Commit Graph

2016 Commits

Author SHA1 Message Date
Artem Bulgakov 22748a83d9
bpo-41316: Make tarfile follow specs for FNAME (GH-21511)
tarfile writes full path to FNAME field of GZIP format instead of just basename if user specified absolute path. Some archive viewers may process file incorrectly. Also it creates security issue because anyone can know structure of directories on system and know username or other personal information.

RFC1952 says about FNAME:
This is the original name of the file being compressed, with any directory components removed.

So tarfile must remove directory names from FNAME and write only basename of file.

Automerge-Triggered-By: @jaraco
2020-09-07 09:46:33 -07:00
Irit Katriel 582f13786b
bpo-39994: Fix pprint handling of dict subclasses that override __repr__ (GH-21892)
Co-authored-by: Palak Kumar Jha
2020-08-30 20:29:53 +03:00
Hans Petter Jansson da4e09fff6
bpo-36982: Add support for extended color functions in ncurses 6.1 (GH-17536)
Co-authored-by: Jeffrey Kintscher <websurfer@surf2c.net>
2020-08-03 23:51:33 -04:00
Gregory Schevchenko daff39070e
bpo-38731: Add --quiet option to py_compile CLI (GH-17134) 2020-07-25 22:58:45 +03:00
E-Paine 1ee5dc1586
Remove trailing >>> in enum docs (GH-21358)
The >>> as the last line serve no purpose and are not colored correctly by Sphinx.
2020-07-09 12:18:34 -07:00
Srinivas Reddy Thatiparthy (శ్రీనివాస్ రెడ్డి తాటిపర్తి) 7f569c9bc0
bpo-41048: mimetypes should read the rule file using UTF-8, not the locale encoding (GH-20998) 2020-06-29 11:36:48 +03:00
David Szotten 8666356280
closes bpo-28557: error message for bad raw readinto (GH-7496)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
2020-06-15 18:53:57 -05:00
Krzysztof Konopko 4a3a682b12
bpo-40448: ensurepip: Do not use cache (GH-19812)
ensurepip optionally installs or upgrades 'pip' and 'setuptools' using
the version of those modules bundled with Python.  The internal PIP
installation routine by default temporarily uses its cache, if it
exists.  This is undesirable as Python builds and installations may be
independent of the user running the build, whilst PIP cache location
is dependent on the user's environment and outside of the build
environment.

At the same time, there's no value in using the cache while installing
bundled modules.

This change disables PIP caching when used in ensurepip.
2020-06-15 13:28:46 -04:00
Huon Wilson 8b62644831
bpo-40630: Add tracemalloc.reset_peak (GH-20102)
The reset_peak function sets the peak memory size to the current size,
representing a resetting of that metric. This allows for recording the
peak of specific sections of code, ignoring other code that may have
had a higher peak (since the most recent `tracemalloc.start()` or
tracemalloc.clear_traces()` call).
2020-05-22 16:18:51 +02:00
Ned Deily 951ab58024
Revert "bpo-26317: Support OBJC and OBJCXX configure command line variables (GH-20176)" (GH-20182)
This reverts commit 0da5466650.

The commit is causing make failures on a FreeBSD buildbot.
Due to the imminent 3.9.0b1 cutoff, revert this commit for
now pending further investigation.
2020-05-18 11:31:21 -04:00
Ned Deily 0da5466650
bpo-26317: Support OBJC and OBJCXX configure command line variables (GH-20176)
Add support to the configure script for OBJC and OBJCXX command line options so that the macOS builds can use the clang compiler for the macOS-specific Objective C source files. This allows third-party compilers, like GNU gcc, to be used to build the rest of the project since some of the Objective C system header files are not compilable by GNU gcc.

