Commit log (columns: Commit message | Author | Date | Files | Lines)
* bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
  Author: Michał Górny | Date: 2020-09-12 | Files: 2 | Lines: -0/+37 | Refs: gentoo-2.7.18-r3
  reject control chars in http method in http.client.putrequest to prevent http header injection
  (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
  Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
  [rebased for py2.7]

* bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
  Author: Michał Górny | Date: 2020-09-12 | Files: 2 | Lines: -40/+101
  The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking.
  Vulnerability reported by Ben Caller and Matt Schwager.
  AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.
  Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
  (cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
  [rebased for py2.7]

* bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
  Author: Rishi | Date: 2020-07-19 | Files: 2 | Lines: -0/+3 | Refs: gentoo-2.7.18-r1
  Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
  [stripped test to avoid binary patch]

* test.support.unlink: ignore EACCES
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -1/+1 | Refs: gentoo-2.7.18
  Resolves test errors when running in the Gentoo sandbox environment.
  Bug: https://bugs.gentoo.org/679628
* Force using system libffi
  Author: Michał Górny | Date: 2020-04-22 | Files: 1 | Lines: -4/+4

* Use specific -Werror for cross-compile tests
  Author: Michał Górny | Date: 2020-04-22 | Files: 1 | Lines: -2/+2
  https://bugs.python.org/issue25397

* Use ncurses to find pkg-config
  Author: Michał Górny | Date: 2020-04-22 | Files: 1 | Lines: -1/+1

* Make module byte-compilation non-fatal
  Author: Michał Górny | Date: 2020-04-22 | Files: 1 | Lines: -2/+2

* Disable nis
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -1/+1

* use_pyxml
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -15/+18

* ARM OABI
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -29/+78
  https://bugs.gentoo.org/show_bug.cgi?id=266703
  https://bugs.python.org/issue1762561

* Turkish locale
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -15/+24

* distutils C++
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 6 | Lines: -42/+82
  https://bugs.python.org/issue1222585

* Regenerate platform-specific modules
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 5 | Lines: -26/+34
  https://bugs.python.org/issue12619

* sqlite loadable extensions
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 2 | Lines: -2/+13
  https://bugs.gentoo.org/show_bug.cgi?id=335505
  https://bugs.python.org/issue10268

* Non-zero exit status on failure
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -0/+6
  https://bugs.gentoo.org/show_bug.cgi?id=281968
  https://bugs.python.org/issue6731

* Gentoo libdir
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 9 | Lines: -35/+30

* Disable modules and SSL
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 1 | Lines: -19/+31

* Install libpythonX.Y.a in /usr/lib instead of /usr/lib/pythonX.Y/config.
  Author: Mike Gilbert | Date: 2020-04-22 | Files: 3 | Lines: -17/+14
  https://bugs.gentoo.org/show_bug.cgi?id=252372
  https://bugs.python.org/issue6103
* Add empty 2.7.18 NEWS file.
  Author: Benjamin Peterson | Date: 2020-04-19 | Files: 1 | Lines: -0/+8 | Refs: v2.7.18, 2.7

* Bump version to 2.7.18.
  Author: Benjamin Peterson | Date: 2020-04-19 | Files: 1 | Lines: -3/+3

* Remove incorrect comma. (GH-19604)
  Author: Benjamin Peterson | Date: 2020-04-19 | Files: 1 | Lines: -1/+1

* [2.7] Doc: Add an optional obsolete header. (GH-19229)
  Author: Leonard Richardson | Date: 2020-04-18 | Files: 3 | Lines: -0/+21

* Bump version to 2.7.18rc1.
  Author: Benjamin Peterson | Date: 2020-04-04 | Files: 2 | Lines: -5/+5 | Refs: v2.7.18rc1

* Make 2.7.18rc1 release notes.
  Author: Benjamin Peterson | Date: 2020-04-04 | Files: 10 | Lines: -16/+89

