1. Bad IP masquerade rules can prevent startup.
2. X cannot handle some complex colored chars.
(cherry picked from commit 1b4a9c7956)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Signed-off-by: Christian Heimes <christian@python.org>
Automerge-Triggered-By: GH:tiran.
(cherry picked from commit a54fc683f2)
Co-authored-by: Christian Heimes <christian@python.org>
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0)
Co-authored-by: Victor Stinner <vstinner@python.org>
OpenSSL copies the internal message callback from SSL_CTX->msg_callback to
SSL->msg_callback. SSL_set_SSL_CTX() does not update SSL->msg_callback
to use the callback value of the new context.
PySSL_set_context() now resets the callback and _PySSL_msg_callback()
resets thread state in error path.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 77cde5042a)
Co-authored-by: Christian Heimes <christian@python.org>
Python no longer fails at startup with a fatal error if a command
line argument contains an invalid Unicode character.
The Py_DecodeLocale() function now escapes byte sequences which would
be decoded as Unicode characters outside the [U+0000; U+10ffff]
range.
Use MAX_UNICODE constant in unicodeobject.c.
(cherry picked from commit 9976834f80)
Co-authored-by: Victor Stinner <vstinner@python.org>
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Answer "Why is there no goto?" in the Design and History FAQ.
(cherry picked from commit 5e29021a5e)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
* Fix auth_login logic (bpo-27820)
* Also fix a longstanding bug in the SimSMTPChannel.found_terminator() method that causes inability to test
SMTP AUTH with initial_response_ok=False.
(cherry picked from commit 7591d9455e)
Co-authored-by: Pandu E POLUAN <pepoluan@gmail.com>
Check to make sure stdout and stderr are not empty before selecting an item from them in Windows subprocess._communicate.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit b4fc44bb2d)
Co-authored-by: Chris Griffith <chris@cdgriffith.com>
We now buffer the CONNECT request + tunnel HTTP headers into a single
send call. This prevents the OS from generating multiple network
packets for connection setup when not necessary, improving efficiency.
(cherry picked from commit c25910a135)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
We can receive signals (at the C level, in `trip_signal()` in signalmodule.c) while `signal.signal` is being called to modify the corresponding handler. Later when `PyErr_CheckSignals()` is called to handle the given signal, the handler may be a non-callable object and would raise a cryptic asynchronous exception.
(cherry picked from commit 68245b7a10)
Co-authored-by: Antoine Pitrou <antoine@python.org>
Previous wording implied that only the result of call N and N+1 could be
meaningfully compared, whereas comparing call N and N+M is fine.
(cherry picked from commit ff5f05934d)
Co-authored-by: Alex Willmer <alex@moreati.org.uk>
This reverts commit aca67da4fe.
(cherry picked from commit b5711c940f)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Automerge-Triggered-By: GH:jaraco
Exit code is now 1 instead of 0. A message is printed to stderr instead of stdout. This is
the proper behaviour for a tool that can be used in scripts.
(cherry picked from commit cc3df6368d)
Co-authored-by: Ruben Vorderman <r.h.p.vorderman@lumc.nl>
Printing to IDLE's Shell is often slower than printing to a system
terminal, but it can be made faster by pre-formatting a single
string before printing.
(cherry picked from commit 2827e8a177)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
When very large data remains in TextIOWrapper, flush() may fail forever.
So prevent that data larger than chunk_size is remained in TextIOWrapper internal
buffer.
Co-Authored-By: Eryk Sun
(cherry picked from commit 01806d5)
Previously, the doc at least strongly implied that it had to be an iterator.
(cherry picked from commit 2f9ef514fb)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
(cherry picked from commit fcbe0cb04d)
* [3.9] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* bpo-41748: Adds tests for unquoted attributes with comma
* bpo-41748: Handles unquoted attributes with comma
* bpo-41748: Addresses review comments
* bpo-41748: Addresses review comments
* Adds more test cases
* Simplifies the regex for handling spaces
* bpo-41748: Moves attributes tests under the right class
* bpo-41748: Addresses review about duplicate attributes
* bpo-41748: Adds NEWS.d entry for this patch
(cherry picked from commit 9eb11a139f)
Co-authored-by: Karl Dubost <karl+github@la-grange.net>
* bpo-42504: Ensure that get_config_var('MACOSX_DEPLOYMENT_TARGET') is a string
(cherry picked from commit 49926cf2bc)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