Co-authored-by: Jeffrey Kintscher <websurfer@surf2c.net>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
2020-05-18 09:17:22 -04:00
Ned Deily fa098b6bc8
bpo-35569: add Erlend to Misc/ACKS (GH-20146) 2020-05-17 02:57:25 -04:00
Chris Jerdonek fe1176e882
Add Andrew York to ACKS for GH-19622. (GH-20105)
This updates ACKS for commit 003708bcf8
contributed by Andrew York.
2020-05-15 15:19:39 -07:00
romasku 382a5635bd
bpo-40607: Reraise exception during task cancelation in asyncio.wait_for() (GH-20054)
Currently, if asyncio.wait_for() timeout expires, it cancels
inner future and then always raises TimeoutError. In case
those future is task, it can handle cancelation mannually,
and those process can lead to some other exception. Current
implementation silently loses thoses exception.

To resolve this, wait_for will check was the cancelation
successfull or not. In case there was exception, wait_for
will reraise it.

Co-authored-by: Roman Skurikhin <roman.skurikhin@cruxlab.com>
2020-05-15 13:12:05 -07:00
Lumír 'Frenzy' Balhar e77d428856
bpo-40495: compileall option to hardlink duplicate pyc files (GH-19901)
compileall is now able to use hardlinks to prevent duplicates in a
case when .pyc files for different optimization levels have the same content.

Co-authored-by: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: Victor Stinner <vstinner@python.org>
2020-05-14 16:17:22 +02:00
Joel Rosdahl 9d74658f0a
bpo-40499: Mention that asyncio.wait() needs a non-empty aws set (GH-19900)
A similar formulation was added in bpo-21596
(db74d982d4) but was lost in bpo-33649
(3faaa8857a).
2020-05-04 14:56:00 -07:00
Shantanu 289842ae82
bpo-39435: Fix docs for pickle.loads (GH-18160) 2020-05-01 12:46:01 -07:00
lrjball 3209cbd99b
bpo-40394 - difflib.SequenceMatched.find_longest_match default args (GH-19742)
* bpo-40394 - difflib.SequenceMatched.find_longest_match default args

Added default args to find_longest_match, as well as related tests.
2020-04-29 22:42:45 -05:00
Lewis Gaul f7bbf58aa9
bpo-38880: List interpreters associated with a channel end (GH-17323)
This PR adds the functionality requested by https://github.com/ericsnowcurrently/multi-core-python/issues/52.

Automerge-Triggered-By: @ericsnowcurrently
2020-04-28 17:18:42 -07:00
Ethan Onstott d9a43e20fa
bpo-40025: Require _generate_next_value_ to be defined before members (GH-19098)
require `_generate_next_value_` to be defined before members
2020-04-28 10:20:55 -07:00
sweeneyde a81849b031
bpo-39939: Add str.removeprefix and str.removesuffix (GH-18939)
Added str.removeprefix and str.removesuffix methods and corresponding
bytes, bytearray, and collections.UserString methods to remove affixes
from a string if present. See PEP 616 for a full description.
2020-04-22 23:05:48 +02:00
Zackery Spytz 97e0de04b8
bpo-25780: Expose CAN_RAW_JOIN_FILTERS in the socket module (GH-19190)
Co-Authored-By: Stefan Tatschner <stefan@rumpelsepp.org>
2020-04-09 13:03:49 +01:00
Peter Donis e0b8101492
bpo-1812: Fix newline conversion when doctest.testfile loads from a package whose loader has a get_data method (GH-17385)
This pull request fixes the newline conversion bug originally reported in bpo-1812. When that issue was originally submitted, the open builtin did not default to universal newline mode; now it does, which makes the issue fix simpler, since the only code path that needs to be changed is the one in doctest._load_testfile where the file is loaded from a package whose loader has a get_data method.
2020-03-26 10:53:16 -05:00
Lahfa Samy 59c644eaa7
bpo-39879: Update datamodel docs to include dict ordering (GH-19006)
Co-authored-by: furkanonder <furkantahaonder@gmail.com>
2020-03-26 09:54:04 -05:00
Furkan Önder cb6534e1a8
bpo-40067: Improve error messages for multiple star expressions in assignments (GH-19168)
Co-Authored-By: Batuhan Taşkaya <isidentical@gmail.com>
Co-Authored-By: Pablo Galindo <Pablogsal@gmail.com>
2020-03-26 01:54:31 +00:00
Curtis Bucher f393b2c588
bpo-36144: Add PEP 584 operators to collections.ChainMap (#18832)
* Update ChainMap to include | and |=

Created __ior__, __or__ and __ror__ methods in ChainMap class.

