlink and redirect all
subsequent members.
[3.15] gh-149430: Fix edge-cases in `profiling.sampling` outputs (GH-149431) (#149602)
gh-149430: Fix edge-cases in `profiling.sampling` outputs (GH-149431)
The line highlights on the heatmap are driven by the URL hash and the
`:target` selector. When clicking a caller/callee link for the line that
was already selected, the hash doesn't change, so the browser keeps the
existing target state and doesn't restart the animation. Due to this the
highlight only works the first time.
With this fix, line navigation goes through JavaScript. If the target
URL already points to the current location, the highlight is replayed by
clearing the animation, forcing style recalculation, and restoring it.
The `baseline_self` variable isn't initialized for structural elided
roots. This variable is accessed later unconditionally and leads to a
crash.
The child process ends up being invoked with `--diff_flamegraph` instead
of the correct argument.
(cherry picked from commit 9587726a3ebbcdb780e3f15c9e016e3a28c646e3)
Co-authored-by: László Kiss Kollár <kiss.kollar.laszlo@gmail.com>
[3.15] gh-149474: use `Py_fopen` in `Binary{Reader,Writer}` for audit hook and path-like support (GH-149524) (#149586)
gh-149474: use `Py_fopen` in `Binary{Reader,Writer}` for audit hook and path-like support (GH-149524)
(cherry picked from commit 354ef336e4cd48cf0c02bc9a0c642adf5d543184)
[3.15] gh-146445: Update CODEOWNERS for Android and iOS migration to Platforms directory (GH-149543) (#149545)
gh-146445: Update CODEOWNERS for Android and iOS migration to Platforms directory (GH-149543)
(cherry picked from commit 5b58fbc07c8173df98ce6d378ded1bc605997c3f)
Victor Stinner [Thu, 7 May 2026 09:47:08 +0000 (11:47 +0200)]
gh-149202: Don't use -fno-omit-frame-pointer on ppc64le (#149485)
The power ABI specification requires that compilers maintain a back
chain by default, so unwinding already works without a dedicated
frame pointer. Don't use -fno-omit-frame-pointer on ppc64le.
For Python macOS framework builds, update all Info.plist files to be more
compliant with current Apple guidelines. Original patch contributed by
Martinus Verburg.
gh-142295: Update CFBundleShortVersionString in Mac framework Info.plist (#143064)
Updated macOS framework Info.plist to use x.y.z format for CFBundleShortVersionString to comply with Apple guidelines. Patch contributed by Martinus Verburg.
Zachary Ware [Wed, 6 May 2026 16:04:42 +0000 (11:04 -0500)]
gh-124111: Only set TCLSH_NATIVE for AMD64/ARM64 (GH-149443)
The Tcl 9 makefile.vc now uses TCLSH_NATIVE during the build process,
not just the installation. We had been setting it to the installed
location of the x86 tclsh.exe, which does not yet exist when the x86
build process needs it. That build doesn't actually need TCLSH_NATIVE,
though (there's a check specifically allowing TCLSH to be used if
MACHINE is IX86 and TCLSH_NATIVE is undefined), so don't set it.
Zachary Ware [Wed, 6 May 2026 15:44:47 +0000 (10:44 -0500)]
Rewrite RTD configuration to use build.jobs rather than build.commands (GH-149429)
As part of this conversion, we now ensure that we're comparing against the
merge-base of the PR branch and the base branch when checking whether an RTD
build is worthwhile, deepening the history of the base branch by up to 500
commits if necessary. If the merge-base can't be found or there are merge
conflicts with the head of the base branch, the build is skipped since it would
give a warped perception of the actual changes anyway.
This unfortunately does nothing about RTD preview comments comparing against
the wrong base, other than skipping builds that shouldn't produce any diff at
all thus avoiding the comment.
gh-149202: Fix frame pointer unwinding on s390x and ARM (GH-149362)
-fno-omit-frame-pointer is not enough to make every target walkable by the
simple manual frame pointer unwinder.
The helper used by test_frame_pointer_unwind used to assume the frame pointer
named a two-word record where fp[0] was the previous frame pointer and fp[1]
was the return address. That is only the generic layout used by some targets.
This patch keeps that default, but moves the slots behind named offsets so
architecture-specific layouts can describe where the backchain and return
address really live.
On s390x, GCC and Clang do not emit a usable backchain unless -mbackchain is
enabled. Without it, the unwinder stops at the current C frame and the test
reports no Python frames. Once backchains are present, the helper must also
stop at the current thread's known C stack bounds; otherwise it can follow the
final backchain far enough to dereference an invalid frame and segfault.
For Linux s390x backchain frames, the documented z/Architecture stack-frame
layout saves r14, the return-address register, at byte offset 112 from the
frame pointer, so read the return address from that named slot instead of fp[1].
The 112-byte offset comes from Linux's s390 debugging documentation: its Stack
Frame Layout table shows z/Architecture backchain frames with the backchain at
offset 0 and saved r14 of the caller function at offset 112:
https://www.kernel.org/doc/html/v5.3/s390/debugging390.html#stack-frame-layout
This helper remains scoped to Linux s390x backchain frames. GNU SFrame's s390x
notes state that the s390x ELF ABI does not generally mandate where RA and FP
are saved, or whether they are saved at all:
https://sourceware.org/binutils/docs/sframe-spec.html#s390x
As Jens Remus noted, -fno-omit-frame-pointer is not needed when -mbackchain is
present.
On 32-bit ARM, GCC defaults to Thumb mode on common armhf toolchains. The Thumb
prologue keeps the saved frame pointer and link register at offsets that depend
on the generated frame, which breaks the fp[0]/fp[1] walk used by the helper.
Use -marm when it is supported for frame-pointer builds, and teach the helper
the GCC ARM-mode slots where the previous frame pointer is at fp[-1] and the
saved LR return address is at fp[0].
Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org>
Jeff Lyon [Wed, 6 May 2026 13:56:17 +0000 (06:56 -0700)]
gh-137586: Replace 'osascript' with 'open' on macOS in webbrowser (#146439)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
projects / thirdparty / Python / cpython.git / log
