Note: This change is not effective on Microsoft Windows.
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.
The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.
This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de>
Co-authored-by: Christian Heimes <christian@python.org>
* gh-93575: Use correct way to calculate PyUnicode struct sizes
* Add comment to keep test_sys and test_unicode in sync
* Fix case code < 256.
(cherry picked from commit 5442561c1a)
Co-authored-by: Christian Heimes <christian@python.org>
All install targets use the "all" target as synchronization point to
prevent race conditions with PGO builds. PGO builds use recursive make,
which can lead to two parallel `./python setup.py build` processes that
step on each others toes.
"test" targets now correctly compile PGO build in a clean repo.
(cherry picked from commit 243ed5439c)
Co-authored-by: Christian Heimes <christian@python.org>
These are currently broken as they refer to :meth:`Path.relative_to` rather than :meth:`PurePath.relative_to`, and `relative_to` is a method on `PurePath`.
(cherry picked from commit 8ef7929baf)
Co-authored-by: jacksonriley <52106215+jacksonriley@users.noreply.github.com>
(cherry picked from commit f0d0be3493)
Co-authored-by: Sean Fleming
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Character ranges with upper bound less that lower bound (e.g. [c-a])
are now interpreted as empty ranges, for compatibility with other glob
pattern implementations. Previously it was re.error.
(cherry picked from commit 0902c3d8ed)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 713eb184b5)
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
Add C++ overloads for _Py_CAST_impl() to handle 0/NULL. This will allow
C++ extensions that pass 0 or NULL to macros using _Py_CAST() to
continue to compile. Without this, you get an error like:
invalid ‘static_cast’ from type ‘int’ to type ‘_object*’
The modern way to use a NULL value in C++ is to use nullptr. However,
we want to not break extensions that do things the old way.
Co-authored-by: serge-sans-paille
(cherry picked from commit 8bcc3fa345)
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
When a `_PathParents` object has a drive or a root, the length of the
object is *one less* than than the length of `self._parts`, which resulted
in an off-by-one error when `path.parents[-n]` was fed through to
`self._parts[:-n - 1]`. In particular, `path.parents[-1]` was a malformed
path object with spooky properties.
This is addressed by adding `len(self)` to negative indices.
(cherry picked from commit f32e6b48d1)
Co-authored-by: Barney Gale <barney.gale@gmail.com>
- Mark more ``umask()`` cases
- ``dup()`` is not supported
- ``/dev/null`` is not available
- document missing features
- mark more modules as not available
(cherry picked from commit 069c96f84c)
Co-authored-by: Christian Heimes <christian@python.org>
(cherry picked from commit ee70c70aa9)
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
VOC has been archived by the BeeWare project, and they are instead
embedding CPython, rather than transpiling to Java bytecode.
(cherry picked from commit bb900712a5)
Co-authored-by: Carl Bordum Hansen <carl@bordum.dk>
Miss Islington (bot)
Łukasz Langa
Christian Heimes
Irit Katriel
Ken Jin
Pablo Galindo