Commit Graph

45 Commits

Author SHA1 Message Date
Łukasz Langa d93605de72
Python 3.8.0b4 2019-08-29 23:59:20 +02:00
Miss Islington (bot) 217077440a
bpo-34155: Dont parse domains containing @ (GH-13079)
Before:

        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
        (Address(display_name='', username='a', domain='malicious.org'),)

        >>> parseaddr('a@malicious.org@important.com')
        ('', 'a@malicious.org')

    After:

        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
        (Address(display_name='', username='', domain=''),)

        >>> parseaddr('a@malicious.org@important.com')
        ('', 'a@')

https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381)

Co-authored-by: jpic <jpic@users.noreply.github.com>
2019-08-09 01:31:27 -07:00
Łukasz Langa 4336222407
Python 3.8.0b3 2019-07-29 15:26:01 +02:00
Miss Islington (bot) 6816ca30af
bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
* bpo-37461: Fix infinite loop in parsing of specially crafted email headers.

Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e)

Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
2019-07-17 10:13:54 -07:00
Łukasz Langa 21dd01dad7
Python 3.8.0b2 2019-07-04 12:50:19 +02:00
Miss Islington (bot) 3cba3d3c55
bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499)
ssl.match_hostname() no longer accepts IPv4 addresses with additional text
after the address and only quad-dotted notation without trailing
whitespaces. Some inet_aton() implementations ignore whitespace and all data
after whitespace, e.g. '127.0.0.1 whatever'.

Short notations like '127.1' for '127.0.0.1' were already filtered out.

The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

Signed-off-by: Christian Heimes <christian@python.org>

https://bugs.python.org/issue37463
(cherry picked from commit 477b1b2576)

Co-authored-by: Christian Heimes <christian@python.org>
2019-07-02 14:06:18 -07:00
Miss Islington (bot) 746992c1ae
bpo-37363: Add audit events on startup for the run commands (GH-14524)
(cherry picked from commit e226e83d36)

Co-authored-by: Steve Dower <steve.dower@python.org>
2019-07-01 16:22:29 -07:00
Miss Islington (bot) 8763d43a95
bpo-37363: Add audit events for a range of modules (GH-14301)
(cherry picked from commit 60419a7e96)

Co-authored-by: Steve Dower <steve.dower@python.org>
2019-06-24 09:09:47 -07:00
Miss Islington (bot) 35202c7637
bpo-37364: Use io.open_code() to read .pth files (GH-14299)
https://bugs.python.org/issue37364
(cherry picked from commit 184f3d4f39)

Co-authored-by: Steve Dower <steve.dower@python.org>
2019-06-21 15:35:44 -07:00
Miss Islington (bot) c28c135824 bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer (GH-14163)
(cherry picked from commit a268edd6a4)

Co-authored-by: Steve Dower <steve.dower@python.org>
2019-06-17 12:54:18 -07:00
Łukasz Langa 3b5deb0116
Python 3.8.0b1 2019-06-04 19:44:34 +02:00
Victor Stinner 1c9debd236
bpo-35907: Fix typo in the NEWS entry (GH-13559) 2019-05-24 23:06:25 +02:00
Victor Stinner deffee5774
bpo-35907: Clarify the NEWS entry (GH-13523) 2019-05-24 22:06:32 +02:00
David Carlier 51aa35e9e1 bpo-33164: update blake2 implementation (GH-6286) 2019-05-23 13:32:44 +09:00
Victor Stinner 0c2b6a3943
bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-13474)
CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL
scheme in URLopener().open() and URLopener().retrieve()
of urllib.request.

