[3.13] gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (GH-144371) (#145585)
gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (GH-144371)
Disallow usage of control characters in status in wsgiref.handlers
to prevent HTTP header injections.
(cherry picked from commit d931725bc850cd096f6703bc285e885f1e015f05)
Co-authored-by: Benedikt Johannes <benedikt.johannes.hofer@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.13] gh-122941: Fix test_launcher sporadic failures via py.ini isolation (GH-145090)
Adds _PYLAUNCHER_INIDIR as a private variable since the launcher is deprecated and not getting new features.
(cherry picked from commit 6cdbd7bc5d4ee63459d03a944477ea8671a05198)
[3.13] gh-143304: Fix ctypes.CDLL to honor handle parameter on POSIX systems (GH-143318) (GH-145173)
The handle parameter was being ignored in the POSIX implementation
of CDLL._load_library(), causing it to always call _dlopen() even
when a valid handle was provided. This was a regression introduced
in recent refactoring.
(cherry picked from commit 27ded243485670fa836c9bb421e37a6ef16eca8e)
Co-authored-by: Arjit Singh Grover <143692910+Koolvansh07@users.noreply.github.com>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-145455: Show output of blurb & sphinx-build version commands (GH-145457) (GH-145462)
In gh-145455, an outdated dependency caused an import error that was not
printed out (`2>&1`); the message instead said that the tools are missing.
Don't redirect stderr, to show warnings and failures.
Also, switch `blurb` to output a version on a single line (`--version` rather
than `help`), and don't redirect stdout either.
This results in two version info lines being printed out. These get drowned
in typical Sphinx output, and can be helpful when debugging.
(cherry picked from commit f1de65b3669226d563802a32b78a2294e971151a)
Kumar Aditya [Sat, 28 Feb 2026 18:53:27 +0000 (00:23 +0530)]
[3.13] gh-142352: Fix asyncio start_tls() to transfer buffered data from StreamReader (GH-142354) (#145364)
[3.13] gh-142352: Fix `asyncio` `start_tls()` to transfer buffered data from StreamReader (GH-142354)
(cherry picked from commit 0598f4a8999b96409e0a2bf9c480afc76a876860)
The fix for gh-92081 (gh-92281) was unfortunately flawed, and broke whitespace handling for encoded word patterns that had previously been working correctly but had no corresponding tests, unfortunately in a way that made the resulting headers not RFC compliant, in such a way that Yahoo started rejecting the resulting emails. This fix was released in 3.14 alpha 1, 3.13 beta 2 and 3.12.5. This PR fixes the original problem in a way that does not break anything, and in fact fixes a small pre-existing bug (a spurious whitespace after the ':' of the header label if the header value is immediately wrapped on to the next line). (RDM)
(cherry picked from commit 0f7cd5544a4dd1d7cf892c93c661510d619caaa7)
[3.13] gh-137335: Fix unlikely name conflicts for named pipes in multiprocessing and asyncio on Windows (GH-137389) (GH-145171)
Since os.stat() raises an OSError for existing named pipe "\\.\pipe\...",
os.path.exists() always returns False for it, and tempfile.mktemp() can
return a name that matches an existing named pipe.
So, tempfile.mktemp() cannot be used to generate unique names for named
pipes. Instead, CreateNamedPipe() should be called in a loop with
different names until it completes successfully.
(cherry picked from commit d6a71f4690c702892644b1fbae90ae9ef733a8ab)
[3.13] gh-66305: Fix a hang on Windows in the tempfile module (GH-144672) (GH-145169)
It occurred when trying to create a temporary file or subdirectory in
a non-writable directory.
(cherry picked from commit ca66d3c40cd9ac1fb94dd7cd79ccb8fecf019527)
Bénédikt Tran [Sat, 21 Feb 2026 15:05:57 +0000 (16:05 +0100)]
[3.13] gh-143698: correctly check `scheduler` and `setpgroup` values for `os.posix_spawn[p]` (GH-143699) (#145074)
* [3.13] gh-143698: correctly check `scheduler` and `setpgroup` values for `os.posix_spawn[p]` (GH-143699)
Fix an issue where passing invalid arguments to `os.posix_spawn[p]` functions
raised a SystemError instead of a TypeError, and allow explicitly using `None`
for `scheduler` and `setpgroup` as specified in the docs.
Stan Ulbrych [Sat, 21 Feb 2026 12:24:53 +0000 (12:24 +0000)]
[3.13] `compute-changes.py`: Fix & test `process_changed_files()` (GH-144674) (#145014)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Chris Eibl <138194463+chris-eibl@users.noreply.github.com>
gh-144694: Fix re.Match.group() doc claiming [1..99] range limit (GH-144696)
The documentation incorrectly stated that numeric group arguments
must be in the range [1..99]. This limit was removed in Python 3.5
(bpo-22437). Replace with "a positive integer" since the next
sentence already documents the IndexError for out-of-range values.
