diff --git a/Doc/whatsnew/2.7.rst b/Doc/whatsnew/2.7.rst index 6a73fc8aee3..be8bac60155 100644 --- a/Doc/whatsnew/2.7.rst +++ b/Doc/whatsnew/2.7.rst @@ -722,6 +722,10 @@ Some smaller changes made to the core Python language are: Integer division is also more accurate in its rounding behaviours. (Also implemented by Mark Dickinson; :issue:`1811`.) +* Implicit coercion for complex numbers has been removed; the interpreter + will no longer ever attempt to call a :meth:`__coerce__` method on complex + objects. (Removed by Meador Inge and Mark Dickinson; :issue:`5211`.) + * The :meth:`str.format` method now supports automatic numbering of the replacement fields. This makes using :meth:`str.format` more closely resemble using ``%s`` formatting:: @@ -1102,6 +1106,10 @@ changes, or look through the Subversion logs for all the details. statement, has been deprecated, because the :keyword:`with` statement now supports multiple context managers. +* The :mod:`cookielib` module now ignores cookies that have an invalid + version field, one that doesn't contain an integer value. (Fixed by + John J. Lee; :issue:`3924`.) + * The :mod:`copy` module's :func:`~copy.deepcopy` function will now correctly copy bound instance methods. (Implemented by Robert Collins; :issue:`1515`.) 
@@ -2073,6 +2081,28 @@ Changes to Python's build process and to the C API include: :cfunc:`PyOS_ascii_strtod` and :cfunc:`PyOS_ascii_atof` functions are now deprecated. +* New function: :cfunc:`PySys_SetArgvEx` sets the value of + ``sys.argv`` and can optionally update ``sys.path`` to include the + directory containing the script named by ``sys.argv[0]`` depending + on the value of an *updatepath* parameter. + + This function was added to close a security hole for applications + that embed Python. The old function, :cfunc:`PySys_SetArgv`, would + always update ``sys.path``, and sometimes it would add the current + directory. This meant that, if you ran an application embedding + Python in a directory controlled by someone else, attackers could + put a Trojan-horse module in the directory (say, a file named + :file:`os.py`) that your application would then import and run. + + If you maintain a C/C++ application that embeds Python, check + whether you're calling :cfunc:`PySys_SetArgv` and carefully consider + whether the application should be using :cfunc:`PySys_SetArgvEx` + with *updatepath* set to false. + + Security issue reported as `CVE-2008-5983 + `_; + discussed in :issue:`5753`, and fixed by Antoine Pitrou. + * New macros: the Python header files now define the following macros: :cmacro:`Py_ISALNUM`, :cmacro:`Py_ISALPHA`, @@ -2281,6 +2311,10 @@ Other Changes and Fixes thread switching latency, and IO processing bandwidth when performing several tasks using a varying number of threads. +* The :file:`Tools/i18n/msgfmt.py` script now understands plural + forms in :file:`.po` files. (Fixed by Martin von Löwis; + :issue:`5464`.) + * When importing a module from a :file:`.pyc` or :file:`.pyo` file with an existing :file:`.py` counterpart, the :attr:`co_filename` attributes of the resulting code objects are overwritten when the 
@@ -2415,6 +2449,14 @@ For C extensions: :cfunc:`PyOS_ascii_strtod` and :cfunc:`PyOS_ascii_atof` functions, which are now deprecated. +For applications that embed Python: + +* The :cfunc:`PySys_SetArgvEx` function was added, letting + applications close a security hole when the existing + :cfunc:`PySys_SetArgv` function was used. Check whether you're + calling :cfunc:`PySys_SetArgv` and carefully consider whether the + application should be using :cfunc:`PySys_SetArgvEx` with + *updatepath* set to false. .. ======================================================================
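Review bot: in the @@ -722 hunk, "will no longer ever attempt to call" is redundant; "will no longer attempt to call a :meth:`__coerce__` method on complex objects" says the same thing. Since this entry removes behaviour, it is also worth checking that the porting section mentions it, unless it already does outside the lines shown here. This patch's only porting addition is the embedding note in the last hunk.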
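Review bot: in the @@ -1102 hunk, the apposition "an invalid version field, one that doesn't contain an integer value" is awkward and leaves the scope of "invalid" unclear. Suggest "ignores cookies whose version field does not contain an integer value", which puts the exact condition in one clause. It would also help to say whether "ignores" means the cookie is silently dropped, because code that inspects the cookie jar afterwards will see the difference.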
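Review bot: in the @@ -2073 hunk, the second paragraph says :cfunc:`PySys_SetArgv` "would always update ``sys.path``, and sometimes it would add the current directory" without saying when "sometimes" applies. An embedder reading this cannot tell whether their call pattern is exposed, so please state the condition under which the current directory ends up on the path. Two smaller points. The last paragraph's "`CVE-2008-5983 `_" has no link target between the backticks as shown, so confirm that the URL is present in the actual file. Also, "with *updatepath* set to false" describes a C parameter, so giving the literal value to pass (0) would be less ambiguous for C/C++ readers.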
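Review bot: in the @@ -2415 hunk, the porting note repeats the advice from the C API entry but drops the references, so a reader who lands only on this section has no pointer to the details. Suggest ending the item with the same identifiers the earlier hunk cites (CVE-2008-5983, :issue:`5753`). The tense in "letting applications close a security hole when the existing :cfunc:`PySys_SetArgv` function was used" also reads oddly; "a security hole present when the existing :cfunc:`PySys_SetArgv` function is used" would be clearer. Finally, check that a blank line separates the last list line from the ".. ====" comment, so the comment is not parsed as part of the bullet.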