Co-Authored-By: SH <push0ebp@gmail.com>
2019-05-22 22:15:01 +02:00
Krzysztof Wojcik c1f5667be1 bpo-33529, email: Fix infinite loop in email header encoding (GH-12020) 2019-05-14 18:55:23 +02:00
Łukasz Langa c1004b8546
Python 3.8.0a4 2019-05-06 20:30:25 +02:00
Gregory P. Smith b7378d7728
bpo-30458: Use InvalidURL instead of ValueError. (GH-13044)
Use http.client.InvalidURL instead of ValueError as the new error case's exception.
2019-05-01 16:39:21 -04:00
Gregory P. Smith c4e671eec2
bpo-30458: Disallow control chars in http URLs. (GH-12755)
Disallow control chars in http URLs in urllib.urlopen.  This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
2019-04-30 19:12:21 -07:00
Steve Dower d537ab0ff9
bpo-36742: Fixes handling of pre-normalization characters in urlsplit() (GH-13017) 2019-04-30 12:03:02 +00:00
Victor Stinner 2c4c02f8a8
bpo-35755: Remove current directory from posixpath.defpath (GH-11586)
Document the change in a NEWS entry of the Security category.
2019-04-17 17:05:30 +02:00
Łukasz Langa 9a448855b5
v3.8.0a3 2019-03-25 20:36:40 +01:00
Xtreak ca7fe50635 bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
2019-03-09 21:09:48 -05:00
Steve Dower 16e6f7dee7
bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) 2019-03-07 08:02:26 -08:00
Łukasz Langa 8efa3b69f6
[blurb] v3.8.0a1 2019-02-03 14:02:52 +01:00
Christian Heimes a37f52436f bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue35746
2019-01-15 14:47:42 -08:00
Victor Stinner 9de3632715
bpo-34812: subprocess._args_from_interpreter_flags(): add isolated (GH-10675)
The "-I" command line option (run Python in isolated mode) is now
also copied by the multiprocessing and distutils modules when
spawning child processes. Previously, only -E and -s options (enabled
by -I) were copied.

subprocess._args_from_interpreter_flags() now copies the -I flag.
2018-11-23 17:54:20 +01:00
Christian Heimes 223e501fb9 bpo-34791: xml package obeys ignore env flags (GH-9544)
The xml.sax and xml.dom.domreg modules now obey
sys.flags.ignore_environment.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue34791
2018-09-24 10:21:12 -07:00
Christian Heimes 17b1d5d4e3 bpo-17239: Disable external entities in SAX parser (GH-9217)
The SAX parser no longer processes general external entities by default
to increase security. Before, the parser created network connections
to fetch remote files or loaded local files from the file system for DTD
and entities.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue17239
2018-09-23 00:50:25 -07:00
Christian Heimes 026337a710 bpo-34623: Mention CVE-2018-14647 in news entry (GH-9482)
https://bugs.python.org/issue34623
2018-09-21 21:42:29 -07:00
Christian Heimes cb5778f00c bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
The C accelerated _elementtree module now initializes hash randomization
salt from _Py_HashSecret instead of libexpat's default CPRNG.

Signed-off-by: Christian Heimes <christian@python.org>



https://bugs.python.org/issue34623
2018-09-18 05:38:58 -07:00
Steve Dower c6fd1c1c3a
bpo-32533: Fixed thread-safety of error handling in _ssl. (GH-7158) 2018-09-17 11:34:47 -07:00
Steve Dower 864a892af3
bpo-34405: Updated to OpenSSL 1.1.0i for Windows builds. (GH-8775) 2018-08-15 13:29:24 -07:00
Serhiy Storchaka 9d5727326a
bpo-33871: Fix os.sendfile(), os.writev(), os.readv(), etc. (GH-7931)
* Fix integer overflow in os.readv(), os.writev(), os.preadv()
  and os.pwritev() and in os.sendfile() with headers or trailers
  arguments (on BSD-based OSes and MacOS).

* Fix sending the part of the file in os.sendfile() on MacOS.
  Using the trailers argument could cause sending more bytes from
  the input file than was specified.

Thanks Ned Deily for testing on 32-bit MacOS.
2018-07-31 10:24:54 +03:00
Christian Heimes d02ac25ab0
bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229)
Harden ssl module against LibreSSL CVE-2018-8970.
X509_VERIFY_PARAM_set1_host() is called with an explicit namelen. A new test
ensures that NULL bytes are not allowed.

