Commit Graph

106115 Commits

Author SHA1 Message Date
Brett Cannon 1df65f7c6c Fix old mention of virtualenv (GH-17417)
Automerge-Triggered-By: @brettcannon
2019-11-29 15:37:08 -08:00
Steve Dower bea33f5e1d
bpo-38920: Add audit hooks for when sys.excepthook and sys.unraisable hooks are invoked (GH-17392)
Also fixes some potential segfaults in unraisable hook handling.
2019-11-28 08:46:11 -08:00
Tal Einat 02519f75d1
bpo-38524: clarify example a bit and improve formatting (GH-17406) 2019-11-28 07:22:09 +02:00
Tzu-ping Chung d9aa216d49 bpo-38927: Use python -m pip to upgrade venv deps (GH-17403)
I suggest you add `bpo-NNNNN: ` as a prefix for the first commit for future PRs. Thanks!
2019-11-27 20:25:23 +00:00
Tzu-ping Chung 045d4e243d bpo-38928: Fix versionadded for venv's upgrade_deps function (GH-17404) 2019-11-27 20:21:48 +00:00
Inada Naoki ea9835c5d1
bpo-26730: Fix SpooledTemporaryFile data corruption (GH-17400)
SpooledTemporaryFile.rollback() might cause data corruption
when it is in text mode.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
2019-11-27 22:22:06 +09:00
Florian Dahlitz 1bddf890e5 bpo-38524: document implicit and explicit calling of descriptors' __set_name__ (GH-17364) 2019-11-27 10:46:40 +02:00
Yoni Lavi ce4b7a273a Show the differing module names for readlink() (GH-17395)
This was very confusing with the text for both being just `readlink()`.
2019-11-26 21:08:50 -08:00
Anthony Sottile 1ef4c32c8d Be more specific about the `.so` gitignore patterns (GH-17328)
In GH-15823 the pattern was changed from `libpython*.so*` to `*.so*` which
matches a bit too greedily for some packagers.  For instance this trips up
`debian/README.source`.  A more specific pattern fixes this issue.
2019-11-26 22:54:46 -06:00
Bruno P. Kinoshita 9bbcbc9f6d bpo-38688, shutil.copytree: consume iterator and create list of entries to prevent infinite recursion (GH-17098) 2019-11-27 09:10:37 +08:00
Steve Dower c7c01ab1e5
bpo-38922: Raise code.__new__ audit event when code object replace() is called (GH-17394) 2019-11-26 16:27:50 -08:00
HongWeipeng 0b41a922f9 bpo-38045: Improve the performance of _decompose() in enum.py (GH-16483)
* Improve the performance of _decompose() in enum.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
2019-11-26 14:36:02 -08:00
Terry Jan Reedy e563a155be bpo-38892: Improve docs for audit event (GH-17361) 2019-11-26 09:07:48 -08:00
Karl Dubost bc441ed7c1 bpo-22377: Fixes documentation for %Z in datetime (GH-16507)
This fixes the issue discussed in https://bugs.python.org/issue22377
and fixes it according to the comments made by Paul Ganssle @pganssle

* It clarifies which values are acceptable in the table
* It extends the note with a clearer information on the valid values


https://bugs.python.org/issue22377
2019-11-26 08:38:41 -08:00
HongWeipeng 036fe85bd3 bpo-27145: small_ints[x] could be returned in long_add and long_sub (GH-15716) 2019-11-26 16:54:49 +09:00
David Coles 386d00cc34 Remove use of deprecated `array.fromstring` method (GH-17332) 2019-11-26 15:31:09 +09:00
Brandt Bucher 6dd9b64770 bpo-38328: Speed up the creation time of constant list and set display. (GH-17114) 2019-11-26 15:16:53 +09:00
Eddie Elizondo e4db1f05e9 closes bpo-38803: Fix leak in posixmodule. (GH-17373) 2019-11-25 19:07:37 -08:00
Sanchit Khurana f8a6316778 bpo-21063: Improve module synopsis for distutils (GH-17363) 2019-11-25 14:17:59 -08:00
Stefan Behnel c6a7bdb356
bpo-20928: support base-URL and recursive includes in etree.ElementInclude (#5723)
* bpo-20928: bring elementtree's XInclude support en-par with the implementation in lxml by adding support for recursive includes and a base-URL.

* bpo-20928: Support xincluding the same file multiple times, just not recursively.

* bpo-20928: Add 'max_depth' parameter to xinclude that limits the maximum recursion depth to 6 by default.

