gh-126037: fix UAF in `xml.etree.ElementTree.Element.find*` when concurrent mutations happen (#127964)
We fix a use-after-free in the `find`, `findtext` and `findall` methods of `xml.etree.ElementTree.Element`
objects that can be triggered when the tag to find implements an `__eq__` method that mutates the
element being queried.
(cherry picked from commit c57623c221)
The bin tag is 3.0.16.1 because we rebuilt without uplink support to fix gh-131804.
This PR also prevents making calls that are now unsafe without uplink, and updates
the tests to properly interpret these failures as unsupported.
gh-131670: Fix crash in `anext()` when `__anext__` is sync and raises (GH-131682)
(cherry picked from commit 929afd1d6e)
Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
gh-131045: [Enum] fix flag containment checks when using values (GH-131053)
Check would fail if value would create a pseudo-member, but that member
had not yet been created. We now attempt to create a pseudo-member for
a passed-in value first.
---------
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Tomas R. <tomas.roun8@gmail.com>
gh-131417: Mention asyncio Future and Task in docs for generic classes list (GH-131422)
Mention asyncio Future and Task in docs for generic classes list
(cherry picked from commit 61b4b2c57c)
Co-authored-by: Andrew Svetlov <andrew.svetlov@gmail.com>
gh-121284: Fix email address header folding with parsed encoded-word (GH-122754)
Email generators using email.policy.default may convert an RFC 2047
encoded-word to unencoded form during header refolding. In a structured
header, this could allow 'specials' chars outside a quoted-string,
leading to invalid address headers and enabling spoofing. This change
ensures a parsed encoded-word that contains specials is kept as an
encoded-word while the header is refolded.
[Better fix from @bitdancer.]
---------
(cherry picked from commit 295b53df2a)
Co-authored-by: Mike Edmunds <medmunds@gmail.com>
Co-authored-by: R David Murray <rdmurray@bitdance.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
[3.13] gh-131261: Update libexpat to 2.7.0 (CVE-2024-8176)
(cherry picked from commit bb0268f60d)
(cherry picked from commit 6af54d298d)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gh-131325: fix sendfile fallback implementation to drain data after writing to transport (GH-131376)
(cherry picked from commit 94f4d87aeb)
Co-authored-by: Kumar Aditya <kumaraditya@python.org>
gh-129843: fix pure Python implementation of `warnings.warn_explicit` (GH-129848)
The pure Python implementation of `warnings.warn_explicit` constructs a `WarningMessage`
with an incorrect source (it incorrectly sets the WarningMessage's line to the given `source`).
(cherry picked from commit 80e00ecc39)
Co-authored-by: Srinivas Reddy Thatiparthy (తాటిపర్తి శ్రీనివాస్ రెడ్డి) <thatiparthysreenivas@gmail.com>
gh-130814: Enhance documentation for Python C API type objects (GH-130817)
The "Type Objects" title in `c-api/typeobj.rst`, duplicating the title of `c-api/type.rst`,
has been changed to "Type Objects Structures", thereby slightly improving Sphinx
search.
(cherry picked from commit 6b932edc52)
Co-authored-by: sharktide <meherrihaan@gmail.com>
Fix the pure Python implementation of `fromisoformat()` to reject any
non-digit characters, including whitespace, in the fractional part
of time specification. This makes the behavior consistent with the C
implementation, and prevents incorrect parsing of these fractions
(e.g. `.400 ` would be misinterpreted as `.04`).
(cherry picked from commit 33494b4d0d)
(cherry picked from commit 27fd328cf6)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Michał Górny <mgorny@gentoo.org>
gh-125331: Allow the parser to activate future imports on the fly (GH-125482)
(cherry picked from commit 3bd3e09588)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
gh-130740: Move some `stdbool.h` includes after `Python.h` (#130738)
Move some `#include <stdbool.h>` after `#include "Python.h"` when `pyconfig.h` is not
included first and when we are in a platform-agnostic context. This is to avoid having
features defined by `stdbool.h` before those decided by `Python.h` (this caused some
build failures when compiling CPython with `zig cc`).
(cherry-picked from commit 214562ed4d)
---------
Co-authored-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
gh-130637: Add validation for numeric response data in `stat()` method (GH-130646)
(cherry picked from commit a42168d316)
Co-authored-by: Kanishk Pachauri <itskanishkp.py@gmail.com>
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
gh-129726: Break `gzip.GzipFile` reference loop (GH-130055)
A reference loop was resulting in the `fileobj` held by the `GzipFile`
being closed before the `GzipFile`.
The issue started with gh-89550 in 3.12, but was hidden in most cases
until 3.13 when gh-62948 made it more visible.
(cherry picked from commit 7f39137662)
Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
The use of PySys_GetObject() and _PySys_GetAttr(), which return a borrowed
reference, has been replaced by using one of the following functions, which
return a strong reference and distinguish a missing attribute from an error:
_PySys_GetOptionalAttr(), _PySys_GetOptionalAttrString(),
_PySys_GetRequiredAttr(), and _PySys_GetRequiredAttrString().
(cherry picked from commit 0ef4ffeefd)
(cherry picked from commit 7c1b76fce8)
(cherry picked from commit 2ab7e1135a)
gh-130151: Fix reference leaks in `_hashlib.hmac_{new,digest}` (GH-130152)
* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
(cherry picked from commit 071820113f)
Document the architectures supported by macOS universal SDK configuration flags,
and add details on wheel tag naming.
(cherry picked from commit 474c388740)
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
gh-129838: Don't redefine _Py_NO_SANITIZE_UNDEFINED (GH-129839)
Newer GCC versions accept both __attribute__((no_sanitize("undefined")))
and __attribute__((no_sanitize_undefined)) so check that the macro is
not already defined.
(cherry picked from commit 568db400ff)
Co-authored-by: Collin Funk <collin.funk1@gmail.com>
gh-46236: Document PyUnicode_RSplit, PyUnicode_Partition and PyUnicode_RPartition (GH-130191)
(cherry picked from commit 0f5b82169e)
Co-authored-by: Marc Mueller <30130371+cdce8p@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
gh-118761: Revert "Improve import time of `subprocess` (GH-129427)" (GH-130201)
* Revert "gh-118761: Improve import time of `subprocess` (GH-129427)"
This reverts commit 49f24650e4.
Also known as f502c8f6a6 in 3.13 (PR GH-129447)
Also known as f65aa0d1bf in 3.12 (PR GH-129448)
This caused bugs in the `__del__` finalizer:
https://github.com/python/cpython/issues/118761#issuecomment-2661504264
---------
(cherry picked from commit ae30646089)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
gh-129873: IDLE: Improve help.py's method of parsing HTML (GH-129859)
In `help.copy_strip`, only copy the text `<section>`. In `help.HelpParser.handle_starttag` and elsewhere, remove code to skip the no longer present html. Add a reminder at the top of idle.rst to run copy_strip after changes.
---------
(cherry picked from commit 6fbf15f98e)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
[3.13] gh-129660: Do not use test_embed in PGO profile builds (GH-129662)
(cherry picked from commit 19ceb342b5)
Co-authored-by: neonene <53406459+neonene@users.noreply.github.com>