* bpo-29613: Added support for SameSite cookies
Implemented as per draft
https://tools.ietf.org/html/draft-west-first-party-cookies-07
* Documented SameSite
And suggestions by members.
* Missing space :(
* Updated News and contributors
* Added version changed details.
* Fix in documentation
* fix in documentation
* Clubbed test cases for same attribute into single.
* Updates
* Style nits + expand tests
* review feedback
test_asyncio hangs indefinitely on macOS 10.13.2+ on `read_pty_output()`
using the KqueueSelector. Closing `proto.transport` (as is done in
`write_pty_output()`) seems to fix it.
(cherry picked from commit 12f74d8608)
Co-authored-by: Nathan Henrie <n8henrie@users.noreply.github.com>
Also, re-enable test_read_pty_output on macOS.
Creating backup files with ~ suffix can be undesirable in some environments,
such as when building RPM packages. Instead of requiring the user to remove
those files manually, option -n was added, that simply disables this feature.
-n was selected because 2to3 has the same option with this behavior.
* Prevent low-grade poplib REDOS (CVE-2018-1060)
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>
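
A REDOS regression check of the kind the difflib message mentions, as an added example (not code from the commit or from CPython's test suite). The two patterns are an assumption: they are not quoted on this page and are reproduced here as difflib's IS_LINE_JUNK default before and after the change; the sample lines and the probe input are constructed.

```python
import re
import time

# Assumed patterns (not on this page): IS_LINE_JUNK default before / after.
OLD_JUNK = re.compile(r"\s*#?\s*$")
NEW_JUNK = re.compile(r"\s*(?:#\s*)?$")

# Constructed sample lines covering blank, comment-only and real content.
SAMPLES = ["", "\n", "  \n", "#\n", "  #  \n", "# note\n", "x = 1\n", " ##\n", "#  #\n"]


def same_verdicts(lines=SAMPLES):
    """The replacement must classify every line exactly as the old one did."""
    return all(bool(OLD_JUNK.match(s)) == bool(NEW_JUNK.match(s)) for s in lines)


def best_time(pattern, text, repeats=3):
    """Best-of-N wall time for one anchored match, plus the match result."""
    best, result = float("inf"), None
    for _ in range(repeats):
        start = time.perf_counter()
        result = pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best, result


def redos_probe(n=2000):
    """Time both patterns on a long whitespace run that cannot match.

    With the old pattern two adjacent \\s* terms can split the run in about
    n*n/2 ways before failing; the new pattern has a single \\s* in front of
    an optional group that must start with '#', so it fails in about n steps.
    """
    probe = "\t" * n + "##"          # constructed input, never junk
    old_s, old_m = best_time(OLD_JUNK, probe)
    new_s, new_m = best_time(NEW_JUNK, probe)
    return {"old_seconds": old_s, "new_seconds": new_s,
            "old_match": old_m, "new_match": new_m}


if __name__ == "__main__":
    print("same verdicts:", same_verdicts())
    print(redos_probe())
```
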
Make test.support.temp_cwd() fork-safe. The context manager test.support.temp_cwd() no longer removes the temporary directory when executing in a process other than the parent it entered from.
If a forked child exits the context manager it won't do the cleanup.
* Add coro.cr_origin and sys.set_coroutine_origin_tracking_depth
* Use coroutine origin information in the unawaited coroutine warning
* Stop using set_coroutine_wrapper in asyncio debug mode
* In BaseEventLoop.set_debug, enable debugging in the correct thread
Even though Python marks any handles it opens as non-inheritable there
is still a race when using `subprocess.Popen` since creating a process
with redirected stdio requires temporarily creating inheritable handles.
By implementing support for `subprocess.Popen(close_fds=True)` we fix
this race.
In order to implement this we use PROC_THREAD_ATTRIBUTE_HANDLE_LIST
which is available since Windows Vista and allows passing an explicit
list of handles to inherit when creating a process.
This commit also adds `STARTUPINFO.lpAttributeList["handle_list"]`
which can be used to control PROC_THREAD_ATTRIBUTE_HANDLE_LIST
directly.
Always pass -1, or INFTIM where defined, to the poll() system call when
a negative timeout is passed to the poll.poll([timeout]) method in the
select module. Various OSes throw an error with arbitrary negative
values.
* bpo-27584: New addition of vSockets to the python socket module
Support for AF_VSOCK on Linux only
* bpo-27584: Fixes for V2
Fixed syntax and naming problems.
Fixed #ifdef AF_VSOCK checking
Restored original aclocal.m4
* bpo-27584: Fixes for V3
Added checking for fcntl and thread modules.
* bpo-27584: Fixes for V4
Fixed white space error
* bpo-27584: Fixes for V5
Added back comma in (CID, port).
* bpo-27584: Fixes for V6
Added news file.
socket.rst now reflects first Linux introduction of AF_VSOCK.
Fixed get_cid in test_socket.py.
Replaced PyLong_FromLong with PyLong_FromUnsignedLong in socketmodule.c
Got rid of extra AF_VSOCK #define.
Added sockaddr_vm to sock_addr.
* bpo-27584: Fixes for V7
Minor cleanup.
* bpo-27584: Fixes for V8
Put back #undef AF_VSOCK as it is necessary when vm_sockets.h is not installed.
* Added support for CAN_ISOTP protocol
* Added unit tests for CAN ISOTP
* Updated documentation for ISO-TP protocol
* Removed trailing whitespace in documentation
* Added blurb NEWS.d file
* updated Misc/ACKS
* Fixed broken unit test that was using isotp const outside of skippable section
* Removed dependency over third party project
* Added implementation for getsockname + unit tests
* Missing newline at end of ACKS file
* Accidentally inserted a type in ACKS file
* Followed tiran changes review #1 recommendations
* Added spaces after comma
PEP 523 introduced _PyEval_EvalFrameDefault which inlines PyEval_EvalFrameEx on
non-debug shared builds. This breaks the ability to use py-bt, py-up, and
a few other Python-specific gdb integrations.
This patch fixes the problem by only looking for _PyEval_EvalFrameDefault
frames.
test_gdb passes on both a debug and a non-debug build.
Original patch by Bruno "Polaco" Penteado.
* Revert "Add Bruno Penteado to ACKS (#3091)"
This reverts commit f978405b3f.
* Revert "bpo-30983: eval frame rename in pep 0523 broke gdb's python extension (#2803)"
This reverts commit 2e0f4db114.
* Make error message more informative
Replace assertions in error-reporting code with a more-informative version that doesn't cause confusion over where and what the error is.
* Additional clarification + get travis to check
* Change from SystemError to TypeError
As suggested in PR comment by @pitrou, changing from SystemError; TypeError appears appropriate.
* NEWS file installation; ACKS addition (will do my best to justify it by additional work)
bpo-31072: Add a filter argument to zipapp.create_archive (GH-3021)
* Add an include_file argument to allow callers to decide which files to include
* Document the new argument
Adds a new 'Pip not installed' section that covers
running `ensurepip` manually, and also references
the relevant section of the Python Packaging User
Guide.
* Add 'parens' style to highlight both opener and closer.
* Make 'default' style, which is not default, a synonym for 'opener'.
* Make time-delay work the same with all styles.
* Add help for config dialog extensions tab, including parenmatch.
* Add new tests.
Original patch by Charles Wohlganger.
New error condition paths were introduced, which did not decrement
`key2` and `val2` objects. Therefore, decrement references before
jumping to the error label.
Signed-off-by: Eric N. Vander Weele <ericvw@gmail.com>
Leading whitespace was incorrectly dropped during folding of certain lines in the _header_value_parser's folding algorithm. This makes the whitespace handling code consistent.
Bug didn't manifest itself when importing a module with source as .py files are always the first on the search path. The issue only showed up in bytecode-only packages where the calculated file path would be ``__init__.py/__init__.pyc``.
Patch by Alexandru Ardelean.
The current regex based splitting produces a wrong result. For example::
http://abc#@def
Web browsers parse that URL as ``http://abc/#@def``, that is, the host
is ``abc``, the path is ``/``, and the fragment is ``#@def``.
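
The host confusion described above, as an added example (not code from the commit): a hypothetical regex splitter that ends the authority at "/" or "?" but not at "#" is compared with urllib.parse.urlsplit, and URLs on which the two disagree are reported. NAIVE_AUTHORITY, naive_host and the URL list are assumptions made for illustration; only http://abc#@def comes from the message.

```python
import re
from urllib.parse import urlsplit

# Hypothetical regex-based splitter (assumption, not the project's code):
# the authority stops at "/" or "?", and "#" is forgotten.
NAIVE_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?]*)")


def naive_host(url):
    """Host as seen by the naive splitter: drop userinfo, then the port."""
    m = NAIVE_AUTHORITY.match(url)
    if not m:
        return None
    hostport = m.group(1).rpartition("@")[2]
    return hostport.partition(":")[0].lower() or None


def parsed_host(url):
    """Host as seen by urlsplit, which ends the authority at '/', '?' or '#'."""
    return urlsplit(url).hostname


def host_disagreements(urls):
    """Return (url, naive, parsed) for every URL the two splitters disagree on.

    Any entry here means a host allowlist check and the code that later
    connects could be looking at different hosts.
    """
    found = []
    for url in urls:
        naive, parsed = naive_host(url), parsed_host(url)
        if naive != parsed:
            found.append((url, naive, parsed))
    return found


# Constructed inputs; the first one is the URL from the commit message.
CONSTRUCTED_URLS = [
    "http://abc#@def",
    "http://abc/#@def",
    "http://user@abc/path",
    "http://abc:8080/?q=1",
]

if __name__ == "__main__":
    for row in host_disagreements(CONSTRUCTED_URLS):
        print(row)
```
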
Several class attributes have been added to calendar.HTMLCalendar that allow customization of the CSS classes used in the resulting HTML. This can be done by subclassing HTMLCalendar and overwriting those class attributes (Patch by Oz Tiram).
test_thread: setUp() now uses support.threading_setup() and
support.threading_cleanup() to wait until threads complete to avoid
random side effects on following tests.
Co-Authored-By: Grzegorz Grzywacz <grzegorz.grzywacz@nazwa.pl>
* bpo-29243: Fix Makefile with respect to --enable-optimizations
When using the Profile Guided Optimization (./configure --enable-optimizations)
Python is built not only during `make` but rebuilt again during `make test`,
`make install` and others. This patch fixes the issue.
Note that this fix produces no change at all in the Makefile if configure is
run without --enable-optimizations.
* !squash
The reference to administrative data was confusing to readers,
so this simplifies the note to explain that deep copying may copy
more than you intended, such as data that you expected to be
shared between copies.
* change LBYL key lookup to dict.setdefault
The ``results`` was constructed as a defaultdict and we could simply
delete the check ``if key not in results``. However, I think it's safer
to use dict.setdefault as I'm not sure whether the caller expects a
regular dict or defaultdict.
* add name to the acknowledgements file
* use defaultdict to make the key-lookup cleaner
The Windows-specific subprocess.STARTUPINFO class now accepts
keyword-only arguments to its constructor to set the various
data attributes.
Patch by Subhendu Ghosh.
* bpo-16285: Update urllib quoting to RFC 3986
urllib.parse.quote is now based on RFC 3986, and hence
includes `'~'` in the set of characters that is not escaped
by default.
Patch by Christian Theune and Ratnadeep Debnath.
- Add 'preferred' argument to webbrowser.register
- Use xdg-settings to specify preferred X browser
The first change replaces the existing undocumented tri-state
'try_order' parameter with the documented boolean keyword-only
'preferred' parameter. Setting it to True places the browser at the
front of the list, preferring it as the return to a subsequent get() call.
The second change adds a private `_os_preferred_browser` setting
and then uses that to make the default browser reported by
`xdg-settings` first in the try list when running under X (or
another environment that sets the `DISPLAY` variable).
This avoids the problem where the first entry in the tryorder
queue otherwise defaults to xdg-open, which doesn't support
the "new window" option.
* Wrong parameter name, 'group_by' instead of 'key_type'
* Don't round up numbers when explaining the examples. If they exactly match
what can be read in the script output, it is easier to understand
(4.8 MiB vs 4855 KiB)
* Fix incorrect method link that was pointing to another module
Patch written by Loic Pefferkorn.
Patch by Masayuki Yamamoto, reviewed and rebased by Erik Bray.
This is a first step on the long road toward resupporting Cygwin, which does
not provide siginfo_t.si_band.
Tested on macOS 10.11 dtrace, Ubuntu 16.04 SystemTap, and libbcc.
Largely based on an initial patch by Jesús Cea Avión, with some
influence from Dave Malcolm's SystemTap patch and Nikhil Benesch's
unification patch.
Things deliberately left out for simplicity:
- ustack helpers, I have no way of testing them at this point since
they are Solaris-specific
- PyFrameObject * in function__entry/function__return, this is
SystemTap-specific
- SPARC support
- dynamic tracing
- sys module dtrace facility introspection
All of those might be added later.
When the body object is a file, its size is no longer determined with
fstat(), since that can report the wrong result (e.g. reading from a pipe).
Instead, determine the size using seek(), or fall back to chunked encoding
for unseekable files.
Also, change the logic for detecting text files to check for TextIOBase
inheritance, rather than inspecting the “mode” attribute, which may not
exist (e.g. BytesIO and StringIO). The Content-Length for text files is no
longer determined ahead of time, because the original logic could have been
wrong depending on the codec and newline translation settings.
Patch by Demian Brecht and Rolf Krahl, with a few tweaks by me.
Multi-phase extension module import now correctly allows the
``m_methods`` field to be used to add module level functions
to instances of non-module types returned from ``Py_create_mod``.
Patch by Xiang Zhang.
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
The dependency on the $(PGEN) variable must only be
set when not cross-compiling. When cross-compiling,
$(PGEN) will not be used, so no need to build it.
Patch by Thomas Perl.
As part of the update, the documentation was updated to normalize
around the term "virtual environment" instead of relying too heavily
on "venv" for the same meaning and leading to inconsistent usage of
either.
Thanks to Steve Piercy for the patch.
Issue #26839: On Linux, os.urandom() now calls getrandom() with GRND_NONBLOCK
to fall back on reading /dev/urandom if the urandom entropy pool is not
initialized yet. Patch written by Colm Buckley.
inspect.signature now reports the implicit ``.0`` parameters generated by
the compiler for comprehension and generator expression scopes as if they
were positional-only parameters called ``implicit0``.
Patch by Jelle Zijlstra.
Issue #27057: Fix os.set_inheritable() on Android, ioctl() is blocked by
SELinux and fails with EACCES. The function now falls back to fcntl().
Patch written by Michał Bednarski.
Issue #26804: urllib.request will prefer lower_case proxy environment variables
over UPPER_CASE or Mixed_Case ones.
Patch contributed by Hans-Peter Jansen. Reviewed by Martin Panter and Senthil Kumaran.
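
The two proxy-variable rules in the messages above (HTTP_PROXY ignored when REQUEST_METHOD is set, and lower_case variables preferred), exercised together as an added example that is not code from either commit. It calls the standard library's urllib.request.getproxies_environment under constructed environments; the proxy URLs and the helper name proxies_for are assumptions. The CGI rule matters because a CGI server passes request headers to the script as HTTP_* variables, so HTTP_PROXY can carry a client-supplied value.

```python
import os
from unittest import mock
from urllib.request import getproxies_environment

# Constructed values: one stands for a value that arrived with the request,
# the other for a proxy the operator configured on purpose.
UNTRUSTED = "http://from-request.invalid:3128"
OPERATOR = "http://operator-proxy.invalid:3128"


def proxies_for(env):
    """Proxy map urllib computes when os.environ is exactly `env`."""
    with mock.patch.dict(os.environ, env, clear=True):
        return getproxies_environment()


def proxy_cases():
    """Run the rule combinations a CGI deployment cares about."""
    return {
        # Not CGI: upper-case HTTP_PROXY is honoured as usual.
        "plain_upper": proxies_for({"HTTP_PROXY": OPERATOR}),
        # CGI: HTTP_PROXY is dropped, other schemes are unaffected.
        "cgi_upper": proxies_for({
            "REQUEST_METHOD": "GET",
            "HTTP_PROXY": UNTRUSTED,
            "HTTPS_PROXY": OPERATOR,
        }),
        # CGI: a lower-case http_proxy still applies and wins over HTTP_PROXY.
        "cgi_lower": proxies_for({
            "REQUEST_METHOD": "GET",
            "HTTP_PROXY": UNTRUSTED,
            "http_proxy": OPERATOR,
        }),
        # Not CGI: lower_case is preferred over UPPER_CASE.
        "mixed_case": proxies_for({
            "HTTP_PROXY": UNTRUSTED,
            "http_proxy": OPERATOR,
        }),
    }


if __name__ == "__main__":
    for name, proxies in proxy_cases().items():
        print(name, proxies)
```
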
Issue #26799: Fix python-gdb.py: don't get C types once when the Python code
is loaded, but get C types on demand. The C types can change if
python-gdb.py is loaded before the Python executable.
Patch written by Thomas Ilsche.
Issue #26801: Fix error handling in shutil.get_terminal_size(), catch
AttributeError instead of NameError. Patch written by Emanuel Barry.
test_shutil: skip the functional test using "stty size" command if
os.get_terminal_size() is missing.