* Add news entry for updated ElementInclude support
2019-11-25 16:36:25 +01:00
Pablo Galindo ded8888fbc bpo-38870: Remove dependency on contextlib to avoid performance regression on import (GH-17376)
https://bugs.python.org/issue38870



Automerge-Triggered-By: @pablogsal
2019-11-25 03:49:17 -08:00
Pablo Galindo e11f25dbd8
Fix typo in Doc/whatsnew/3.9.rst (GH-17372) 2019-11-25 11:16:39 +00:00
Pablo Galindo 27fc3b6f3f
bpo-38870: Expose a function to unparse an ast object in the ast module (GH-17302)
Add ast.unparse() as a function in the ast module that can be used to unparse an
ast.AST object and produce a string with code that would produce an equivalent ast.AST
object when parsed.
2019-11-24 23:02:40 +00:00
Terry Jan Reedy 6bf644ec82
bpo-38862: IDLE Strip Trailing Whitespace fixes end newlines (GH-17366)
Extra newlines are removed at the end of non-shell files. If the file only has newlines after stripping other trailing whitespace, all are removed, as is done by patchcheck.py.
2019-11-24 16:29:29 -05:00
Claudiu Popa 6f03b236c1 bpo-38876: Raise pickle.UnpicklingError when loading an item from memo for invalid input (GH-17335)
The previous code was raising a `KeyError` for both the Python and C implementation.
This was caused by the specified index of an invalid input which did not exist
in the memo structure, where the pickle stores what objects it has seen.
The malformed input would have caused either a `BINGET` or `LONG_BINGET` load
from the memo, leading to a `KeyError` as the determined index was bogus.

https://bugs.python.org/issue38876



https://bugs.python.org/issue38876
2019-11-24 11:15:08 -08:00
Batuhan Taşkaya e407646b74 Remove unnecessary variable definition (GH-17368) 2019-11-24 16:46:18 +00:00
Zac Hatfield-Dodds 665ad3dfa9 Better runtime TypedDict (GH-17214)
This patch enables downstream projects inspecting a TypedDict subclass at runtime to tell which keys are optional.

This is essential for generating test data with Hypothesis or validating inputs with typeguard or pydantic.
2019-11-24 10:48:48 +00:00
Raymond Hettinger 041d8b48a2
bpo-38881: choices() raises ValueError when all weights are zero (GH-17362) 2019-11-23 02:22:13 -08:00
Brett Cannon 84b1ff6560 bpo-38899: virtual environment activation for fish should use `source` (GH-17359)
The previously documented use of `.` is considered deprecated (https://fishshell.com/docs/current/commands.html#source).


https://bugs.python.org/issue38899



Automerge-Triggered-By: @brettcannon
2019-11-22 23:32:27 -08:00
Victor Stinner d68b592dd6
bpo-38896: Remove PyUnicode_ClearFreeList() function (GH-17354)
Remove PyUnicode_ClearFreeList() function: the Unicode free list has
been removed in Python 3.3.
2019-11-23 02:30:32 +01:00
PypeBros 14a89c4798 bpo-38686: fix HTTP Digest handling in request.py (#17045)
* fix HTTP Digest handling in request.py

There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]:
>      qop-options       = "qop" "=" <"> 1#qop-value <">
>      qop-value         = "auth" | "auth-int" | token
> **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server.  The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection

This is description confirmed by the definition of the [//n//]`#`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'.

When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`.

* 📜🤖 Added by blurb_it.

* bpo-38686 review fix: remember why.

* fix trailing space in Lib/urllib/request.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>
2019-11-22 15:19:08 -08:00
Ethan Furman 3ae38cc181
Update CODEOWNERS (#17356)
Add Ethan Furman for enum, cgi, and cgitb.
2019-11-22 14:28:41 -08:00
Victor Stinner 2ec1a1b307
bpo-38858: new_interpreter() uses pycore_init_import_warnings() (GH-17353) 2019-11-22 21:54:33 +01:00
Victor Stinner 2582d46fbc
bpo-38858: new_interpreter() reuses pycore_init_builtins() (GH-17351)
new_interpreter() now calls _PyBuiltin_Init() to create the builtins
module and calls _PyImport_FixupBuiltin(), rather than using
_PyImport_FindBuiltin(tstate, "builtins").

