Upgrade builds to OpenSSL 1.1.1u.
This OpenSSL version addresses a pile of less-urgent CVEs since 1.1.1t.
The Mac/BuildScript/build-installer.py was already updated.
Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.
Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).
(cherry picked from commit ede89af).
(cherry picked from commit a5d2b546c1)
(cherry picked from commit f90d3f68db)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state-of-the-world explanatory
paragraph in this security-release-only backport. (People will see
that in the mainline /3/ docs.)
---------
(cherry picked from commit 2f630e1ce1)
(cherry picked from commit 610cc0ab1b)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
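To make the rule this backport implements concrete, here is an added example (it is not part of the commit above or of CPython itself). It applies the WHATWG "leading C0 control or space" strip before calling `urlsplit`, and shows why a scheme blocklist needs it: on an interpreter without the fix, a URL such as `" file:///etc/passwd"` parses with an empty scheme because the leading space is not a valid scheme character, so a check on `urlsplit(url).scheme` never sees `file`. The `BLOCKED_SCHEMES` policy and the function names are assumptions made for illustration; the strip is leading-only, matching the commit text rather than the full leading-and-trailing spec sentence.

```python
"""Added example: WHATWG leading C0-control/space strip ahead of urlsplit.

Not CPython code. Demonstrates the sanitizing rule referenced by
gh-102153 / CVE-2023-24329 and a scheme blocklist that depends on it.
"""
from urllib.parse import SplitResult, urlsplit

# WHATWG "C0 control or space": U+0000 through U+001F, plus U+0020.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Hypothetical policy: schemes an application refuses to fetch.
BLOCKED_SCHEMES = frozenset({"file", "ftp"})


def whatwg_lstrip(url: str) -> str:
    """Remove leading C0 control or space characters only (the backported rule)."""
    return url.lstrip(C0_CONTROL_OR_SPACE)


def sanitized_urlsplit(url: str) -> SplitResult:
    """urlsplit() applied to the stripped input, so the scheme is recognised
    regardless of whether the running interpreter carries the fix."""
    return urlsplit(whatwg_lstrip(url))


def naive_scheme(url: str) -> str:
    """What an unsanitized check sees. On a pre-fix interpreter this returns ''
    for ' file:///etc/passwd'; on a fixed one it returns 'file'. Shown for
    comparison only; it is not asserted on because the answer is version-dependent."""
    return urlsplit(url).scheme


def scheme_is_blocked(url: str) -> bool:
    """True when the effective (post-strip) scheme is on the blocklist.

    A blocklist that keys on naive_scheme() can be bypassed with a leading
    control character or space on interpreters without the fix; keying on the
    sanitized scheme closes that gap on every version.
    """
    return sanitized_urlsplit(url).scheme.lower() in BLOCKED_SCHEMES


if __name__ == "__main__":
    # Constructed inputs: a leading TAB/NUL-prefixed file URL and a clean https URL.
    for sample in ("\t\x00file:///etc/passwd", "https://example.com/path"):
        print(repr(sample), "naive scheme:", repr(naive_scheme(sample)),
              "blocked:", scheme_is_blocked(sample))
```

Run it on a pre-fix and a fixed interpreter to see `naive_scheme` change from `''` to `'file'` for the first sample while `scheme_is_blocked` reports `True` on both.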
gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
---------
(cherry picked from commit c7c3a60c88)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
(cherry picked from commit d052a383f1)
Co-authored-by: Bernhard Wagner <github.comNotification20120125@xmlizer.net>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Co-authored-by: Éric <merwok@netwok.org>
On macOS all file descriptors for a particular file in /dev/fd
share the same file offset, that is ``open("/dev/fd/9", "r")`` behaves
more like ``dup(9)`` than a regular open.
This causes problems when a user tries to run "/dev/fd/9" as a script
because zipimport changes the file offset to try to read a zipfile
directory. Therefore change zipimport to reset the file offset after
trying to read the zipfile directory.
(cherry picked from commit d08fb25769)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
* Regen zipimport
---------
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
There are some warnings when building Python with clang:
Parser/pegen.c:812:31: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
_PyPegen_clear_memo_statistics()
^
void
Parser/pegen.c:820:29: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
_PyPegen_get_memo_statistics()
^
void
Fix it to make clang happy.
(cherry picked from commit 7703def37e)
Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
Co-authored-by: Chenxi Mao <chenxi.mao@suse.com>
Previously, any data _after_ the zip64 extra would be removed.
With many new tests.
Fixes GH-88233
(cherry picked from commit 59e86caca8)
Co-authored-by: Tim Hatch <tim@timhatch.com>
GH-25309 enabled SSL_OP_IGNORE_UNEXPECTED_EOF by default, with a comment
that it restores OpenSSL 1.1.1 behavior, but this wasn't quite right.
That option causes OpenSSL to treat transport EOF as the same as
close_notify (i.e. SSL_ERROR_ZERO_RETURN), whereas Python actually has
distinct SSLEOFError and SSLZeroReturnError exceptions. (The latter is
usually mapped to a zero return from read.) In OpenSSL 1.1.1, the ssl
module would raise them for transport EOF and close_notify,
respectively. In OpenSSL 3.0, both act like close_notify.
Fix this by, instead, just detecting SSL_R_UNEXPECTED_EOF_WHILE_READING
and mapping that to the other exception type.
There doesn't seem to have been any unit test of this error, so fill in
the missing one. This had to be done with the BIO path because it's
actually slightly tricky to simulate a transport EOF with Python's fd
based APIs. (If you instruct the server to close the socket, it gets
confused, probably because the server's SSL object is still referencing
the now dead fd?)
(cherry picked from commit 420bbb783b)
Co-authored-by: David Benjamin <davidben@google.com>
gh-102027: Fix macro name (GH-102124)
This fixes the ssse3 / sse2 detection when sse4 is available.
(cherry picked from commit ea93bde4ec)
Co-authored-by: Max Bachmann <kontakt@maxbachmann.de>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Fix an issue of concurrent.futures ProcessPoolExecutor shutdown hanging.
(cherry picked from commit 2dc94634b5)
Co-authored-by: yonatanp <yonatan.perry@gmail.com>
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
---------
(cherry picked from commit 5e0865f22e)
Co-authored-by: Andre Hora <andrehora@users.noreply.github.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
GH-101673: Fix pdb bug where local variable changes are lost after longlist (#101674)
(cherry picked from commit 5d677c556f)
Co-authored-by: gaogaotiantian <gaogaotiantian@hotmail.com>
It is possible but unlikely for the `python_tzpath_context` function to fail between the start of the `try` block and the point where `os.environ.get` succeeds, in which case `old_env` will be undefined. In this case, we want to take no action.
Practically speaking this will really only happen in an error condition anyway, so it doesn't really matter, but we should probably do it right anyway.
(cherry picked from commit 64bde502cf)
Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com>
GH-102397: Fix segfault from race condition in signal handling (GH-102399)
(cherry picked from commit 1a84cc007e)
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Add trashcan macros to the deallocator of the filter objects to protect against deeply nested destruction of chains of nested filters.
(cherry picked from commit 66aa78cbe6)
Co-authored-by: Marta Gómez Macías <mgmacias@google.com>
* [3.10] gh-97786: Fix compiler warnings in pytime.c (GH-101826)
Fixes compiler warnings in pytime.c.
(cherry picked from commit b1b375e267)
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
* Add comment about the casts
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gh-85417: Clarify behaviour on branch cuts in cmath module (GH-102046)
This PR updates the cmath module documentation to reflect the reality that Python is almost always (and as far as I can tell, that "almost" can be omitted) running on a machine whose C double supports signed zeros.
* Removes misleading references to functions being continuous from above / below / the left / the right at branch cuts
* Expands the note on branch cuts at the top of the module documentation to explain the double-sided sign-of-zero-based behaviour
(cherry picked from commit b513c46d99)
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
gh-95675: fix uid and gid at test_add_dir_getmember (gh-102207)
(cherry picked from commit 56e93c8020)
Co-authored-by: Seonkyo Ok <seonkyo.ok@linecorp.com>
gh-101936: Update the default value of fp from io.StringIO to io.BytesIO (gh-102100)
(cherry picked from commit 0d4c7fcd4f)
Co-authored-by: Long Vo <long.vo@linecorp.com>
gh-101961 fileinput.hookcompressed should not set the encoding value for the binary mode (gh-102068)
(cherry picked from commit 6f25657b83)
Co-authored-by: Gihwan Kim <gihwan.kim@linecorp.com>