* Update ACKS

* Update docs

* Update test_collections.py to include test_issue584().

Added testing for | and |= operators for ChainMap objects.

* Update test_union_operators

Renamed test_union operators, fixed errors and style problems raised by brandtbucher.

* Update test_union_operators in TestChainMap

Added testing for union operator between ChainMap and iterable of key-value pairs.

* Update test_union operators in test_collections.py

Gave more descriptive variable names and eliminated unnecessary tmp variable.

* Update test_union_operators in test_collections.py

Added cm3

* Check .maps rather than Chainmap equality.

* Add news entry

* Update Lib/test/test_collections.py

Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com>

* Removed whitespace

* Added Guido's changes

* Fixed Docs

* Removed whitespace

Co-authored-by: Brandt Bucher <brandtbucher@gmail.com>
2020-03-23 12:02:05 -07:00
Charles Burkland d648ef10c5
bpo-36144: Update os.environ and os.environb for PEP 584 (#18911) 2020-03-13 09:04:43 -07:00
Pete Wicken 8e9c47a947
bpo-28577: Special case added to IP v4 and v6 hosts for /32 and /128 networks (GH-18757)
The `.hosts()` method now returns the single address present in a /32 or /128 network.
2020-03-09 15:33:45 -07:00
Hakan Çelik 217dce9ee6
bpo-39815: add cached_property to all (GH-18726)
Automerge-Triggered-By: @pablogsal
2020-03-01 13:01:34 -08:00
Vlad Emelianov 768d739c1c
bpo-38641: Add lib2to3 support for starred expressions in return/yield statements (GH-16994) 2020-03-01 19:59:26 +00:00
Henry Harutyunyan dc04a0571e
bpo-37534: Allow adding Standalone Document Declaration when generating XML documents (GH-14912) 2020-02-29 09:22:19 +01:00
Yonatan Goldschmidt 1c56f8ffad
bpo-39382: Avoid dangling object use in abstract_issubclass() (GH-18530)
Hold reference of __bases__ tuple until tuple item is done with, because by
dropping the reference the item may be destroyed.
2020-02-22 15:11:48 +02:00
Christopher Hunt c2ac4cf040
bpo-35727: Use exit code 0 on sys.exit() in multiprocessing.Process. (GH-11538) 2020-02-21 10:33:04 +01:00
alclarks d4331c56b4
bpo-9495: avoid confusing chained exception in argparse test (GH-17120) 2020-02-21 10:48:36 +02:00
ananthan-123 f2ee21d858
bpo-39479:Add math.lcm() function: Least Common Multiple (#18547)
* Update math.rst

* Update math.rst

* updated whats new

* Update test_math.py

* Update mathmodule.c

* Update mathmodule.c.h

* Update ACKS

* 📜🤖 Added by blurb_it.

* Update 3.9.rst

* Update 2020-02-18-12-37-16.bpo-39479.j3UcCq.rst

* Update math.rst

* Update 2020-02-18-12-37-16.bpo-39479.j3UcCq.rst

* Update test_math.py

* Update ACKS

* Update mathmodule.c.h

* Update mathmodule.c

* Update mathmodule.c.h

* Update mathmodule.c.h

Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
2020-02-19 18:21:37 +00:00
Kyle Meyer 8edfc47bae
bpo-39546: argparse: Honor allow_abbrev=False for specified prefix_chars (GH-18337)
When `allow_abbrev` was first added, disabling the abbreviation of
long options broke the grouping of short flags ([bpo-26967](https://bugs.python.org/issue26967)).  As a fix,
b1e4d1b603 (contained in v3.8) ignores `allow_abbrev=False` for a
given argument string if the string does _not_ start with "--"
(i.e. it doesn't look like a long option).