pycore_init_builtins() is now responsible to initialize
intepr->builtins_copy: inline _PyImport_Init() and remove this
function.
2019-11-22 19:24:49 +01:00
Victor Stinner 82c83bd907
bpo-38858: _PyImport_FixupExtensionObject() handles subinterpreters (GH-17350)
If _PyImport_FixupExtensionObject() is called from a subinterpreter,
leave extensions unchanged and don't copy the module dictionary
into def->m_base.m_copy.
2019-11-22 18:52:27 +01:00
Callum Ward 42bc60ead3 closes bpo-29275: Remove Y2K reference from time module docs (GH-17321)
The Y2K reference is not needed as it only points out that Python's use
of C standard functions doesn't generally suffer from Y2K issues; the
point regarding conventions for conversion of 2-digit years in
:func:`strptime` is still valid.
2019-11-22 08:57:14 -08:00
Victor Stinner b00513636c
bpo-38858: Add init_interp_main() subfunction (GH-17347)
Fix new_interpreter() error handling: undo it all if status is an
exception.
2019-11-22 17:52:42 +01:00
Victor Stinner e0c9ab8e26
bpo-38858: Add init_set_builtins_open() subfunction (GH-17346) 2019-11-22 16:19:14 +01:00
bcaller 1b779bfb85 bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular
space.

You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  # Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1 else
                65506  # Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  # Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like

"444444" + (" " * 2000) + "A"

could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
2019-11-22 15:22:11 +01:00
Alex 4e205b74f9 Fix quoted signature of setattrofunc (GH-17251)
setattrofunc returns `int`, not `PyObject *`.
2019-11-22 14:48:14 +01:00
jacksonriley 138e7bbb0a bpo-38866: Remove asyncore from test_pyclbr.py (GH-17316)
Co-Authored-By: Kyle Stanley <aeros167@gmail.com>
2019-11-22 21:51:58 +09:00
Victor Stinner 3d4833488a
bpo-38858: Call _PyUnicode_Fini() in Py_EndInterpreter() (GH-17330)
Py_EndInterpreter() now clears the filesystem codec.
2019-11-22 12:27:50 +01:00
Victor Stinner 310e2d2517
bpo-36854: Fix refleak in subinterpreter (GH-17331)
finalize_interp_clear() now explicitly clears the codec registry and
then trigger a GC collection to clear all references.
2019-11-22 10:58:00 +01:00
Siwon Kang 91daa9d722 bpo-38863: Improve is_cgi() in http.server (GH-17312)
is_cgi() function of http.server library does not currently handle a
cgi script if one of the cgi_directories is located at the
sub-directory of given path. Since is_cgi() in CGIHTTPRequestHandler
class separates given path into (dir, rest) based on the first seen
'/', multi-level directories like /sub/dir/cgi-bin/hello.py is divided
into head=/sub, rest=dir/cgi-bin/hello.py then check whether '/sub'
exists in cgi_directories = [..., '/sub/dir/cgi-bin'].
This patch makes the is_cgi() keep expanding dir part to the next '/'
then checking if that expanded path exists in the cgi_directories.

Signed-off-by: Siwon Kang <kkangshawn@gmail.com>





https://bugs.python.org/issue38863
2019-11-22 01:13:05 -08:00
Raymond Hettinger b4e5eeac26
Defer import of shutil which only needed for help and usage (GH-17334) 2019-11-21 22:51:45 -08:00
Claudiu Popa 65444cf7fe bpo-38526: Fix zipfile.Path method name to be the correct one (#17317) 2019-11-21 16:23:13 -05:00
benedwards14 0aca3a3a1e bpo-37838: get_type_hints for wrapped functions with forward reference (GH-17126)
https://bugs.python.org/issue37838
2019-11-21 17:24:58 +00:00
Mark Shannon 82f897bf8f
Correct release version to 3.9 for RERAISE and WITH_EXCEPT_START bytecodes. (#17318)
bpo-33387

Corrects commit fee5526
2019-11-21 14:47:49 +00:00
Victor Stinner 3ab479a2d1
bpo-38692: Skip test_posix.test_pidfd_open() on EPERM (GH-17290)
Skip the test_posix.test_pidfd_open() test if os.pidfd_open() fails
with a PermissionError. This situation can happen in a Linux sandbox
using a syscall whitelist which doesn't allow the pidfd_open()
syscall yet (like systemd-nspawn).
2019-11-21 12:54:54 +01:00
Victor Stinner 0127bb1c5c
bpo-38875: test_capi: trashcan tests require cpu resource (GH-17314)
test_capi: trashcan tests now require the test "cpu" resource.
2019-11-21 12:54:02 +01:00