Mention that the function implicitly creates new event loop only if called from the main thread.
(cherry picked from commit 2c49becc69c05934996a00b902e4a4f089b91954)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
bpo-38400 Don't check for NULL linked list pointers in _PyObject_IsFreed (GH-16630)
Some objects like Py_None are not initialized with conventional means
that prepare the circular linked list pointers, leaving them unlinked
from the rest of the objects. For those objects, NULL pointers does
not mean that they are freed, so we need to skip the check in those
cases.
(cherry picked from commit 36e33c360ed7716a2b5ab2b53210da81f8ce1295)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
bpo-39348: Fix code highlight for the SOCK_NONBLOCK example (GH-18018)
The previous double colon was wrongly place directly after Therefore.
Which produced a block without syntax highlighting. This fixes it
by separating the double colon from the text. As a result, sphinx now
properly highlights the python code.
Vinay Sajip [Sun, 12 Jan 2020 20:55:54 +0000 (20:55 +0000)]
[3.7] bpo-16575: Disabled checks for union types being passed by value. (GH-17960) (GH-17970)
Although the underlying libffi issue remains open, adding these
checks have caused problems in third-party projects which are in
widespread use. See the issue for examples.
This affects both shallow and deep copying.
My idea for a fix is to add property objects to the list of "atomic" objects in the copy module.
These already include types like functions and type objects.
I also added property objects to the unit tests test_copy_atomic and test_deepcopy_atomic. This is my first PR, and it's highly likely I've made some mistake, so please be kind :)
[3.7] Add test cases for dataclasses. (GH-17909) (GH-17920)
* Add test cases for dataclasses.
* Add test for repr output of field.
* Add test for ValueError to be raised when both default and default_factory are passed.
(cherry picked from commit eef1b027ab70704bcaa60a089e4ae1592c504b86)
bpo-39152: add missing ttk.Scale.configure return value (GH-17815)
tkinter.ttk.Scale().configure([name]) now returns a configuration tuple for name
or a list thereof for all options. Based on patch Giovanni Lombardo.
(cherry picked from commit 5ea7bb25e3b192d6c49a49c9e3b316f8559602aa)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Dong-hee Na [Tue, 31 Dec 2019 04:15:10 +0000 (13:15 +0900)]
[3.7] bpo-38588: Fix possible crashes in dict and list when calling P… (GH-17765)
* [3.7] bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBool (GH-17734)
Take strong references before calling PyObject_RichCompareBool to protect against the case
where the object dies during the call..
(cherry picked from commit 2d5bf568eaa5059402ccce9ba5a366986ba27c8a)
Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
* methane's suggestion
bpo-34118: memoryview, range, and tuple are classes (GH-17761)
Tag memoryview, range, and tuple as classes, the same as list, etcetera, in
the library manual built-in functions list.
(cherry picked from commit ee9ff05ec22ecd47dbffdd361967ccd55963dad2)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Minor C API documentation improvements. (GH-17698)
The added parentheses around the PyIter_Next assignment suppress the following warning which gcc throws without:
```
warning: using the result of an assignment as a condition without parentheses [-Wparentheses]
```
The other change is a typo fix
(cherry picked from commit 5c7ed7550ec2da16d7679e538fcd7c1a5631811f)
Co-authored-by: William Ayd <william.ayd@icloud.com>
Fix test_ressources_gced_in_workers() of test_concurrent_futures:
explicitly stop the manager to prevent leaking a child process
running in the background after the test completes.
Pablo Galindo [Fri, 13 Dec 2019 14:04:14 +0000 (14:04 +0000)]
[3.7] bpo-39031: Include elif keyword when producing lineno/col-offset info for if_stmt (GH-17582) (#17584)
When parsing an "elif" node, lineno and col_offset of the node now point to the "elif" keyword and not to its condition, making it consistent with the "if" node.
bpo-39006: Fix asyncio when the ssl module is missing (GH-17524)
Fix asyncio when the ssl module is missing: only check for
ssl.SSLSocket instance if the ssl module is available.
(cherry picked from commit 82b4950b5e92bec343a436b3f9c116400b66e1b9)
Co-authored-by: Victor Stinner <vstinner@python.org>
array.array: Document that tostring() and fromstring() deprecated
aliases will be removed in Python 3.9.
(cherry picked from commit 0381ea79ac2da03179c8512c581cac588b69cff9)
Co-authored-by: Victor Stinner <vstinner@python.org>
bpo-38547: Fix test_pty if the process is the session leader (GH-17519)
Fix test_pty: if the process is the session leader, closing the
master file descriptor raises a SIGHUP signal: simply ignore SIGHUP
when running the tests.
(cherry picked from commit a1838ec2592e5082c75c77888f2a7a3eb21133e5)
Co-authored-by: Victor Stinner <vstinner@python.org>
bpo-38669: patch.object now raises a helpful error (GH17511)
This means a clearer message is now shown when patch.object is called with two string arguments, rather than a class and a string argument.
(cherry picked from commit cd90a52983db34896a6335a572d55bdda274778f)
bpo-36820: Break unnecessary cycle in socket.py, codeop.py and dyld.py (GH-13135)
Break cycle generated when saving an exception in socket.py, codeop.py and dyld.py as they keep alive not only the exception but user objects through the ``__traceback__`` attribute.
bpo-38965: Fix faulthandler._stack_overflow() on GCC 10 (GH-17467)
Use the "volatile" keyword to prevent tail call optimization
on any compiler, rather than relying on compiler specific pragma.
(cherry picked from commit 8b787964e0a647caa0558b7c29ae501470d727d9)
Co-authored-by: Victor Stinner <vstinner@python.org>
Extra newlines are removed at the end of non-shell files. If the file only has newlines after stripping other trailing whitespace, all are removed, as is done by patchcheck.py.
(cherry picked from commit 6bf644ec82f14cceae68278dc35bafb00875efae)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
bpo-38686: fix HTTP Digest handling in request.py (GH-17045)
* fix HTTP Digest handling in request.py
There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
> qop-options = "qop" "=" <"> 1GH-qop-value <">
> qop-value = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection
This is description confirmed by the definition of the [//n//]`GH-`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.
When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.
closes bpo-29275: Remove Y2K reference from time module docs (GH-17321)
The Y2K reference is not needed as it only points out that Python's use
of C standard functions doesn't generally suffer from Y2K issues; the
point regarding conventions for conversion of 2-digit years in
:func:`strptime` is still valid.
(cherry picked from commit 42bc60ead39c7be9f6bb7329977826e962f601eb)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
projects / thirdparty / Python / cpython.git / log