Signed-off-by: Christian Heimes <christian@python.org>
2018-03-25 12:36:13 +02:00
Steve Dower 6921e73e33
bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) 2018-03-05 14:26:08 -08:00
Jamie Davis 0e6c8ee235 bpo-32981: Fix catastrophic backtracking vulns (#5955)
* Prevent low-grade poplib REDOS (CVE-2018-1060)

The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.

Replace it with a similar non-vulnerable regex.

The new regex is RFC compliant.
The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.

Replace it with an equivalent non-vulnerable regex.

Also introduce unit and REDOS tests for difflib.

Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>
2018-03-03 21:33:32 -08:00
Christian Heimes 11a1493bc4 [bpo-28414] Make all hostnames in SSL module IDN A-labels (GH-5128)
Previously, the ssl module stored international domain names (IDNs)
as U-labels. This is problematic for a number of reasons -- for
example, it made it impossible for users to use a different version
of IDNA than the one built into Python.

After this change, we always convert to A-labels as soon as possible,
and use them for all internal processing. In particular, server_hostname
attribute is now an A-label, and on the server side there's a new
sni_callback that receives the SNI servername as an A-label rather than
a U-label.
2018-02-23 17:35:08 -08:00
Ned Deily 450ceea331 Update PyDoc topics and NEWS blurbs for 3.7.0a1 2017-09-19 01:01:36 -04:00
Devin Jeanpierre c5bace2bf7 bpo-29505: Add fuzz tests for float(str), int(str), unicode(str) (#2878)
Add basic fuzz tests for a few common builtin functions.

This is an easy place to start, and these functions are probably safe.
We'll want to add more fuzz tests later.  Lets bootstrap using these.

While the fuzz tests are included in CPython and compiled / tested on a
very basic level inside CPython itself, the actual fuzzing happens as
part of oss-fuzz (https://github.com/google/oss-fuzz). The reason to
include the tests in CPython is to make sure that they're maintained
as part of the CPython project, especially when (as some eventually
will) they use internal implementation details in the test.

(This will be necessary sometimes because e.g. the fuzz test should
never enter Python's interpreter loop, whereas some APIs only expose
themselves publicly as Python functions.)

This particular set of changes is part of testing Python's builtins,
tracked internally at Google by b/37562550.

The _xxtestfuzz module that this change adds need not be shipped with binary distributions of Python.
2017-09-06 11:15:35 -07:00
Christian Heimes 6877111648 bpo-29781: Fix SSLObject.version before handshake (#3364)
SSLObject.version() now correctly returns None when handshake over BIO has
not been performed yet.

Signed-off-by: Christian Heimes <christian@python.org>
2017-09-05 21:55:40 -07:00
Gregory P. Smith 564a2c68ad Link to blurb on PyPI in the NEWS.d READMEs. (#3323) 2017-09-05 10:38:05 -07:00
larryhastings f9f17346d7 Blurbify master branch. (#3298)
Blurbify master branch.
2017-09-04 13:30:19 -07:00
Victor Stinner 93d0cb58b4 bpo-30947: Update libexpat from 2.2.1 to 2.2.3 (#3106)
* bpo-30947: Update libexpat from 2.2.1 to 2.2.3

* Add NEWS entry

* Add new loadlibrary.c

* expat_external.h: restore include "pyexpatns.h"

* PCbuild: add expat/loadlibrary.c

* Define XML_POOR_ENTROPY to compile expat
2017-08-18 23:43:54 +02:00
larryhastings ea007984d3 Add "Misc/NEWS.d" directory tree for "blurb". (GH-2316)
Add "Misc/NEWS.d" directory tree for "blurb".

CPython workflow is changing!  We're going to start using "blurb"
to manage Misc/NEWS entries:
    https://github.com/python/core-workflow
(This will be a big win for release managers, honest.)

This checkin simply populates the "Misc/NEWS.d" subdirectory tree
so that people can start putting their news entries in there.
No other changes (yet).
2017-06-22 10:29:02 -07:00