* Update macOS installer build for 2.7.18 end-of-life. (GH-19352)
  Author: Ned Deily | Date: 2020-04-03 | Files: 4 | Lines: -27/+27

* [2.7] closes bpo-40125: Update multissltests.py to use OpenSSL 1.1.1f. (GH-19251)
  Author: Benjamin Peterson | Date: 2020-03-31 | Files: 1 | Lines: -3/+3
  (cherry picked from commit cd16661f903153ecac55f190ed682e576c5deb24)
* [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052)
  Author: Matěj Cepl | Date: 2020-03-18 | Files: 4 | Lines: -8/+53
  Add host validation for control characters for more CVE-2019-18348 protection.
  (cherry picked from commit 83fc70159b24)
  Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

* Doc: Change Python 2 status to EOL. (GH-17885)
  Author: Miss Islington (bot) | Date: 2020-01-06 | Files: 1 | Lines: -1/+1
  (cherry picked from commit f4800b8ed3dbe15a0078869a836d968ab3362b8c)
  Co-authored-by: Inada Naoki <songofacandy@gmail.com>

* bpo-27973 - Use test.support.temp_dir instead of NamedTemporaryFile for the (#17774)
  desired behavior under windows platform.
  Author: Senthil Kumaran | Date: 2020-01-03 | Files: 1 | Lines: -4/+4
  Suggestion by David Bolen

* Update copyright year in macOS installer license copy (GH-17806)
  Author: Miss Islington (bot) | Date: 2020-01-02 | Files: 1 | Lines: -3/+3
  (cherry picked from commit 32f1443aa98db769d87db497b45bd0dcb732445b)
  Co-authored-by: Ned Deily <nad@python.org>

* [2.7] Bring Python into the next decade. (GH-17805)
  Author: Benjamin Peterson | Date: 2020-01-02 | Files: 7 | Lines: -7/+7
  (cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53)
  Co-authored-by: Benjamin Peterson <benjamin@python.org>

* [2.7] bpo-27973 - Fix for urllib.urlretrieve() failing on second ftp transfer (#1040)
  Author: Senthil Kumaran | Date: 2019-12-30 | Files: 3 | Lines: -1/+46
  * bpo-27973: Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host.
  * bpo-35411: Skip test_urllibnet FTP tests on Travis CI.

* [2.7] Minor C API documentation improvements. (GH-17699)
  Author: Benjamin Peterson | Date: 2019-12-24 | Files: 1 | Lines: -1/+1
  (cherry picked from commit 5c7ed7550ec2da16d7679e538fcd7c1a5631811f)
  Co-authored-by: William Ayd <william.ayd@icloud.com>

* bpo-38295: prevent test_relative_path of test_py_compile failure on macOS Catalina (GH-17636)
  Author: Miss Islington (bot) | Date: 2019-12-17 | Files: 2 | Lines: -1/+2
  (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
  Co-authored-by: Ned Deily <nad@python.org>

* bpo-38730: Replace strncpy in import.c with memcpy. (GH-17633)
  Author: Benjamin Peterson | Date: 2019-12-16 | Files: 1 | Lines: -3/+3
  In all these cases, we know the exact length we want copied, so memcpy is the right function to use.

* bpo-39035: travis: Don't use beta group (GH-17605)
  Author: Inada Naoki | Date: 2019-12-14 | Files: 1 | Lines: -1/+0

* [2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418). (#17452)
  Author: Matthew Rollings | Date: 2019-12-03 | Files: 4 | Lines: -0/+22
  (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
  Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>

* document threading.Lock.locked() (GH-17427)
  Author: Miss Islington (bot) | Date: 2019-12-01 | Files: 1 | Lines: -0/+4
  (cherry picked from commit fdafa1d0ed0a8930b52ee81e57c931cc4d5c2388)
  Co-authored-by: idomic <michael.ido@gmail.com>
* bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (GH-17345)
  Author: Victor Stinner | Date: 2019-11-24 | Files: 4 | Lines: -8/+29

  The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

  LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

  The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

      \d+-\w+-\d+(\s*\s*\s*)$

  Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as

      LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

  caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space.

