[3.10] gh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (GH-105174) (GH-105200) (#105204)
Upgrade builds to OpenSSL 1.1.1u.
This OpenSSL version addresses a pile if less-urgent CVEs since 1.1.1t.
The Mac/BuildScript/build-installer.py was already updated.
Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.
Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some peoples builds and were important (avoiding regressions during backporting).
[3.10] [3.11] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (#104592)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
[3.10] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104119)
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
Ned Deily [Tue, 4 Apr 2023 18:42:10 +0000 (14:42 -0400)]
[3.10] gh-103207: Add instructions to the macOS installer welcome display on how to workaround the macOS 13 Ventura “The installer encountered an error” failure. (GH-103253)
Co-authored-by: Bernhard Wagner <github.comNotification20120125@xmlizer.net> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu> Co-authored-by: Éric <merwok@netwok.org>
Steve Dower [Wed, 29 Mar 2023 14:33:39 +0000 (15:33 +0100)]
gh-103097: Add workaround for Windows ARM64 compiler bug (GH-103098)
See https://developercommunity.visualstudio.com/t/Regression-in-MSVC-1433-1434-ARM64-co/10224361 for details of the issue. It only applies to version 14.34.
[3.10] GH-87235: Make sure "python /dev/fd/9 9</path/to/script.py" works on macOS (GH-99768) (#99817)
On macOS all file descriptors for a particular file in /dev/fd
share the same file offset, that is ``open("/dev/fd/9", "r")`` behaves
more like ``dup(9)`` than a regular open.
This causes problems when a user tries to run "/dev/fd/9" as a script
because zipimport changes the file offset to try to read a zipfile
directory. Therefore change zipimport to reset the file offset after
trying to read the zipfile directory.
(cherry picked from commit d08fb257698e3475d6f69bb808211d39e344e5b2)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* Regen zipimport
[3.10] GH-102711: Fix warnings found by clang (GH-102712) (#103076)
There are some warnings if build python via clang:
Parser/pegen.c:812:31: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
_PyPegen_clear_memo_statistics()
^
void
Parser/pegen.c:820:29: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
_PyPegen_get_memo_statistics()
^
void
[3.10] GH-95494: Fix transport EOF handling in OpenSSL 3.0 (GH-95495) (#103007)
GH-25309 enabled SSL_OP_IGNORE_UNEXPECTED_EOF by default, with a comment
that it restores OpenSSL 1.1.1 behavior, but this wasn't quite right.
That option causes OpenSSL to treat transport EOF as the same as
close_notify (i.e. SSL_ERROR_ZERO_RETURN), whereas Python actually has
distinct SSLEOFError and SSLZeroReturnError exceptions. (The latter is
usually mapped to a zero return from read.) In OpenSSL 1.1.1, the ssl
module would raise them for transport EOF and close_notify,
respectively. In OpenSSL 3.0, both act like close_notify.
Fix this by, instead, just detecting SSL_R_UNEXPECTED_EOF_WHILE_READING
and mapping that to the other exception type.
There doesn't seem to have been any unit test of this error, so fill in
the missing one. This had to be done with the BIO path because it's
actually slightly tricky to simulate a transport EOF with Python's fd
based APIs. (If you instruct the server to close the socket, it gets
confused, probably because the server's SSL object is still referencing
the now dead fd?)
(cherry picked from commit 420bbb783b43216cc897dc8914851899db37a31d)
Co-authored-by: David Benjamin <davidben@google.com>
gh-98608: Fix Failure-handling in new_interpreter() (gh-102658)
The error-handling code in new_interpreter() has been broken for a while. We hadn't noticed because those code mostly doesn't fail. (I noticed while working on gh-101660.) The problem is that we try to clear/delete the newly-created thread/interpreter using itself, which just failed. The solution is to switch back to the calling thread state first.
Nikita Sobolev [Fri, 17 Mar 2023 20:11:58 +0000 (23:11 +0300)]
[3.10] gh-102721: Improve coverage of `_collections_abc._CallableGenericAlias` (GH-102790)
This is a manual backport of https://github.com/python/cpython/pull/102722 but without `typing.py` changes and without `TypeVarTuple` case, because it was added in 3.11
[3.10] Remove misformatted exclamation marks in docs (GH-102694) (#102717)
Remove the exclamation mark from :program:`!foo` in .rst files because
it inadvertently shows up in the rendered HTML.
(Sphinx's cross-referencing roles use a '!' prefix to suppress
hyperlinking[1], but :program: is not a cross-referencing role so the
'!' is displayed verbatim.)
The exclamation marks in venv.rst were introduced in #98350. See
comments [2] and [3] for additional discussion.
Co-authored-by: Andre Hora <andrehora@users.noreply.github.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
gh-102703: Fix typo in modules tutorial documentation (GH-102707)
**Before**
This prevents directories with a common name, such as ``string``, unintentionally hiding ...
**After**
This prevents directories with a common name, such as ``string``, from unintentionally hiding ...
(cherry picked from commit 0a539b5db312d126ff45dd4aa6a53d40a292c512)
Co-authored-by: Robert Prater (B. Eng) <robcprater@gmail.com>
GH-102537: Handle check for PYTHONTZPATH failing in zoneinfo test (GH-102538)
It is possible but unlikely for the `python_tzpath_context` function to fail between the start of the `try` block and the point where `os.environ.get` succeeds, in which case `old_env` will be undefined. In this case, we want to take no action.
Practically speaking this will really only happen in an error condition anyway, so it doesn't really matter, but we should probably do it right anyway.
(cherry picked from commit 64bde502cf89963bc7382b03ea9e1c0967d22e35)
Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com>
As part of investigation issue https://github.com/python/cpython/issues/102433, I discovered what I believe to be an error where two classes `CI` and `DI` are not being used. The assertions beneath them act on `C` and `D`, duplicating existing assertions in this test.
(cherry picked from commit 7894bbe94ba319eb650f383cb5196424c77b2cfd)
gh-102356: Add thrashcan macros to filter object dealloc (GH-102426)
Add thrashcan macros to the deallocator of the filter objects to protect against deeply nested destruction of chains of nested filters.
(cherry picked from commit 66aa78cbe604a7c5731f074b869f92174a8e3b64)
Co-authored-by: Marta Gómez Macías <mgmacias@google.com>
Alex Waygood [Thu, 2 Mar 2023 16:45:01 +0000 (16:45 +0000)]
[3.10] Fix typos in documentation and comments (GH-102374) (#102377)
Fix typos in documentation and comments (GH-102374)
Found some duplicate `to`s in the documentation and some code comments and fixed them.
[Misc/NEWS.d/3.12.0a1.rst](https://github.com/python/cpython/blob/ed55c69ebd74178115cd8b080f7f8e7588cd5fda/Misc/NEWS.d/3.12.0a1.rst) also contains two duplicate `to`s, but I wasn't sure if it's ok to touch that file. Looks auto generated. I'm happy to amend the PR if requested. :)
Automerge-Triggered-By: GH:AlexWaygood Co-authored-by: Michael K <michael-k@users.noreply.github.com>
[3.10] gh-90744: Fix erroneous doc links in the sys module (GH-101319) (#102322)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com> Co-authored-by: Brad Wolfe <brad.wolfe@gmail.com> Co-authored-by: Furkan Onder <furkanonder@protonmail.com>
Fix erroneous doc links in the sys module (#101319)
projects / thirdparty / Python / cpython.git / log
