* Prevent some possible DoS attacks via providing invalid Plist files
with extremely large number of objects or collection sizes.
* Raise InvalidFileException for too large bytes and string size instead of returning garbage.
* Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
* Raise InvalidFileException instead of TypeError for non-hashable dict keys.
* Add more tests for invalid Plist files..
(cherry picked from commit 34637a0ce2)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f)
Co-authored-by: Rishi <rishi_devan@mail.com>
CVE-2020-14422
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26e36)
Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
Signed-off-by: Tapas Kundu <tkundu@vmware.com>
Signed-off-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: @tiran.
(cherry picked from commit bb6ec14479)
Co-authored-by: Christian Heimes <christian@python.org>
ensurepip optionally installs or upgrades 'pip' and 'setuptools' using
the version of those modules bundled with Python. The internal PIP
installation routine by default temporarily uses its cache, if it
exists. This is undesirable as Python builds and installations may be
independent of the user running the build, whilst PIP cache location
is dependent on the user's environment and outside of the build
environment.
At the same time, there's no value in using the cache while installing
bundled modules.
This change disables PIP caching when used in ensurepip.
(cherry picked from commit 4a3a682b12)
Co-authored-by: Krzysztof Konopko <kkonopko@users.noreply.github.com>
In Python 3.7 the behavior of parse_multipart changed requiring CONTENT-LENGTH
header, this fix remove this header as required and fix FieldStorage
read_lines_to_outerboundary, by not using limit when it's negative,
since by default it's -1 if not content-length and keeps substracting what
was read from the file object.
Also added a test case for this problem.
(cherry picked from commit d8cf3514dd)
Co-authored-by: roger <rogerduran@gmail.com>
Automerge-Triggered-By: @ned-deily
Remote host cyrus.andrew.cmu.edu is blocking incoming connections and is
causing test suite to fail.
Signed-off-by: Christian Heimes <christian@python.org>
unittest.TestCase.assertWarns no longer raises a RuntimeException
when accessing a module's ``__warningregistry__`` causes importation of a new
module, or when a new module is imported in another thread.
(cherry picked from commit 46398fba4d)
Co-authored-by: kernc <kerncece@gmail.com>
A tiny sliver of a 3.9 PEG parser patch needed to backport the test added by GH-20486.
(cherry picked from commit a5d6aba318)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Would be nice to backport to python 3.7+. I don't think it's worth the hassle to backport this all the way down to 3.10. But I'll let the maintainers decide.
This is hard to test because the test setup already includes this [environment variable](https://github.com/python/cpython/blob/master/Lib/test/pythoninfo.pyGH-L292)
Let me know if something doesn't match the PR guidelines. This is my first PR in the python source code.
(cherry picked from commit c822efeda9)
Co-authored-by: Jeremy Attali <jeremy.attali@gmail.com>
Leave selection when right click within. This exception to clearing selections when right-clicking was omitted from the previous commit, 4ca060d. I did not realize that this completely disabled the context menu entries, and I should have merged a minimal fix immediately. An automated test should follow.
(cherry picked from commit 97e4e0f53d)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Backporting to 3.8 and adding a NEWS item (I should have added one to the master branch -- oh well).
(cherry picked from commit b86636bff4)
Co-authored-by: Andrew Kuchling <amk@amk.ca>
* bpo-39040: Fix parsing of email headers with encoded-words inside a quoted string.
It is fairly common to find malformed mime headers (especially content-disposition
headers) where the parameter values, instead of being encoded to RFC
standards, are "encoded" by doing RFC 2047 "encoded word" encoding, and
then enclosing the whole thing in quotes. The processing of these malformed
headers was incorrectly leaving the spaces between encoded words in the decoded
text (whitespace between adjacent encoded words is supposed to be stripped on
decoding). This changeset fixes the encoded word processing inside quoted strings
(bare-quoted-string) to do correct RFC 2047 decoding by stripping that
whitespace.
(cherry picked from commit 21017ed904)
Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
ctypes now raises an ArgumentError when a callback
is invoked with more than 1024 arguments.
The ctypes module allocates arguments on the stack in
ctypes_callproc() using alloca(), which is problematic
when large numbers of arguments are passed. Instead
of a stack overflow, this commit raises an ArgumentError
if more than 1024 parameters are passed.
(cherry picked from commit 29a1384c04)
Co-authored-by: Sean Gillespie <sean@swgillespie.me>
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f17211c)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
struct.error is now raised if there is a null character in a struct
format string.
(cherry picked from commit 3f59b55316)
(cherry picked from commit 5ff5edfef6)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
This was the only failure running unittest.main(test.test_idle) after imports.
(cherry picked from commit 905b3cd05f)
Co-authored-by: Florian Dahlitz <f2dahlitz@freenet.de>
distutils.tests now saves/restores warnings filters to leave them
unchanged. Importing tests imports docutils which imports
pkg_resources which adds a warnings filter.
(cherry picked from commit 6e57237faf)
Co-authored-by: Victor Stinner <vstinner@python.org>
test_gdb and test.pythoninfo now check gdb command exit code.
(cherry picked from commit ec9bea4a37)
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.8] bpo-40431: Fix syntax typo in turtledemo (GH-19777)
* Addresses a syntax typo that mistakenly used a undefined string prefix due to a missing space.
(cherry picked from commit 49f70db83e)
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
(cherry picked from commit cc011b5190)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
* bpo-37421: multiprocessing tests call _run_finalizers() (GH-14527)
multiprocessing tests now call explicitly _run_finalizers() to remove
immediately temporary directories created by
multiprocessing.util.get_temp_dir().
(cherry picked from commit 039fb49c18)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
(cherry picked from commit 632cb36084)
* bpo-37421: multiprocessing tests now stop ForkServer (GH-14601)
multiprocessing tests now stop the ForkServer instance if it's
running: close the "alive" file descriptor to ask the server to stop
and then remove its UNIX address.
(cherry picked from commit 8fbeb14312)
Co-authored-by: Victor Stinner <vstinner@redhat.com>
(cherry picked from commit 229f6e85f8)
* bpo-38546: multiprocessing tests stop the resource tracker (GH-17641) (GH-17647)
Multiprocessing and concurrent.futures tests now stop the resource
tracker process when tests complete.
Add ResourceTracker._stop() method to
multiprocessing.resource_tracker.
Add _cleanup_tests() helper function to multiprocessing.util: share
code between multiprocessing and concurrent.futures tests.
(cherry picked from commit 9707e8e22d)
(cherry picked from commit 35acb35972)
* Remove NEWS about resource tracker
Python 3.7 multiprocessing does not have resource tracker.
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
bpo-32759, bpo-39932: Fix multiprocessing test_heap():
a new Heap object is now created for each test run.
Partial backport of commit e4679cd644
by Antoine Pitrou.
It is possible to use either '-isysroot /some/path' (with a space) or
'-isysroot/some/path' (no space in between). Support both forms in
places where special handling of -isysroot is done, rather than just
the first form.
Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit b310700976)
Co-authored-by: Joshua Root <jmr@macports.org>
Fix the Windows implementation of os.waitpid() for exit code
larger than "INT_MAX >> 8". The exit status is now interpreted as an
unsigned number.
(cherry picked from commit b07350901c)
Co-authored-by: Victor Stinner <vstinner@python.org>
Miss Islington (bot)
Serhiy Storchaka
Ned Deily
Pablo Galindo
Steve Dower
Tapas Kundu
Christian Heimes
Stefan Krah
Terry Jan Reedy
Batuhan Taskaya
Victor Stinner