bpo-43562: fix test_ssl to skip on unreachable network (GH-24937) (GH-25047)
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
(cherry picked from commit 29c451c6989c3c94fa0a9facf187c24f3cbf2420)
Co-authored-by: Carl Meyer <carl@oddbird.net> Co-authored-by: Carl Meyer <carl@oddbird.net>
curses.update_lines_cols() is only defined when the curses library
provides either resizeterm() or resize_term() functions which are optional
and are not provided on AIX.
(cherry picked from commit c8b5738810516df5722caf049003e9b319427bec)
Co-authored-by: Michael Felt <aixtools@users.noreply.github.com>
bpo-42988: Remove the pydoc getfile feature (GH-25015)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
It doesn't actually affect whether match_hostname() is called (it
never is in this context any longer), but whether hostname
verification occurs in the first place.
(cherry picked from commit 9798cef92b882cd82a338d3368eaf3c4a32f5c2d)
Co-authored-by: Ville Skyttä <ville.skytta@iki.fi>
bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback (GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Gregory P. Smith [Mon, 15 Mar 2021 19:04:49 +0000 (12:04 -0700)]
[3.8] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881)
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True..
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Fix a race condition of test_stress_modifying_handlers() of
test_signal: only raise signals while we are in the
catch_unraisable_exception() context manager.
Moreover, don't check if we received at least one
signal if at least one signal got ignored.
(cherry picked from commit 1fa17e8cc62775a2e34b158135ce8589f9394f03)
Co-authored-by: Victor Stinner <vstinner@python.org>
Antoine Pitrou [Sat, 6 Mar 2021 15:08:01 +0000 (16:08 +0100)]
[3.8] bpo-43406: Fix possible race condition where ``PyErr_CheckSignals`` tries to execute a non-Python signal handler (GH-24756) (GH-24762)
We can receive signals (at the C level, in `trip_signal()` in signalmodule.c) while `signal.signal` is being called to modify the corresponding handler. Later when `PyErr_CheckSignals()` is called to handle the given signal, the handler may be a non-callable object and would raise a cryptic asynchronous exception..
(cherry picked from commit 68245b7a1030287294c65c298975ab9026543fd2)
Co-authored-by: Antoine Pitrou <antoine@python.org>
bpo-43407: Clarify comparisons of time.monotonic() et al results (GH-24757)
Previous wording implied that only the result of call N and N+1 could be
meaningfully compared, whereas comparing call N and N+M is fine.
(cherry picked from commit ff5f05934db241dfafc604989b2de3487b09ca82)
Co-authored-by: Alex Willmer <alex@moreati.org.uk>
bpo-43316: gzip: CLI uses non-zero return code on error. (GH-24647)
Exit code is now 1 instead of 0. A message is printed to stderr instead of stdout. This is
the proper behaviour for a tool that can be used in scripts.
(cherry picked from commit cc3df6368d4f3f6c9c9b716876c7e7b79c7abf3f)
bpo-43293: Doc: move note about GIL to top of threading module (GH-24622)
The note about the GIL was buried pretty deep in the threading documentation,
and this made it hard for first time users to discover why their attempts
at using threading to parallelizing their application did not work.
bpo-43283: Add IDLE doc paragraph about print speed (GH-24615) (GH-24632)
Printing to IDLE's Shell is often slower than printing to a system
terminal, but it can be made faster by pre-formatting a single
string before printing.
(cherry picked from commit 2827e8a177c2a6584fada594bca6829c53a2872f) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Unittest discovery support namespace package as start
directory. But it doesn't find namespace package in
the start directory automatically.
Otherwise, unittest discovery search into unexpected
directories like `vendor/` or `node_modules/`.
(cherry picked from commit 5a4aa4c03e27ca5007b86c9c1ee62c77ad08a120)
bpo-43283: Rearrange some IDLE doc paragraphs. (GH-24604)
In the Running User Code section, gather together paragraphs about two
processes and the sys.stdstream replacements, preparing to add another.
(cherry picked from commit 4cf7bb8e22bf37e6d65bf4cb5618d09c4a8ad612)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
This lease on this domain has lapsed. This not only makes these dead links, but a potential attack vector for readers of python.org as the domain can be obtained by an untrustworthy party.
I considered redirecting these links to http://mingw-w64.org/ which is a maintained fork of mingw, but beyond my unfamiliarity with the exact level of compatibility, at the time of this PR that site had an expired cert and so is not much of a vulnerability fix.
Senthil Kumaran [Mon, 15 Feb 2021 18:15:02 +0000 (10:15 -0800)]
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297) (#24529)
* bpo-42967: only use '&' as a query string separator (#24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.
Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo <merwok@netwok.org>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo <merwok@netwok.org>.
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* Update correct version information.
* fix docs and make logic clearer
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
bpo-42773: fix tests not being run on pushes (GH-24004)
There was a typo, we were checking if the "GITHUB_BASE_REF" string
literal was empty instead of the $GITHUB_BASE_REF value. When
$GITHUB_BASE_REF is empty, the action that triggered the run was not a
pull request, so we always run the full test suite.
bpo-23544: Disable IDLE Stack Viewer when running user code (GH-17163) (#24366)
Starting stack viewer when user code is running, including when Debugger is active, hangs or crashes IDLE.
Co-authored-by: Zackery Spytz <zspytz@gmail.com> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
(cherry picked from commit 23a567c11ca36eedde0e119443c85cc16075deaf)
bpo-43013: Fix old tkinter module names in idlelib (GH-24326)
Lowercase 'tkColorChooser', 'tkFileDialog', 'tkSimpleDialog', and
'tkMessageBox' and remove 'tk'. Just lowercase 'tkFont' as 'font'
is already used. Adjust import.
(cherry picked from commit 879986d8a932c4524cb6ff822afc9537de16e28d)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
bpo-43013: Update idlelib code to 3.x (GH-24315) (#24317)
Remove 9 remaining '(object)' occurrences in class headers in idlelib
and 25 '()' occurrences in idlelib.idle_test class headers.
(cherry picked from commit 8dfe15625e6ea4357a13fec7989a0e6ba2bf1359) Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu> Co-authored-by: Tal Einat <532281+taleinat@users.noreply.github.com>
(cherry picked from commit 644d52818a6391535e5838fd57d58ffcb1163056)
Co-authored-by: Борис Верховский <boris.verk@gmail.com>
projects / thirdparty / Python / cpython.git / log
