The deprecation originally slated for 3.9 was deferred to 3.10
(bpo-39674, GH-18545) and the documentation on the 3.8 release was
updated accordingly (GH-18748). However the deprecation notice in
the code was left as is, and still indicates deprecation with 3.9.
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows causing a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. (GH-25213)
Earlier releases were mislabelled and included 1.1.1i again.
The tag/directory name is updated to ensure that builds get the fresh bits. However, the openssl-bin-1.1.1k tag in the repository has been forcibly updated, so fresh builds will be fine even without this change.
(cherry picked from commit 611aa39142f156508945ac312724474c493a6691)
Co-authored-by: Steve Dower <steve.dower@python.org>
bpo-42225: IDLE - document two unix-related problems. (GH-25078)
1. Bad IP masquerade rules can prevent startup.
2. X cannot handle some complex colored chars.
(cherry picked from commit 1b4a9c7956d5dc64f8002f62bf0faae2d1892f90)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
bpo-43562: fix test_ssl to skip on unreachable network (GH-24937) (GH-25047)
This test checks result code of the connection directly, so it never raises an exception that can be suppressed by `support.transient_internet`. Directly support skipping the test in case of unreachable network.
(cherry picked from commit 29c451c6989c3c94fa0a9facf187c24f3cbf2420)
Co-authored-by: Carl Meyer <carl@oddbird.net>
curses.update_lines_cols() is only defined when the curses library
provides either resizeterm() or resize_term() functions which are optional
and are not provided on AIX.
(cherry picked from commit c8b5738810516df5722caf049003e9b319427bec)
Co-authored-by: Michael Felt <aixtools@users.noreply.github.com>
bpo-42988: Remove the pydoc getfile feature (GH-25015)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
It doesn't actually affect whether match_hostname() is called (it
never is in this context any longer), but whether hostname
verification occurs in the first place.
(cherry picked from commit 9798cef92b882cd82a338d3368eaf3c4a32f5c2d)
Co-authored-by: Ville Skyttä <ville.skytta@iki.fi>
bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback (GH-24957)
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Gregory P. Smith [Mon, 15 Mar 2021 19:04:49 +0000 (12:04 -0700)]
[3.8] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881)
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
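The commit above describes the fix in prose: keep the port from the PASV reply but reuse the address of the control connection instead of the IPv4 address the server advertises. The following is an added illustration of that rule, not code from CPython's ftplib; the sample replies are constructed, and the function names (`parse_pasv_reply`, `pasv_host_mismatch`) are this example's own. In ftplib itself the opt-in switch is the `trust_server_pasv_ipv4_address` attribute named in the commit message.

```python
import re

# Constructed sample PASV replies (not captured from a real server).
SAMPLE_PASV_OK = "227 Entering Passive Mode (10,0,0,5,19,137)."
SAMPLE_PASV_BAD = "227 Entering Passive Mode (10,0,0)."

# Six decimal fields: four address octets, then the port's high and low byte.
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(resp, connected_host, trust_server_ipv4=False):
    """Return the (host, port) to use for the data connection.

    The port is always taken from the reply.  The host is taken from the reply
    only when trust_server_ipv4 is True; by default the address we are already
    connected to is reused, so a server cannot steer the client towards other
    hosts on the client's network.  This mirrors the post-bpo-43285 default.
    """
    if not resp.startswith("227"):
        raise ValueError("unexpected reply to PASV: " + resp)
    m = _PASV_RE.search(resp)
    if m is None:
        raise ValueError("could not parse PASV reply: " + resp)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply: " + resp)
    advertised_host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) + nums[5]
    if port == 0:
        raise ValueError("server advertised port 0: " + resp)
    if trust_server_ipv4:
        return advertised_host, port
    return connected_host, port


def pasv_host_mismatch(resp, connected_host):
    """True when the server advertised an address other than the one we dialled.

    The address is ignored either way in the default mode; logging this
    condition is a cheap way to notice a misconfigured or hostile server.
    """
    advertised, _ = parse_pasv_reply(resp, connected_host, trust_server_ipv4=True)
    return advertised != connected_host


if __name__ == "__main__":
    peer = "203.0.113.7"  # constructed: the control-connection peer address
    print("default  :", parse_pasv_reply(SAMPLE_PASV_OK, peer))
    print("trusting :", parse_pasv_reply(SAMPLE_PASV_OK, peer, trust_server_ipv4=True))
    print("mismatch :", pasv_host_mismatch(SAMPLE_PASV_OK, peer))
```

The port arithmetic (`p1 * 256 + p2`) is the one part of the reply that must still be trusted, which is why the same strategy is the only one available for EPSV, where the reply carries nothing but a port.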
Fix a race condition of test_stress_modifying_handlers() of
test_signal: only raise signals while we are in the
catch_unraisable_exception() context manager.
Moreover, don't check if we received at least one
signal if at least one signal got ignored.
(cherry picked from commit 1fa17e8cc62775a2e34b158135ce8589f9394f03)
Co-authored-by: Victor Stinner <vstinner@python.org>
Antoine Pitrou [Sat, 6 Mar 2021 15:08:01 +0000 (16:08 +0100)]
[3.8] bpo-43406: Fix possible race condition where ``PyErr_CheckSignals`` tries to execute a non-Python signal handler (GH-24756) (GH-24762)
We can receive signals (at the C level, in `trip_signal()` in signalmodule.c) while `signal.signal` is being called to modify the corresponding handler. Later when `PyErr_CheckSignals()` is called to handle the given signal, the handler may be a non-callable object and would raise a cryptic asynchronous exception.
(cherry picked from commit 68245b7a1030287294c65c298975ab9026543fd2)
Co-authored-by: Antoine Pitrou <antoine@python.org>
bpo-43407: Clarify comparisons of time.monotonic() et al results (GH-24757)
Previous wording implied that only the result of call N and N+1 could be
meaningfully compared, whereas comparing call N and N+M is fine.
(cherry picked from commit ff5f05934db241dfafc604989b2de3487b09ca82)
Co-authored-by: Alex Willmer <alex@moreati.org.uk>
bpo-43316: gzip: CLI uses non-zero return code on error. (GH-24647)
Exit code is now 1 instead of 0. A message is printed to stderr instead of stdout. This is
the proper behaviour for a tool that can be used in scripts.
(cherry picked from commit cc3df6368d4f3f6c9c9b716876c7e7b79c7abf3f)
bpo-43293: Doc: move note about GIL to top of threading module (GH-24622)
The note about the GIL was buried pretty deep in the threading documentation,
and this made it hard for first time users to discover why their attempts
at using threading to parallelizing their application did not work.
bpo-43283: Add IDLE doc paragraph about print speed (GH-24615) (GH-24632)
Printing to IDLE's Shell is often slower than printing to a system
terminal, but it can be made faster by pre-formatting a single
string before printing.
(cherry picked from commit 2827e8a177c2a6584fada594bca6829c53a2872f)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Unittest discovery supports a namespace package as the start
directory. But it doesn't find namespace packages in
the start directory automatically.
Otherwise, unittest discovery searches into unexpected
directories like `vendor/` or `node_modules/`.
(cherry picked from commit 5a4aa4c03e27ca5007b86c9c1ee62c77ad08a120)
bpo-43283: Rearrange some IDLE doc paragraphs. (GH-24604)
In the Running User Code section, gather together paragraphs about two
processes and the sys.stdstream replacements, preparing to add another.
(cherry picked from commit 4cf7bb8e22bf37e6d65bf4cb5618d09c4a8ad612)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
This lease on this domain has lapsed. This not only makes these dead links, but a potential attack vector for readers of python.org as the domain can be obtained by an untrustworthy party.
I considered redirecting these links to http://mingw-w64.org/ which is a maintained fork of mingw, but beyond my unfamiliarity with the exact level of compatibility, at the time of this PR that site had an expired cert and so is not much of a vulnerability fix.
Senthil Kumaran [Mon, 15 Feb 2021 18:15:02 +0000 (10:15 -0800)]
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297) (#24529)
* bpo-42967: only use '&' as a query string separator (#24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument separator with default value "&" is added to specify the
separator.
Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo <merwok@netwok.org>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo <merwok@netwok.org>.
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* Update correct version information.
* fix docs and make logic clearer
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
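The commit above explains the change but not what the two behaviours look like side by side. The following is an added example, not code from the commit or from CPython: it calls `urllib.parse.parse_qsl` with the `separator` keyword the commit introduces, emulates the old "`;` or `&`" splitting for comparison (`legacy_parse_query` is this example's own stand-in, not the old library code), and reports the parameter names on which a strict `&`-only parser and a legacy parser would disagree, which is the disagreement a cache-poisoning attempt relies on. The sample query strings are constructed. It needs a Python with the `separator` argument (3.8.8 / 3.9.2 or later).

```python
from urllib.parse import parse_qsl, urlencode


def parse_query(qs, separator="&"):
    """Split qs into (key, value) pairs on exactly one separator.

    Wraps parse_qsl and its `separator` keyword (added for bpo-42967).
    keep_blank_values=True keeps "a=" and "a" visible as parameters.
    """
    return parse_qsl(qs, keep_blank_values=True, separator=separator)


def legacy_parse_query(qs):
    """Emulate the pre-fix behaviour where both ';' and '&' separated fields.

    Written here only for comparison; it is not the old library code.
    """
    return parse_qsl(qs.replace(";", "&"), keep_blank_values=True, separator="&")


def keys_only_legacy_sees(qs):
    """Parameter names a ';'-splitting parser sees that a strict '&' parser does not.

    A front-end cache that keys on '&'-separated parameters and an application
    that also honoured ';' would disagree on exactly these names.  An empty
    result means both sides read the query the same way.
    """
    strict = {k for k, _ in parse_query(qs)}
    legacy = {k for k, _ in legacy_parse_query(qs)}
    return sorted(legacy - strict)


def canonical_query(qs, separator="&"):
    """Re-encode the parsed pairs so a ';' inside a value stays inside it."""
    return urlencode(parse_query(qs, separator))


if __name__ == "__main__":
    # Constructed sample query strings.
    for sample in ("a=1&b=2", "a=1;b=2", "q=x;utm=y&page=3"):
        print(sample)
        print("  strict      :", parse_query(sample))
        print("  legacy      :", legacy_parse_query(sample))
        print("  legacy-only :", keys_only_legacy_sees(sample))
        print("  canonical   :", canonical_query(sample))
```

Passing `separator=";"` explicitly restores the old splitting for an application that genuinely uses it; the point of the default change is that the choice is now made once, visibly, rather than differing between the cache layer and the application.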