The ssl module now contains OP_NO_RENEGOTIATION constant, available with
OpenSSL 1.1.0h or 1.1.1.
Note, OpenSSL 1.1.0h hasn't been released yet.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 67c4801663)
Co-authored-by: Christian Heimes <christian@python.org>
This is an initial version that likely requires much polishing. I'm adding it lay out the structure and so we have something to start working from.
(cherry picked from commit 98d50cb8f5)
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
Also bump PendingDeprecationWarning to DeprecationWarning.
(cherry picked from commit 9eb40bc38d)
Co-authored-by: Matthias Bussonnier <bussonniermatthias@gmail.com>
Most of the parameters were added in 3.4.4 (b9bf913ab3), but this
change was not documented
(cherry picked from commit 0ded580403)
Co-authored-by: Romuald Brunet <romuald@chivil.com>
Clarify that flush is implied when the call to write contains a newline character.
(cherry picked from commit 7ffd4c58fa)
Co-authored-by: Elena Oat <oat.elena@gmail.com>
In fact, we now require a newer Sphinx version because APIs have moved around.
(cherry picked from commit acfb087f9f)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
Adds some working and markup fixes that I missed
in the initial commit for this issue.
(Follow-up to GH-6419)
(cherry picked from commit 1a5c4bdb6e)
Co-authored-by: Nick Coghlan <ncoghlan@gmail.com>
The pydoc CLI assumed -m pydoc would add the empty string
to sys.path, and hence got confused when it switched to
adding the full initial working directory instead.
This refactors the pydoc CLI path manipulation to be
more testable, and ensures it won't accidentally
remove the standard library directory containing
pydoc itself from sys.path.
(cherry picked from commit 82a9481059)
Co-authored-by: Nick Coghlan <ncoghlan@gmail.com>
The examples in argparse documentation use `error: too few arguments`
error message which was removed in this commit f97c59a in 2011.
(cherry picked from commit 04e8293465)
Co-authored-by: suic86 <marko.gabriel.cz@gmail.com>
* bpo-33201: Modernize "Extension types" doc
* Split tutorial and other topics
* Some small fixes
* Address some review comments
* Rename noddy* to custom* and shoddy to sublist
* Fix markup
(cherry picked from commit 1d80a56173)
Co-authored-by: Antoine Pitrou <pitrou@free.fr>
An entry of None in sys.path_importer_cache represents a negative/missing finder for a path, so clearing it out makes sense.
(cherry picked from commit 9e2be60634)
Py_UNICODE is deprecated since Python 3.3.
But the deprecation is missed in the c-api/arg document.
(cherry picked from commit 42ec190761)
Co-authored-by: INADA Naoki <methane@users.noreply.github.com>
Passing True as the `bind_and_activate` *do* immediately opening and binding to their socket.
(cherry picked from commit e6223579c8)
Co-authored-by: cocoatomo <cocoatomo77@gmail.com>
Historically, -m added the empty string as sys.path
zero, meaning it resolved imports against the current
working directory, the same way -c and the interactive
prompt do.
This changes the sys.path initialisation to add the
*starting* working directory as sys.path[0] instead,
such that changes to the working directory while the
program is running will have no effect on imports
when using the -m switch.
(cherry picked from commit d5d9e02dd3)
- new test case for pre-initialization of sys.warnoptions and sys._xoptions
- restored ability to call these APIs prior to Py_Initialize
- updated the docs for the affected APIs to make it clear they can be
called before Py_Initialize
- also enhanced the existing embedding test cases
to check for expected settings in the sys module
(cherry picked from commit bc77eff8b9)
Co-authored-by: Nick Coghlan <ncoghlan@gmail.com>
The result of host() was not empty when the network is constructed by a tuple containing an
integer mask and only 1 bit left for addresses.
(cherry picked from commit 10b134a07c)
Co-authored-by: Xiang Zhang <angwerzx@126.com>
Multi-phase initialized modules allow m_traverse to be called while the
module is still being initialized, so module authors may need to account
for that.
