Commits · 7023644e0c310a3006c984318c2c111c468735b4 · Kirill Smelkov / cpython

04 Mar, 2018 2 commits

closes bpo-32980 Remove _PyFrame_Init (GH-5965) · 7023644e
Thomas Nyberg authored Mar 04, 2018

7023644e

bpo-32981: Fix catastrophic backtracking vulns (#5955) · 0e6c8ee2

Jamie Davis authored Mar 04, 2018

* Prevent low-grade poplib REDOS (CVE-2018-1060)

The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.

Replace it with a similar non-vulnerable regex.

The new regex is RFC compliant.
The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.

Replace it with an equivalent non-vulnerable regex.

Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>

0e6c8ee2

03 Mar, 2018 1 commit
- Fix missing coroutine declaration in the asyncio documentation. (#5964) · 13cfd57d
  Joongi Kim authored Mar 04, 2018
  
  13cfd57d
02 Mar, 2018 1 commit
- bpo-32964: Reuse a testing implementation of the path protocol in tests. (#5930) · b21d155f
  Serhiy Storchaka authored Mar 02, 2018
  
  b21d155f
01 Mar, 2018 3 commits
- bpo-30607: Use external python-doc-theme (GH-2017) · bf63e8d5
  Jon Wayne Parrott authored Mar 01, 2018
  
  bf63e8d5
- Fixed incorrect default value for dataclass unsafe_hash. (GH-5949) · 5da8cfb8
  Eric V. Smith authored Mar 01, 2018
  
  5da8cfb8
- bpo-32903: Fix a memory leak in os.chdir() on Windows (GH-5801) · 3e197c7a
  Alexey Izbyshev authored Mar 01, 2018
  
  3e197c7a
28 Feb, 2018 4 commits
- Fix typo in logging doc: picked -> pickled (GH-5942) · 982c7233
  James Walker authored Feb 28, 2018
  
  982c7233
- bpo-32940: IDLE: Simplify StringTranslatePseudoMapping in pyparse (GH-5862) · f0daa880
  Cheryl Sabella authored Feb 28, 2018
```
The new code also runs faster.
```
  f0daa880
- Fix 3.8 whatsnew changelog link · 45ab51c1
  Ned Deily authored Feb 28, 2018
  
  45ab51c1
- Minor improvements to the Windows build/release process (GH-5935) · 881323db
  Steve Dower authored Feb 27, 2018
  
  881323db
27 Feb, 2018 12 commits

bpo-30928: Update idlelib/NEWS.txt, possibly for 3.7.0b2 (GH-5932) · 0954c9e9
Terry Jan Reedy authored Feb 27, 2018

0954c9e9
Revert "bpo-31961: subprocess now accepts path-like args (GH-4329)" (#5912) · be50a7b6
Serhiy Storchaka authored Feb 28, 2018
```
* Revert "bpo-31961: subprocess now accepts path-like args (GH-4329)"

This reverts commit dd42cb71.
```
be50a7b6
Update macOS installer resources · cc5ac04c
Ned Deily authored Feb 27, 2018

cc5ac04c
bpo-32901: update macOS 10.9+ installer to Tcl/Tk 8.6.8 · 9189e95d
Ned Deily authored Feb 27, 2018

9189e95d
bpo-31355: Travis-CI: re-enable macOS job (#5858) · d7687eb4
Antoine Pitrou authored Feb 27, 2018
```
The long build queues that plagued macOS builds on Travis seem to be
a thing of the past now.
```
d7687eb4

bpo-10381, bpo-32403: What's new entries for changes to datetime (gh-5814) · 5bd04f96

Paul Ganssle authored Feb 27, 2018

* Add What's New entry for addition of datetime.timezone to the C API

Closes bpo-10381

* Add what's new entry for date and datetime optimizations

Closes bpo-32403

5bd04f96

bpo-31453: Add setter for min/max protocol version (#5259) · 698dde16

Christian Heimes authored Feb 27, 2018

OpenSSL 1.1 has introduced a new API to set the minimum and maximum
supported protocol version. The API is easier to use than the old
OP_NO_TLS1 option flags, too.

Since OpenSSL has no call to set minimum version to highest supported,
the implementation emulate maximum_version = MINIMUM_SUPPORTED and
minimum_version = MAXIMUM_SUPPORTED by figuring out the minumum and
maximum supported version at compile time.
Signed-off-by: Christian Heimes <christian@python.org>

698dde16

bpo-32951: Disable SSLSocket/SSLObject constructor (#5864) · 9d50ab56

Christian Heimes authored Feb 27, 2018

Direct instantiation of SSLSocket and SSLObject objects is now prohibited.
The constructors were never documented, tested, or designed as public
constructors. The SSLSocket constructor had limitations. For example it was
not possible to enabled hostname verification except was
ssl_version=PROTOCOL_TLS_CLIENT with cert_reqs=CERT_REQUIRED.