This fix, however, doesn't take into account that long options can
start with alternative characters specified via `prefix_chars`,
introducing a regression: `allow_abbrev=False` has no effect on long
options that start with an alternative prefix character.

The most minimal fix would be to replace the "starts with --" check
with a "starts with two prefix_chars characters".  But
`_get_option_tuples` already distinguishes between long and short
options, so let's instead piggyback off of that check by moving the
`allow_abbrev` condition into `_get_option_tuples`.





https://bugs.python.org/issue39546
2020-02-18 01:48:57 -08:00
William Chargin 674935b8ca
bpo-18819: tarfile: only set device fields for device files (GH-18080)
The GNU docs describe the `devmajor` and `devminor` fields of the tar
header struct only in the context of character and block special files,
suggesting that in other cases they are not populated. Typical utilities
behave accordingly; this patch teaches `tarfile` to do the same.
2020-02-12 11:56:02 -08:00
Hugo van Kemenade 29b3fc0a18
bpo-39586: Deprecate distutils bdist_msi command (GH-18415) 2020-02-10 14:26:40 +01:00
Bruce Merry d07d9f4c43
bpo-36051: Drop GIL during large bytes.join() (GH-17757)
Improve multi-threaded performance by dropping the GIL in the fast path
of bytes.join. To avoid increasing overhead for small joins, it is only
done if the output size exceeds a threshold.
2020-01-29 16:09:24 +09:00
William Woodruff dd754caf14 bpo-29435: Allow is_tarfile to take a filelike obj (GH-18090)
`is_tarfile()` now supports `name` being a file or file-like object.
2020-01-22 18:24:16 -08:00
Géry Ogam 1d1b97ae64 bpo-39048: Look up __aenter__ before __aexit__ in async with (GH-17609)
* Reorder the __aenter__ and __aexit__ checks for async with
* Add assertions for async with body being skipped
* Swap __aexit__ and __aenter__ loading in the documentation
2020-01-14 21:58:29 +10:00
Jendrik Seipp 5b9077134c bpo-13601: always use line-buffering for sys.stderr (GH-17646) 2020-01-01 23:21:43 +01:00
Oleg Höfling cbd0408b54 links in importlib.metadata.rst replaced with sphinx references (GH-17730)
The importlib.metadata documentation uses hardcoded links to internal
pages. This results in minor rendering issues. This change replaces
the hardcoded links with suitable Sphinx roles.

Signed-off-by: Oleg Höfling <oleg.hoefling@gmail.com>
2019-12-29 12:26:35 -05:00
Éric Araujo 3c75f31bb2
Add comment to avoid ACKS losing order (GH-17678) 2019-12-23 12:03:30 -05:00
Éric Araujo dd1a20f324
reorder entries in Misc/ACKS (#17663) 2019-12-20 09:53:33 -05:00
Xtreak 79f02fee1a bpo-39033: Fix NameError in zipimport during hash validation (GH-17588)
Patch by Karthikeyan Singaravelan.
2019-12-16 09:34:12 +10:00
Tim Gates c18b805ac6 bpo-39002: Fix simple typo: tranlation -> translation (GH-17517) 2019-12-09 09:42:17 -08:00
Anj-A 4443450fda bpo-38652: Remove provisional note for asyncio.BufferedProtocol (GH-17047)
https://bugs.python.org/issue38652
2019-12-07 04:53:12 -08:00
Benoit Hudson 723f71abf7 bpo-37931: Fix crash on OSX re-initializing os.environ (GH-15428)
On most platforms, the `environ` symbol is accessible everywhere.

In a dylib on OSX, it's not easily accessible, you need to find it with
_NSGetEnviron.

The code was caching the *value* of environ. But a setenv() can change the value,
leaving garbage at the old value. Fix: don't cache the value of environ, just
read it every time.
2019-12-06 20:15:03 +01:00
bcaller 1b779bfb85 bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular
space.

You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  # Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1 else
                65506  # Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  # Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like

"444444" + (" " * 2000) + "A"

could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
2019-11-22 15:22:11 +01:00