(cherry picked from commit c2b0b12d1a)
Co-authored-by: Marcel Plch <gmarcel.plch@gmail.com>
Replace example result of "5 through 9" with complete list: "5, 6, 7, 8, 9".
This format is more consistent with the surrounding examples.
(cherry picked from commit 83d7062d2d)
Co-authored-by: Steven M. Vascellaro <S.Vascellaro@gmail.com>
`int` fails back to `__trunc__` is `__int__` isn't defined, so cover
that in the docs.
(cherry picked from commit 308eab979d)
Co-authored-by: Eric Appelt <eric.appelt@gmail.com>
* fix a typo: documention -> documentation
* fix the type of IPv?Network.hostmask
* add documentation about IPv?Network.netmask
* fix IPv6Network constructor doc that extended netmasks are not supported
(cherry picked from commit e405096ea9)
Co-authored-by: Xiang Zhang <angwerzx@126.com>
* Add What's New entry for addition of datetime.timezone to the C API
Closes bpo-10381
* Add what's new entry for date and datetime optimizations
Closes bpo-32403
(cherry picked from commit 5bd04f964b)
Co-authored-by: Paul Ganssle <pganssle@users.noreply.github.com>
OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.
Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 698dde16f6)
Co-authored-by: Christian Heimes <christian@python.org>
Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.
SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.
The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 9d50ab563d)
Co-authored-by: Christian Heimes <christian@python.org>
The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 90f05a527c)
Co-authored-by: Christian Heimes <christian@python.org>
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 05d9fe32a1)
Co-authored-by: Christian Heimes <christian@python.org>
Dropped the part that says: "For objects that do not provide sequence protocol".
(cherry picked from commit 7a1e1786f9)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
The 'optimization' is for space in the executable file, not for run time.
(cherry picked from commit 186b606d8a)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 6cdb7954b0)
Co-authored-by: Christian Heimes <christian@python.org>
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.
After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
(cherry picked from commit 11a1493bc4)
Co-authored-by: Christian Heimes <christian@python.org>
`whilst` and `while` are both english words, `whilst` is not as commonly used.
This can be confusing to readers whose primary language is not english.
(cherry picked from commit 98f42aac23)
Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway.
(cherry picked from commit e9edee0b65)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
If the directory already exists, it will be re-used.
(cherry picked from commit e8eb972514)
Co-authored-by: TROUVERIE Joachim <joachim.trouverie@linoame.fr>
Adapt documentation for `copyright` and `credits` to reality. Previously, the documentation implied that all each of `copyright`,
`credits`, and `license`, would print a message to call the object in order to see the full text. In reality, only `license` exhibits this
behaviour, and `copyright` and `credit` print their full text either when printed, displayed, or called.
(cherry picked from commit 243d6d7126)
Co-authored-by: Gerrit Holl <gerrit.holl@gmail.com>
There was an extra dash in the example for re.sub().
(cherry picked from commit b65cb163d6)
Co-authored-by: xpvpc <32843902+xpvpc@users.noreply.github.com>
Remove pkg_add -r python from FreeBSD installation section.
Moved to OpenBSD.
(cherry picked from commit 3384d38d51)
Co-authored-by: Eitan Adler <grimreaper@users.noreply.github.com>
This note incorrectly stated that "Base64 has an expansion factor of 6
to 4" (it is actually 4 to 3). It was decided to remove the note.
(cherry picked from commit 88c38a4049)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Describe *text* as an alias for *universal_newlines* in more places that people are likely to be referred to.
(cherry picked from commit e14c010378)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
The new link is given in a red box on the old page.
(cherry picked from commit 8d1f2f4038)
Co-authored-by: sblondon <sblondon@users.noreply.github.com>
`arg_name` and `element_index` are defined as `digit`+ instead of `integer`.
(cherry picked from commit 7a561afd2c)
Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
Fixes the documentation for `subprocess.check_output()` not mentioning that the encoding and errors parameters were added in 3.6.
