Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 .
### Notes
- Please treat as a security fix related to CVE-2023-52425.
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
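An added example (not part of the commit or of CPython's own code) of the flush pattern this change enables: events held back by reparse deferral are released with `flush()` while the CVE-2023-52425 mitigation stays enabled. `deferral_state`, `feed_and_flush` and `SAMPLE_CHUNKS` are names assumed here, and the `hasattr`/`getattr` checks cover builds that lack the new methods.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


def deferral_state():
    """Value of GetReparseDeferralEnabled() on a fresh parser, or None
    if this CPython build does not have the method."""
    parser = expat.ParserCreate()
    if not hasattr(parser, "GetReparseDeferralEnabled"):
        return None
    return parser.GetReparseDeferralEnabled()


def _drain(parser):
    """Collect the events currently queued on an XMLPullParser."""
    return [(event, elem.tag) for event, elem in parser.read_events()]


def feed_and_flush(chunks):
    """Feed each chunk, then flush; record which events were visible
    before and after the flush. Reparse deferral is never switched off
    by this code."""
    parser = ET.XMLPullParser(events=("start", "end"))
    flush = getattr(parser, "flush", None)  # absent on builds without the fix
    trace = []
    for chunk in chunks:
        parser.feed(chunk)
        before = _drain(parser)
        if flush is not None:
            flush()
        trace.append((chunk, before, _drain(parser)))
    parser.close()
    trace.append(("<close>", _drain(parser), []))
    return trace


# Constructed sample: a start tag split across two reads, which is the
# case where Expat >= 2.6.0 postpones re-parsing the partial token.
SAMPLE_CHUNKS = ["<doc", ">", "<item/>", "</doc>"]

if __name__ == "__main__":
    print("libexpat", expat.version_info, "deferral:", deferral_state())
    for chunk, before, after in feed_and_flush(SAMPLE_CHUNKS):
        print(f"{chunk!r:10} before flush: {before}  after flush: {after}")
```

Calling `flush()` at message boundaries keeps interactive consumers responsive without calling `SetReparseDeferralEnabled(False)` for the whole stream.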
* Use new-style index directive ('module') - C API
* Use new-style index directive ('module') - Library
* Use new-style index directive ('module') - Reference
* Use new-style index directive ('module') - Tutorial
* Uncomment module removal in pairindextypes
* Use new-style index directive ('module') - C API
* Use new-style index directive ('module') - Library
* Use new-style index directive ('module') - Reference
The idea is to ensure that module `xml.parsers.expat.errors`
contains all known error codes and messages,
even when CPython is compiled or run with an outdated version of libexpat.
https://bugs.python.org/issue45321
The descriptions of the `codes` and `messages` dictionaries in
`xml.parsers.expat.errors` were swapped, and this commit swaps them
back. For example, `codes` maps string descriptions of errors to numeric
error codes, not the other way around.
* Use explicit numbering for footnotes referred by explicit number.
* Restore missed footnote reference in stdtypes.rst.
* Fix literal strings formatting in howto/urllib2.rst.
* Update susp-ignored.csv for zipapp.rst.
* Fix suspicious mark up in Misc/NEWS.
This changes the main documentation, doc strings, source code comments, and a
couple error messages in the test suite. In some cases the word was removed
or edited some other way to fix the grammar.
to parse more than one XML document per pyexpat xmlparser instance.
(Original patches by Hirokazu Yamamoto and Amaury Forgeot d'Arc, with
suggested wording by David Gutteridge)
svn+ssh://pythondev@svn.python.org/python/trunk
........
r61431 | vinay.sajip | 2008-03-16 22:35:58 +0100 (So, 16 Mär 2008) | 1 line
Clarified documentation on use of shutdown().
........
r61433 | mark.summerfield | 2008-03-17 09:28:15 +0100 (Mo, 17 Mär 2008) | 5 lines
Added a footnote to each pointing out that for XML output if an encoding
string is given it should conform to the appropriate XML standards---for
example, "UTF-8" is okay, but "UTF8" is not.
........
r61434 | eric.smith | 2008-03-17 12:01:01 +0100 (Mo, 17 Mär 2008) | 7 lines
Issue 2264: empty float presentation type needs to have at least one digit past the decimal point.
Added "Z" format_char to PyOS_ascii_formatd to support empty float presentation type.
Renamed buf_size in PyOS_ascii_formatd to more accurately reflect its meaning.
Modified format.__float__ to use the new "Z" format as the default.
Added test cases.
........
r61435 | eric.smith | 2008-03-17 13:14:29 +0100 (Mo, 17 Mär 2008) | 2 lines
Reformatted lines > 79 chars.
Deleted unused macro ISXDIGIT.
........
r61436 | jeffrey.yasskin | 2008-03-17 15:40:53 +0100 (Mo, 17 Mär 2008) | 13 lines
Allow Gnu gcc's to build python on OSX by removing -Wno-long-double,
-no-cpp-precomp, and -mno-fused-madd from configure.
* r22183 added -no-cpp-precomp, which
http://gcc.gnu.org/ml/gcc/2005-12/msg00368.html claims hasn't been
needed since gcc-3.1.
* r25607 added -Wno-long-double to avoid a warning in
Include/objimpl.h (issue 525481). The long double is still there,
but OSX 10.4's gcc no longer warns about it.
* r33666 fixed issue 775892 on OSX 10.3 by adding -mno-fused-madd,
which changed the sign of some float 0s. Tim Peters said it wasn't
a real issue anyway, and it no longer causes test failures.
Fixes issue #1779871.
........
r61439 | martin.v.loewis | 2008-03-17 17:31:57 +0100 (Mo, 17 Mär 2008) | 2 lines
Add Trent Nelson.
........
r61444 | travis.oliphant | 2008-03-17 18:36:12 +0100 (Mo, 17 Mär 2008) | 1 line
Add necessary headers to back-port new buffer protocol to Python 2.6
........
r61449 | gregory.p.smith | 2008-03-17 19:48:05 +0100 (Mo, 17 Mär 2008) | 8 lines
Force zlib.crc32 and zlib.adler32 to return a signed integer on all platforms
regardless of the native sizeof(long) used in the integer object.
This somewhat odd behavior of returning a signed is maintained in 2.x for
compatibility reasons of always returning an integer rather than a long object.
Fixes Issue1202 for Python 2.6
........
r61450 | neal.norwitz | 2008-03-17 20:02:45 +0100 (Mo, 17 Mär 2008) | 3 lines
Use a buffer large enough to ensure we don't overrun, even if the value
is outside the range we expect.
........
r61453 | steven.bethard | 2008-03-17 20:33:11 +0100 (Mo, 17 Mär 2008) | 1 line
Document unicode.isnumeric() and unicode.isdecimal() (issue2326)
........
r61458 | neal.norwitz | 2008-03-17 21:22:43 +0100 (Mo, 17 Mär 2008) | 5 lines
Issue 2321: reduce memory usage (increase the memory that is returned
to the system) by using pymalloc for the data of unicode objects.
Will backport.
........
r61465 | martin.v.loewis | 2008-03-17 22:55:30 +0100 (Mo, 17 Mär 2008) | 2 lines
Add David Wolever.
........
r61468 | gregory.p.smith | 2008-03-18 01:20:01 +0100 (Di, 18 Mär 2008) | 3 lines
Fix the IOError message text when opening a file with an invalid filename.
Error reported by Ilan Schnell.
........
r61471 | brett.cannon | 2008-03-18 02:00:07 +0100 (Di, 18 Mär 2008) | 2 lines
Convert test_strftime, test_getargs, and test_pep247 to use unittest.
........
r61472 | jeffrey.yasskin | 2008-03-18 02:09:59 +0100 (Di, 18 Mär 2008) | 2 lines
Fix build on platforms that don't have intptr_t. Patch by Joseph Armbruster.
........
r61473 | brett.cannon | 2008-03-18 02:50:25 +0100 (Di, 18 Mär 2008) | 2 lines
Convert test_dummy_threading and test_dbm to unittest.
........
r61474 | brett.cannon | 2008-03-18 02:58:56 +0100 (Di, 18 Mär 2008) | 2 lines
Move test_extcall to doctest.
........
r61480 | brett.cannon | 2008-03-18 04:46:22 +0100 (Di, 18 Mär 2008) | 2 lines
test_errno was a no-op test; now it actually tests things and uses unittest.
........
r61483 | brett.cannon | 2008-03-18 05:09:00 +0100 (Di, 18 Mär 2008) | 3 lines
Remove our implementation of memmove() and strerror(); both are in the C89
standard library.
........
r61484 | brett.cannon | 2008-03-18 05:16:06 +0100 (Di, 18 Mär 2008) | 2 lines
The output directory for tests that compare against stdout is now gone!
........
r61488 | jeffrey.yasskin | 2008-03-18 05:29:35 +0100 (Di, 18 Mär 2008) | 2 lines
Block the "socket.ssl() is deprecated" warning from test_socket_ssl.
........
r61495 | jeffrey.yasskin | 2008-03-18 05:56:06 +0100 (Di, 18 Mär 2008) | 4 lines
Speed test_thread up from 51.328s to 0.081s by reducing its sleep times. We
still sleep at all to make it likely that all threads are active at the same
time.
........
r61496 | jeffrey.yasskin | 2008-03-18 06:12:41 +0100 (Di, 18 Mär 2008) | 4 lines
Speed up test_dict by about 10x by only checking selected dict literal sizes,
instead of every integer from 0 to 400. Exhaustive testing wastes time without
providing enough more assurance that the code is correct.
........
r61498 | neal.norwitz | 2008-03-18 06:20:29 +0100 (Di, 18 Mär 2008) | 1 line
Try increasing the timeout to reduce the flakiness of this test.
........
r61503 | brett.cannon | 2008-03-18 06:43:04 +0100 (Di, 18 Mär 2008) | 2 lines
Improve the error message for a test that failed on the S-390 Debian buildbot.
........
r61504 | jeffrey.yasskin | 2008-03-18 06:45:40 +0100 (Di, 18 Mär 2008) | 3 lines
Add a -S/--slow flag to regrtest to have it print the 10 slowest tests with
their times.
........
r61507 | neal.norwitz | 2008-03-18 07:03:46 +0100 (Di, 18 Mär 2008) | 1 line
Add some info to the failure messages
........
r61509 | trent.nelson | 2008-03-18 08:02:12 +0100 (Di, 18 Mär 2008) | 1 line
Issue 2286: bump up the stack size of the 64-bit debug python_d.exe to 2100000. The default value of 200000 causes a stack overflow at 1965 iterations of r_object() in marshal.c, 35 iterations before the 2000 limit enforced by MAX_MARSHAL_STACK_DEPTH.
........
r61510 | trent.nelson | 2008-03-18 08:32:47 +0100 (Di, 18 Mär 2008) | 5 lines
The behaviour of winsound.Beep() seems to differ between different versions of Windows when there's either:
a) no sound card entirely
b) legacy beep driver has been disabled
c) the legacy beep driver has been uninstalled
Sometimes RuntimeErrors are raised, sometimes they're not. If _have_soundcard() returns False, don't expect winsound.Beep() to raise a RuntimeError, as this clearly isn't the case, as demonstrated by the various Win32 XP buildbots.
........
r61515 | martin.v.loewis | 2008-03-18 13:20:15 +0100 (Di, 18 Mär 2008) | 2 lines
norwitz-amd64 (gentoo) has EREMOTEIO.
........
r61516 | martin.v.loewis | 2008-03-18 13:45:37 +0100 (Di, 18 Mär 2008) | 2 lines
Add more Linux error codes.
........
r61517 | martin.v.loewis | 2008-03-18 14:05:03 +0100 (Di, 18 Mär 2008) | 2 lines
Add WSA errors.
........
r61518 | martin.v.loewis | 2008-03-18 14:16:05 +0100 (Di, 18 Mär 2008) | 2 lines
Note that the stderr output of the test is intentional.
........
svn+ssh://pythondev@svn.python.org/python/trunk
........
r59844 | raymond.hettinger | 2008-01-07 21:56:05 +0100 (Mon, 07 Jan 2008) | 1 line
Use get() instead of pop() for the optimized version of _replace().
........
r59847 | raymond.hettinger | 2008-01-07 22:33:51 +0100 (Mon, 07 Jan 2008) | 1 line
Documentation nits.
........
r59849 | raymond.hettinger | 2008-01-08 03:02:05 +0100 (Tue, 08 Jan 2008) | 1 line
Expand comment.
........
r59850 | raymond.hettinger | 2008-01-08 03:24:15 +0100 (Tue, 08 Jan 2008) | 1 line
Docs on named tuple's naming conventions and limits of subclassing
........
r59851 | christian.heimes | 2008-01-08 04:40:04 +0100 (Tue, 08 Jan 2008) | 1 line
It's verbose, not debug
........
r59852 | facundo.batista | 2008-01-08 13:25:20 +0100 (Tue, 08 Jan 2008) | 4 lines
Issue #1757: The hash of a Decimal instance is no longer affected
by the current context. Thanks Mark Dickinson.
........
r59853 | andrew.kuchling | 2008-01-08 15:30:55 +0100 (Tue, 08 Jan 2008) | 1 line
Patch 1137: allow assigning to .buffer_size attribute of PyExpat.parser objects
........
r59854 | andrew.kuchling | 2008-01-08 15:56:02 +0100 (Tue, 08 Jan 2008) | 1 line
Patch 1114: fix compilation of curses module on 64-bit AIX, and any other LP64 platforms where attr_t isn't a C long
........
r59856 | thomas.heller | 2008-01-08 16:15:09 +0100 (Tue, 08 Jan 2008) | 5 lines
Use relative instead of absolute filenames in the C-level tracebacks.
This prevents traceback prints pointing to files in this way:
File "\loewis\25\python\Modules\_ctypes\callbacks.c", line 206, in 'calling callback function'
........
r59857 | christian.heimes | 2008-01-08 16:46:10 +0100 (Tue, 08 Jan 2008) | 2 lines
Added __enter__ and __exit__ functions to HKEY object
Added ExpandEnvironmentStrings to the _winreg module.
........
r59858 | georg.brandl | 2008-01-08 17:18:26 +0100 (Tue, 08 Jan 2008) | 2 lines
Fix markup errors from r59857 and clarify key.__enter__/__exit__ docs
........
r59860 | georg.brandl | 2008-01-08 20:42:30 +0100 (Tue, 08 Jan 2008) | 2 lines
Better method for associating .py files with the interpreter.
........
r59862 | facundo.batista | 2008-01-08 22:10:12 +0100 (Tue, 08 Jan 2008) | 9 lines
Issue 846388. Adds a call to PyErr_CheckSignals to
SRE_MATCH so that signal handlers can be invoked during
long regular expression matches. It also adds a new
error return value indicating that an exception
occurred in a signal handler during the match, allowing
exceptions in the signal handler to propagate up to the
main loop. Thanks Josh Hoyt and Ralf Schmitt.
........