The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings.
Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group, Leading zeros are stripped off later.
* Prevent low-grade poplib REDOS (CVE-2018-1060)
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee235)
Dropped the part that says: "For objects that do not provide sequence protocol".
(cherry picked from commit 7a1e1786f9)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
This code never did anything correct or useful. The class attribute will never be affected, and the condition will never be true.
(cherry picked from commit 5fb632e831)
Co-authored-by: Aaron Gallagher <habnabit@users.noreply.github.com>
The ctypes module used to depend on indirect linking for dlopen. The shared
extension is now explicitly linked against libdl on platforms with dl.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 5bb9692575)
Co-authored-by: Christian Heimes <christian@python.org>
The ssl module now detects missing NPN support in LibreSSL.
Co-Authored-By: Bernard Spil <brnrd@FreeBSD.org>
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 6cdb7954b0)
Co-authored-by: Christian Heimes <christian@python.org>
The SSL module no longer sends IP addresses in SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit e9370a4738)
Co-authored-by: Christian Heimes <christian@python.org>
Debian Unstable has disabled TLS 1.0 and 1.1 for SSLv23_METHOD(). Change
TLS/SSL protocol of some tests to PROTOCOL_TLS or PROTOCOL_TLSv1_2 to
make them pass on Debian.
Signed-off-by: Christian Heimes <christian@python.org>
`whilst` and `while` are both english words, `whilst` is not as commonly used.
This can be confusing to readers whose primary language is not english.
(cherry picked from commit 98f42aac23)
Co-authored-by: Mariatta <Mariatta@users.noreply.github.com>
Make test.support.temp_cwd() fork-safe. The context manager test.support.temp_cwd() no longer removes the temporary directory when executing in a process other than the parent it entered from.
If a forked child exits the context manager it won't do the cleanup..
(cherry picked from commit 33dddac00b)
Co-authored-by: Anselm Kruis <a.kruis@science-computing.de>
Initialize self._ssnd_chunk so that aifc.Error is raised as intended,
not AttributeError.
(cherry picked from commit 80d20b918b)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
It's bad form to pin to an old version of TLS. ssl.SSLContext has the right
protocol default, so let's not pass anyway..
(cherry picked from commit e9edee0b65)
Adapt documentation for `copyright` and `credits` to reality. Previously, the documentation implied that all each of `copyright`,
`credits`, and `license`, would print a message to call the object in order to see the full text. In reality, only `license` exhibits this
behaviour, and `copyright` and `credit` print their full text either when printed, displayed, or called.
(cherry picked from commit 243d6d7126)
Co-authored-by: Gerrit Holl <gerrit.holl@gmail.com>
A closing parentheses was missing.
Signed-off-by: Ngie Cooper <yaneurabeya@gmail.com>
(cherry picked from commit 7745ec4e35)
Co-authored-by: ngie-eign <1574099+ngie-eign@users.noreply.github.com>
Remove pkg_add -r python from FreeBSD installation section.
Moved to OpenBSD.
(cherry picked from commit 3384d38d51)
Co-authored-by: Eitan Adler <grimreaper@users.noreply.github.com>
The new link is given in a red box on the old page.
(cherry picked from commit 8d1f2f4038)
Co-authored-by: sblondon <sblondon@users.noreply.github.com>
Clarify that the level argument is used to determine whether to
perform absolute or relative imports: 0 is absolute, while a positive number
is the number of parent directories to search relative to the current module..
(cherry picked from commit 461d225b19)
Co-authored-by: oldk <oldk1331@users.noreply.github.com>
_test_multiprocessing.test_queue_feeder_donot_stop_onexc() now uses a
timeout of 1 second on Queue.get(), instead of 0.1 second, for slow
buildbots.
(cherry picked from commit 8f6eeaf21c)
The nismodule is now compatible with new libnsl and headers location
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 29a7df7827)
In str.join, if any of the iterable contains a Unicode object,
str.join will return a Unicode object.
A Type error will be raised if iterable contains values other
than a string or Unicode object.
test_subprocess.test_leaking_fds_on_error() failed when the PATH
environment variable contains a path to an existing file. Fix the
test: ignore also ENOTDIR, not only ENOENT and EACCES.
Miss Islington (bot)
Xiang Zhang
Jamie Davis
Benjamin Peterson
Brett Cannon
Alexey Izbyshev
bennorth
Cheryl Sabella
Christian Heimes
Anselm Kruis
Raymond Hettinger
Éric Araujo
Zachary Ware
Serhiy Storchaka
Stéphane Wirtel
INADA Naoki
Ned Deily
Mariatta
Victor Stinner
Bo Bayles