(cherry picked from commit fc1ce810f1)
Co-authored-by: Brice Gros <brice-gros@users.noreply.github.com>
When `__getattr__` is implemented, attribute lookup will always fall back to that,
even if the initial failure comes from `__getattribute__` or a descriptor's `__get__`
method (including property methods).
(cherry picked from commit d1f318105b)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
Changed the definition of width and precision from "integer" to "digit+" in format mini-language doc.
(cherry picked from commit 8b5fa289fd)
Co-authored-by: nathankerr96 <nathankerr96@gmail.com>
Fix typos found by codespell in docs, docstrings, and comments.
(cherry picked from commit c3d9508ff2)
Co-authored-by: Leo Arias <leo.arias@canonical.com>
Modify RE examples in documentation to use raw strings to prevent DeprecationWarning.
Add text to REGEX HOWTO to highlight the deprecation. Approved by Serhiy Storchaka.
(cherry picked from commit 66771422d0)
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
This reverts commit 72a0d218dc.
The reverted commit had a few issues so it was unanimously decided
to undo it. See the bpo issue for details.
(cherry picked from commit 383b32fe10)
Co-authored-by: Yury Selivanov <yury@magic.io>
The f-string example for using datetime format specifier does not match the given output.
Changed the format from %b to %B so it matches the output of "January".
This allows the compression level to be specified when writing zipfiles
(for the entire file *and* overridden on a per-file basis).
Contributed by Bo Bayles
Fix socket(fileno=fd) by auto-detecting the socket's family, type,
and proto from the file descriptor. The auto-detection can be overruled
by passing in family, type, and proto explicitly.
Without the fix, all socket except for TCP/IP over IPv4 are basically broken:
>>> s = socket.create_connection(('www.python.org', 443))
>>> s
<socket.socket fd=3, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('2003:58:bc4a:3b00:56ee:75ff:fe47:ca7b', 59730, 0, 0), raddr=('2a04:4e42:1b::223', 443, 0, 0)>
>>> socket.socket(fileno=s.fileno())
<socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('2003:58:bc4a:3b00::%2550471192', 59730, 0, 2550471192), raddr=('2a04:4e42:1b:0:700c:e70b:ff7f:0%2550471192', 443, 0, 2550471192)>
Signed-off-by: Christian Heimes <christian@python.org>
Until now Python used a hard coded white list of default TLS cipher
suites. The old approach has multiple downsides. OpenSSL's default
selection was completely overruled. Python did neither benefit from new
cipher suites (ChaCha20, TLS 1.3 suites) nor blacklisted cipher suites.
For example we used to re-enable 3DES.
Python now defaults to OpenSSL DEFAULT cipher suite selection and black
lists all unwanted ciphers. Downstream vendors can override the default
cipher list with --with-ssl-default-suites.
Signed-off-by: Christian Heimes <christian@python.org>
socketserver.ForkingMixIn.server_close() and
socketserver.ThreadingMixIn.server_close() now waits until all child
processes and non-daemonic threads complete.
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
The hmac module now has hmac.digest(), which provides an optimized HMAC
digest for short messages. hmac.digest() is up to three times faster
than hmac.HMAC().digest().
Signed-off-by: Christian Heimes <christian@python.org>
Make it clear that setting __class__ on a module has worked since 3.5,
but support for __getattr__ and __dir__ on module instances requires 3.7+
Patch by Cheryl Sabella.
* Document `from __future__ import annotations`
* Provide plumbing and tests for `from __future__ import annotations`
* Implement unparsing the AST back to string form
This is required for PEP 563 and as such only implements a part of the
unparsing process that covers expressions.
* bpo-32662: Implement Server.start_serving() and Server.serve_forever()
New methods:
* Server.start_serving(),
* Server.serve_forever(), and
* Server.is_serving().
Add 'start_serving' keyword parameter to loop.create_server() and
loop.create_unix_server().
