Victor Stinner [Tue, 21 May 2019 13:12:33 +0000 (15:12 +0200)]
bpo-30458: Disallow control chars in http URLs (GH-12755) (GH-13154) (GH-13315)
Disallow control chars in http URLs in urllib2.urlopen. This
addresses a potential security problem for applications that do not
sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when
python is built without SSL to fix test failures.
Use httplib.InvalidURL instead of ValueError as the new error case's
exception. (GH-13044)
* test_urllib tests urllib.urlopen() which quotes the URL and so is
not vulerable to HTTP Header Injection.
* Add tests to test_urllib2 on urllib2.urlopen().
* Reject non-ASCII characters: range 0x80-0xff.
closes bpo-36755: Suppress noisy error output in test HTTPS server by default. (GH-13370)
TLS 1.3 has a more efficient handshake protocol. The client can reject the server's credentials and close the connection before the server has even finished writing out all of its initial data. Depending on whether the server finishes writing the rest of its handshake before the it sees the connection is reset, the server will read an empty line or see a ECONNRESET OSError. Nothing is really wrong here with the server or client, so just suppress the error output in the OSError case to fix the test.
This fix isn't required in Python 3 because clients that reject the server's certificate will shut down the TLS layer before closing the TCP connection.
Gregory P. Smith [Mon, 13 May 2019 20:16:34 +0000 (13:16 -0700)]
[2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13253)
Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default. This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a
failure.
Fixing the network servers is a separate issue.
(cherry picked from commit 2cc0223)
Changes to test_ssl.py required as 2.7 has legacy protocol tests.
The test_httplib.py change is omitted from this backport as
self-signed.pythontest.net's certificate was updated and the
test_nntplib.py change is not applicable on 2.7.
Toshio Kuratomi [Sun, 12 May 2019 20:47:19 +0000 (16:47 -0400)]
[2.7] closes bpo-14353: Fix detection of bind_textdomain_codeset in libintl. (GH-13265)
In Python-2.7, we were only searching for bind_textdomain_codeset in
libc. We should have also checked for it in libintl. This change from
Mel Flynn https://bugs.python.org/file24918/python27-configure.in.patch
fixes that.
The 2.7 tree also needed a certificate in the capath directory updated.
The filename for that was determined by `openssl x509 -in $cert.pem -subject_hash`.
Victor Stinner [Tue, 9 Apr 2019 16:01:17 +0000 (18:01 +0200)]
bpo-36560: Fix reference leak hunting in regrtest (GH-12744) (GH-12745)
Fix reference leak hunting in regrtest: compute also deltas (of
reference count and file descriptor count) during warmup, to ensure
that everything is initialized before starting to hunt reference
leaks.
Other changes:
* Replace gc.collect() with support.gc_collect() in clear_caches()
* dash_R() is now more quiet with --quiet option (don't display
progress).
* Precompute the full range for "for it in range(repcount):" to
ensure that the iteration doesn't allocate anything new.
* dash_R() now is responsible to call warm_caches().
bpo-36459: Fix a possible double PyMem_FREE() due to tokenizer.c's tok_nextc() (12601)
Remove the PyMem_FREE() call added in cb90c89. The buffer will be
freed when PyTokenizer_Free() is called on the tokenizer state.
(cherry picked from commit cda139d1ded6708665b53e4ed32ccc1d2627e1da)
Victor Stinner [Fri, 15 Mar 2019 15:03:44 +0000 (16:03 +0100)]
bpo-36235: Fix CFLAGS in distutils customize_compiler() (GH-12236) (GH-12349)
Fix CFLAGS in customize_compiler() of distutils.sysconfig: when the
CFLAGS environment variable is defined, don't override CFLAGS variable with
the OPT variable anymore.
Fix an unlikely memory leak on conversion from string to float in the
function _Py_dg_strtod() used by float(str), complex(str),
pickle.load(), marshal.load(), etc.
Fix an unlikely memory leak in _Py_dg_strtod() on "undfl:" label:
rewrite memory management in this function to always release all
memory before exiting the function. Initialize variables to NULL, and
set them to NULL after calling Bfree() at the "cont:" label.
Note: Bfree(NULL) is well defined: it does nothing.
stratakis [Thu, 14 Mar 2019 15:35:40 +0000 (16:35 +0100)]
[2.7] bpo-36289: Fix a possible reference leak in the io module (GH-12329)
Fix a reference leak in _bufferedreader_read_all():
_io.BufferedIOMixin.read() leaks a reference on 'data'
when it reads the whole file content but flush() fails.
Dima Pasechnik [Tue, 26 Feb 2019 10:41:15 +0000 (10:41 +0000)]
[2.7] bpo-36106: resolve sinpi name clash with libm (IEEE-754 violation). (GH-12027) (GH-12050)
The standard math library (libm) may follow IEEE-754 recommendation to
include an implementation of sinPi(), i.e. sinPi(x):=sin(pi*x).
And this triggers a name clash, found by FreeBSD developer
Steve Kargl, who worked on putting sinpi into libm used on FreeBSD
(it has to be named "sinpi", not "sinPi", cf. e.g.
https://en.cppreference.com/w/c/experimental/fpext4).
Tzu-ping Chung [Tue, 19 Feb 2019 03:06:10 +0000 (11:06 +0800)]
[2.7] bpo-1104: msilib.SummaryInfo.GetProperty() truncates the string by one character (GH-4517) (GH-11749)
Add one char to MsiSummaryInfoGetProperty() output
Based on the patch in [bpo-1104](https://bugs.python.org/issue1104) by Anthony Tuininga (atuining) and Mark McMahon (markm)
(cherry picked from commit 2de576e16d42ce43698d384d0dd46ba6cf165424)
stratakis [Fri, 15 Feb 2019 17:27:44 +0000 (18:27 +0100)]
[2.7] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761) (GH-11876)
Backport of TLS 1.3 related fixes from 3.7.
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git
master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options
stratakis [Fri, 15 Feb 2019 14:24:11 +0000 (15:24 +0100)]
[2.7] bpo-28043: improved default settings for SSLContext (GH-10608)
The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE,
OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except
for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3)
are set by default. The initial cipher suite list contains only
HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.
Also update multissltests to test with latest OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71) Co-authored-by: Christian Heimes <christian@python.org>
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
projects / thirdparty / Python / cpython.git / log