  You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it, e.g.

      from http.server import BaseHTTPRequestHandler, HTTPServer

      def make_set_cookie_value(n_spaces):
          spaces = " " * n_spaces
          expiry = f"1-c-1{spaces}!"
          return f"b;Expires={expiry}"

      class Handler(BaseHTTPRequestHandler):
          def do_GET(self):
              self.log_request(204)
              self.send_response_only(204)  # Don't bother sending Server and Date
              n_spaces = (
                  int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                  if len(self.path) > 1
                  else 65506  # Max header line length 65536
              )
              value = make_set_cookie_value(n_spaces)
              for i in range(99):  # Not necessary, but we can have up to 100 header lines
                  self.send_header("Set-Cookie", value)
              self.end_headers()

      if __name__ == "__main__":
          HTTPServer(("", 44020), Handler).serve_forever()

  This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

  Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

      import http.cookiejar, urllib.request
      cj = http.cookiejar.CookieJar()
      opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
      r = opener.open("http://localhost:44020/")

  The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

      import requests
      requests.get("http://localhost:44020/")

  * Regression test for http.cookiejar REDoS
    If we regress, this test will take a very long time.

  * Improve performance of http.cookiejar.ISO_DATE_RE
    A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

  (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
* bpo-38730: Remove usage of stpncpy as it's not supported on MSVC 2008. (GH-17081)
  Author: Benjamin Peterson | Date: 2019-11-07 | Files: 1 | Lines: -1/+6

* [2.7] bpo-38730: Fix -Wstringop-truncation warnings. (GH-17075)
  Author: Benjamin Peterson | Date: 2019-11-07 | Files: 8 | Lines: -18/+19

* bpo-37731: Squish another _POSIX_C_SOURCE redefinition problem in expat. (GH-17077)
  Author: Benjamin Peterson | Date: 2019-11-06 | Files: 1 | Lines: -6/+6

* bpo-37731: Reorder includes in xmltok.c to avoid redefinition of _POSIX_C_SOURCE (GH-16733)
  Author: Miss Islington (bot) | Date: 2019-11-06 | Files: 1 | Lines: -8/+8
  (cherry picked from commit 8177404d520e81f16324a900f093adf3856d33f8)
  Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>

* bpo-38557: Improve documentation for list and tuple C API. (GH-16925)
  Author: Miss Skeleton (bot) | Date: 2019-10-26 | Files: 3 | Lines: -12/+19
  (cherry picked from commit d898d20e8c228229eb68e545f544db13f246f216)
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

* [2.7] bpo-38535: Fix positions for AST nodes for calls without arguments in decorators. (GH-16861). (GH-16931)
  Author: Serhiy Storchaka | Date: 2019-10-26 | Files: 3 | Lines: -2/+14
  (cherry picked from commit 26ae9f6d3d755734c9f371b9356325afe5764813)

* Update URL in macOS installer copy of license (GH-16905)
  Author: Miss Skeleton (bot) | Date: 2019-10-23 | Files: 1 | Lines: -1/+1
  (cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad)
  Co-authored-by: Ned Deily <nad@python.org>

* bpo-37025: AddRefActCtx() shouldn't be checked for failure (GH-16897)
  Author: Zackery Spytz | Date: 2019-10-23 | Files: 2 | Lines: -5/+12
  AddRefActCtx() does not return a value.

* Fix Zope URL (GH-16880)
  Author: Miss Skeleton (bot) | Date: 2019-10-22 | Files: 1 | Lines: -1/+1
  (cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f)
  Co-authored-by: Kyle Stanley <aeros167@gmail.com>

* [2.7] bpo-38540: Fix possible leak in PyArg_Parse for "es#" and "et#". (GH-16869). (GH-16877)
  Author: Serhiy Storchaka | Date: 2019-10-21 | Files: 2 | Lines: -1/+16
  (cherry picked from commit 5bc6a7c06eda20ba131ecba6752be0506d310181)