* Add timezone to datetime C API
* Add documentation for timezone C API macros
* Add dedicated tests for datetime type check macros
* Remove superfluous C API test
* Drop support for TimeZoneType in datetime C API
* Expose UTC singleton to the datetime C API
* Update datetime C-API documentation to include links
* Add reference count information for timezone constructors
To support reproducible builds, the setting of of SOURCE_DATE_EPOCH triggers the py_compile module -- and by extension, compileall -- to forcibly compile with hash-based .pyc files. This eliminates the possibility of timestamp-based .pyc files which vary between builds.
PyUnicode_DecodeLocaleAndSize(), PyUnicode_DecodeLocale() and
PyUnicode_EncodeLocale() now use always use the UTF-8 encoding on
Android, instead of the current locale encoding.
On Android API 19, mbstowcs() and wcstombs() are broken and cannot be
used.
* bpo-31801: Enum: add _ignore_ as class option
_ignore_ is a list, or white-space seperated str, of names that will not
be candidates for members; these names, and _ignore_ itself, are removed
from the final class.
* bpo-31801: Enum: add documentation for _ignore_
* bpo-31801: Enum: remove trailing whitespace
* bpo-31801: Enum: fix bulleted list format
* bpo-31801: add version added for _ignore_
* Add coro.cr_origin and sys.set_coroutine_origin_tracking_depth
* Use coroutine origin information in the unawaited coroutine warning
* Stop using set_coroutine_wrapper in asyncio debug mode
* In BaseEventLoop.set_debug, enable debugging in the correct thread
* Add _Py_GetLocaleconvNumeric() function: decode decimal_point and
thousands_sep fields of localeconv() from the LC_NUMERIC encoding,
rather than decoding from the LC_CTYPE encoding.
* Modify locale.localeconv() and "n" formatter of str.format() (for
int, float and complex to use _Py_GetLocaleconvNumeric()
internally.
Modify locale.localeconv(), time.tzname, os.strerror() and other
functions to ignore the UTF-8 Mode: always use the current locale
encoding.
Changes:
* Add _Py_DecodeLocaleEx() and _Py_EncodeLocaleEx(). On decoding or
encoding error, they return the position of the error and an error
message which are used to raise Unicode errors in
PyUnicode_DecodeLocale() and PyUnicode_EncodeLocale().
* Replace _Py_DecodeCurrentLocale() with _Py_DecodeLocaleEx().
* PyUnicode_DecodeLocale() now uses _Py_DecodeLocaleEx() for all
cases, especially for the strict error handler.
* Add _Py_DecodeUTF8Ex(): return more information on decoding error
and supports the strict error handler.
* Rename _Py_EncodeUTF8_surrogateescape() to _Py_EncodeUTF8Ex().
* Replace _Py_EncodeCurrentLocale() with _Py_EncodeLocaleEx().
* Ignore the UTF-8 mode to encode/decode localeconv(), strerror()
and time zone name.
* Remove PyUnicode_DecodeLocale(), PyUnicode_DecodeLocaleAndSize()
and PyUnicode_EncodeLocale() now ignore the UTF-8 mode: always use
the "current" locale.
* Remove _PyUnicode_DecodeCurrentLocale(),
_PyUnicode_DecodeCurrentLocaleAndSize() and
_PyUnicode_EncodeCurrentLocale().
`os.path.is*()` can return False if the file can't be accessed.
The behaviour is documented in details in `os.path.exists()`.
Link to `os.path.exists()` from `os.path.is*()`.
In lexical analysis reference documentation, the internal link to
the string literal concatenation section was written as`.. _string-catenation:`.
Changed that to `.. _string-concatenation:`.
- primary change is to add a new default filter entry for
'default::DeprecationWarning:__main__'
- secondary change is an internal one to cope with plain
strings in the warning module's internal filter list
(this avoids the need to create a compiled regex object
early on during interpreter startup)
- assorted documentation updates, including many more
examples of configuring the warnings settings
- additional tests to ensure that both the pure Python and
the C accelerated warnings modules have the expected
default configuration
Add a new argument "-m" to the pdb module to allow
users to run `python -m pdb -m my_module_name`.
