  1. 23 May, 2019 1 commit
  2. 22 May, 2019 1 commit
  3. 21 May, 2019 2 commits
      bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme (GH-11842) · b15bde80
      SH authored
      CVE-2019-9948: Avoid file reading by disallowing the unnecessary URL scheme in urllib.urlopen().
      bpo-30458: Disallow control chars in http URLs (GH-12755) (GH-13154) (GH-13315) · bb8071a4
      Victor Stinner authored
      Disallow control chars in http URLs in urllib2.urlopen.  This
      addresses a potential security problem for applications that do not
      sanity check their URLs where http request headers could be injected.
      
      Disable https related urllib tests on a build without ssl (GH-13032)
      These tests require an SSL enabled build. Skip these tests when
      python is built without SSL to fix test failures.
      
      Use httplib.InvalidURL instead of ValueError as the new error case's
      exception. (GH-13044)
      
      Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
      
      (cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
      
      Notes on backport to Python 2.7:
      
      * test_urllib tests urllib.urlopen() which quotes the URL and so is
        not vulnerable to HTTP Header Injection.
      * Add tests to test_urllib2 on urllib2.urlopen().
      * Reject non-ASCII characters: range 0x80-0xff.
  4. 20 May, 2019 2 commits
  5. 17 May, 2019 1 commit
      closes bpo-36755: Suppress noisy error output in test HTTPS server by default. (GH-13370) · 951af2d7
      Benjamin Peterson authored
      TLS 1.3 has a more efficient handshake protocol. The client can reject the server's credentials and close the connection before the server has even finished writing out all of its initial data. Depending on whether the server finishes writing the rest of its handshake before it sees the connection is reset, the server will read an empty line or see an ECONNRESET OSError. Nothing is really wrong here with the server or client, so just suppress the error output in the OSError case to fix the test.
      
      This fix isn't required in Python 3 because clients that reject the server's certificate will shut down the TLS layer before closing the TCP connection.
  6. 15 May, 2019 1 commit
  7. 13 May, 2019 2 commits
      [2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old... · 7346a16e
      Gregory P. Smith authored
      [2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13253)
      
      Modern Linux distros such as Debian Buster have default OpenSSL system
      configurations that reject connections to servers with weak certificates
      by default. This causes our test suite run with external networking
      resources enabled to skip these tests when they encounter such a
      failure.
      
      Fixing the network servers is a separate issue.
      (cherry picked from commit 2cc0223f)
      
      Changes to test_ssl.py required as 2.7 has legacy protocol tests.
      
      The test_httplib.py change is omitted from this backport as
      self-signed.pythontest.net's certificate was updated and the
      test_nntplib.py change is not applicable on 2.7.
      
      Authored-by: Gregory P. Smith greg@krypto.org
  8. 12 May, 2019 1 commit
  9. 09 May, 2019 1 commit
  10. 08 May, 2019 1 commit
  11. 02 May, 2019 2 commits
  12. 01 May, 2019 1 commit
  13. 30 Apr, 2019 1 commit
  14. 29 Apr, 2019 1 commit
  15. 25 Apr, 2019 1 commit
  16. 22 Apr, 2019 1 commit
  17. 13 Apr, 2019 1 commit
  18. 12 Apr, 2019 1 commit
  19. 09 Apr, 2019 5 commits
  20. 03 Apr, 2019 1 commit
  21. 31 Mar, 2019 1 commit
  22. 28 Mar, 2019 1 commit
  23. 27 Mar, 2019 3 commits
  24. 26 Mar, 2019 2 commits
  25. 25 Mar, 2019 2 commits
  26. 20 Mar, 2019 2 commits
  27. 19 Mar, 2019 1 commit