(cherry picked from commit 85021bc2477f3ab394172b6dda3110e59f4777dd)
[3.13] gh-144601: Use `_testmultiphase` instead of `_testsinglephase` in `test_importlib` (GH-144769) (GH-144877)
[3.14] gh-144601: Use `_testmultiphase` instead of `_testsinglephase` in `test_importlib` (GH-144769)
(cherry picked from commit d1486623263adea6a5138453bacad36a50c14e95)
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
[3.13] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144859)
gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)
In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self)
was called before _setSSLError(get_state_ctx(self), ...), causing
a use-after-free. Additionally, get_state_ctx() was called with
self (PySSLSocket*) instead of sslctx (PySSLContext*), which is
a type confusion bug.
Fix by calling _setSSLError() before Py_DECREF() and using
sslctx instead of self for get_state_ctx().
(cherry picked from commit c91638ca0671b8038831f963ed44e66cdda006a2)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
[3.13] gh-144787: [tests] Allow TLS v1.2 to be minimum version (GH-144790) (#144792)
gh-144787: [tests] Allow TLS v1.2 to be minimum version (GH-144790)
Allow TLS v1.2 to be minimum version
Updates test_min_max_version to allow TLS v1.2 to be minimum version if
TLS 1.0 and 1.1 are disabled in OpenSSL.
(cherry picked from commit d625f7da33bf8eb57fb7e1a05deae3f68bf4d00f)
Co-authored-by: Colin McAllister <colinmca242@gmail.com>
[3.13] gh-144706: Warn against using synchronization primitives within signal handlers (GH-144736) (GH-144768)
gh-144706: Warn against using synchronization primitives within signal handlers (GH-144736)
(cherry picked from commit 945bf8ce1bf7ee3881752c2ecc129e35ab818477)
Serhiy Storchaka [Thu, 12 Feb 2026 17:18:48 +0000 (19:18 +0200)]
[3.13] gh-80667: Fix case-sensitivity of some Unicode literal escapes (GH-107281) (GH-144754)
Lookup for CJK ideograms and Hangul syllables is now case-insensitive,
as is the case for other character names.
(cherry picked from commit e66f4a5a9c7ce744030d6352bf5575639b1096cc)
Serhiy Storchaka [Thu, 12 Feb 2026 08:35:09 +0000 (10:35 +0200)]
[3.13] gh-84424: Use numeric_changed for UCD.numeric (GH-19457) (GH-144732)
This was causing ucd_3_2_0.numeric() to pick up only decimal
changes between Unicode 3.2.0 and the current version.
(cherry picked from commit 3e0322ff16f47caa3e273d453f007d3918b8ac80)
gh-143650: Fix importlib race condition on import failure (GH-143651)
Fix a race condition where a thread could receive a partially-initialized
module when another thread's import fails. The race occurs when:
1. Thread 1 starts importing, adds module to sys.modules
2. Thread 2 sees the module in sys.modules via the fast path
3. Thread 1's import fails, removes module from sys.modules
4. Thread 2 returns a stale module reference not in sys.modules
The fix adds verification after the "skip lock" optimization in both Python
and C code paths to check if the module is still in sys.modules. If the
module was removed (due to import failure), we retry the import so the
caller receives the actual exception from the import failure rather than
a stale module reference.
[3.13] gh-144492: Fix `process_changed_files` outputs for `reusable-{macos, wasi}.yml` (GH-144518) (#144634)
gh-144492: Fix `process_changed_files` outputs for `reusable-{macos, wasi}.yml` (GH-144518)
Fix `process_changed_files` double-processing reusable-{macos, wasi} ending up with incorrect outputs
(cherry picked from commit fd190d1fa1a34bb8d533d05263ea744a051b7529)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-144330: Initialize classmethod and staticmethod in new (GH-144498) (#144537)
[3.14] gh-144330: Initialize classmethod and staticmethod in new (GH-144498)
gh-144330: Initialize classmethod and staticmethod in new
Initialize cm_callable and sm_callable to None in classmethod and
staticmethod constructor.
(cherry picked from commit 160810de89477836f2fde7139f7ab0670399efff)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Aniket Singh Yadav <singhyadavaniket43@gmail.com>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-75572: Speed up test_xpickle (GH-144393) (GH-144404)
Run a long living subprocess which handles multiple requests instead of
running a new subprocess for each request.
(cherry picked from commit 29acc08c8dad664cd5713cb392e5beba65724c10)