This relies on private APIs in the runpy module to work,
but we can get away with that since they're both part of
the standard library and can be updated together if
the runpy internals get refactored.
This module has never been enabled by default, never worked correctly
on x86-64, and caused ABI problems that caused C extension
compatibility. See bpo-29137 for details/discussion.
Updates documentation for generator expressions in classes tutorial: Clarify usage of ambiguous term "brackets" by replacing with "square brackets". Updated subsequent lines to respect line breaks. (#5079)
* Make ssh_handshake_timeout None by default.
* Raise ValueError if ssl_handshake_timeout is used without ssl.
* Raise ValueError if ssl_handshake_timeout is not positive.
Even though Python marks any handles it opens as non-inheritable there
is still a race when using `subprocess.Popen` since creating a process
with redirected stdio requires temporarily creating inheritable handles.
By implementing support for `subprocess.Popen(close_fds=True)` we fix
this race.
In order to implement this we use PROC_THREAD_ATTRIBUTE_HANDLE_LIST
which is available since Windows Vista. Which allows to pass an explicit
list of handles to inherit when creating a process.
This commit also adds `STARTUPINFO.lpAttributeList["handle_list"]`
which can be used to control PROC_THREAD_ATTRIBUTE_HANDLE_LIST
directly.
bpo-29240, bpo-32030: If the encoding change (C locale coerced or
UTF-8 Mode changed), Py_Main() now reads again the configuration with
the new encoding.
Changes:
* Add _Py_UnixMain() called by main().
* Rename pymain_free_pymain() to pymain_clear_pymain(), it can now be
called multipled times.
* Rename pymain_parse_cmdline_envvars() to pymain_read_conf().
* Py_Main() now clears orig_argc and orig_argv at exit.
* Remove argv_copy2, Py_Main() doesn't modify argv anymore. There is
no need anymore to get two copies of the wchar_t** argv.
* _PyCoreConfig: add coerce_c_locale and coerce_c_locale_warn.
* Py_UTF8Mode is now initialized to -1.
* Locale coercion (PEP 538) now respects -I and -E options.
bpo-32329, bpo-32030:
* The -R option now turns on hash randomization when the
PYTHONHASHSEED environment variable is set to 0 Previously, the
option was ignored.
* sys.flags.hash_randomization is now properly set to 0 when hash
randomization is turned off by PYTHONHASHSEED=0.
* _PyCoreConfig_ReadEnv() now reads the PYTHONHASHSEED environment
variable. _Py_HashRandomization_Init() now only apply the
configuration, it doesn't read PYTHONHASHSEED anymore.
* Fix multiple typos in code comments
* Add spacing in comments (test_logging.py, test_math.py)
* Fix spaces at the beginning of comments in test_logging.py
Miss Islington (bot)
Pablo Galindo
Ethan Furman
Brett Cannon
Serhiy Storchaka
Nick Coghlan
Ned Deily
Christian Heimes
Mariatta
Ivan Levkivskyi
Barry Warsaw
Cheryl Sabella
Xiang Zhang
Bernhard M. Wiedemann
Stéphane Wirtel
John Jolly
Anders Lorentsen
Bo Bayles
Julien Palard
Mark Shannon
Raymond Hettinger
Victor Stinner
cocoatomo
Yury Selivanov
Gregory P. Smith
Steve Dower
larryhastings
Eric V. Smith
jcea
Коренберг Марк
Elvis Pranskevichus
Andrew Svetlov
INADA Naoki
Guido van Rossum
mwidjaja
Ilya Kulakov
Paul Ganssle
Nathaniel J. Smith
Sanyam Khurana
Antoine Pitrou
Julian Kahnert
İsmail Arılık
Mario Corchero
Benjamin Peterson
Emily Morehouse
Srinivas Reddy Thatiparthy (శ్రీనివాస్ రెడ్డి తాటిపర్తి)
Sebastian Pucilowski
Marcel Plch
KatherineMichel
Neil Aspinall
Segev Finer
Ville Skyttä
Giuseppe Scrivano
Mike