SSLContext.wrap_socket() and SSLContext.wrap_bio are the recommended API
to construct SSLSocket and SSLObject instances. ssl.wrap_socket() is
also deprecated.

The only test case for direct instantiation was added a couple of days
ago for IDNA testing.
Signed-off-by: Christian Heimes <christian@python.org>

9d50ab56

bpo-28124: deprecate ssl.wrap_socket() (#5888) · 90f05a52

Christian Heimes authored Feb 27, 2018

The ssl module function ssl.wrap_socket() has been de-emphasized
and deprecated in favor of the more secure and efficient
SSLContext.wrap_socket() method.
Signed-off-by: Christian Heimes <christian@python.org>

90f05a52

bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes (#5663) · 05d9fe32

Christian Heimes authored Feb 27, 2018

* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes

Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.

I'm going to address these issues when OpenSSL 1.1.1 reaches beta.

OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>

05d9fe32

bpo-32960: For dataclasses, disallow inheriting frozen from non-frozen classes... · 2fa6b9ea

Eric V. Smith authored Feb 26, 2018

bpo-32960: For dataclasses, disallow inheriting frozen from non-frozen classes and vice-versa, (GH-5919)

This restriction will be relaxed at a future date.

2fa6b9ea

bpo-32713: Fix tarfile.itn for large/negative float values. (GH-5434) · 72d9b2be
Joffrey F authored Feb 26, 2018

72d9b2be

26 Feb, 2018 8 commits
- bpo-32222: Fix pygettext skipping docstrings for funcs with arg typehints (GH-4745) · eee72d47
  Tobotimus authored Feb 27, 2018
  
  eee72d47
- bpo-32836: Remove obsolete code from symtable pass (GH-5680) · 3a087bed
  Nitish Chandra authored Feb 27, 2018
```
When comprehensions switched to using a nested scope, the old
code for generating a temporary name to hold the accumulation
target became redundant, but was never actually removed.

Patch by Nitish Chandra.
```
  3a087bed
- bpo-32147: Improved perfomance of binascii.unhexlify(). (GH-4586) · 6b5df906
  Sergey Fedoseev authored Feb 27, 2018
  
  6b5df906
- bpo-32394: Remove some TCP options on old version Windows. (GH-5523) · 19e7d48c
  animalize authored Feb 27, 2018
  
  19e7d48c
- Revert unneccessary changes made in bpo-30296 and apply other improvements. (GH-2624) · 3f2e6f15
  Serhiy Storchaka authored Feb 26, 2018
  
  3f2e6f15
- bpo-32922: dbm.open() now encodes filename with the filesystem encoding. (GH-5832) · 6f600ff1
  Serhiy Storchaka authored Feb 26, 2018
  
  6f600ff1
- Fix 'deecorator' typo in test/test_dataclasses (GH-5899) · 973cae07
  Terry Jan Reedy authored Feb 25, 2018
  
  973cae07
- bpo-32929: Dataclasses: Change the tri-state hash parameter to the boolean unsafe_hash. (#5891) · dbf9cff4
  Eric V. Smith authored Feb 25, 2018
```
unsafe_hash=False is now the default. It is the same behavior as the old hash=None parameter. unsafe_hash=True will try to add __hash__. If it already exists, TypeError is raised.
```
  dbf9cff4
25 Feb, 2018 9 commits
- Update PR template file, don't reference bpo 12345 (GH-5897) · 9c17e3a1
  Mariatta authored Feb 25, 2018
```
Fixes https://github.com/python/core-workflow/issues/223
```
  9c17e3a1
- bpo-31454: Include information about "import X as Y" in Modules tutorial (GH-4041) · fbee8824
  Mario Corchero authored Feb 25, 2018
  
  fbee8824
- bpo-25059: Clarify the print separator usage in tutorial (GH-5879) · 84c4b0cc
  Cheryl Sabella authored Feb 25, 2018
```
By default `print` adds spaces between its arguments.
```
  84c4b0cc
- bpo-32622: Native sendfile on windows (#5565) · a19fb3c6
  Andrew Svetlov authored Feb 25, 2018
```
* Support sendfile on Windows Proactor event loop naively.
```
  a19fb3c6
- Delete a broken threading.local example (#5870) · 5fb632e8
  Aaron Gallagher authored Feb 25, 2018
```
This code never did anything correct or useful. The class attribute will never be affected, and the condition will never be true.
```
  5fb632e8
- bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (#5876) · 29eab553
  Christian Heimes authored Feb 25, 2018
```
Signed-off-by: Christian Heimes <christian@python.org>
```
  29eab553
- bpo-32647: Link ctypes extension with libdl. (#5550) · 5bb96925
  Christian Heimes authored Feb 25, 2018
```
The ctypes module used to depend on indirect linking for dlopen. The shared
extension is now explicitly linked against libdl on platforms with dl.
Signed-off-by: Christian Heimes <christian@python.org>
```
  5bb96925
- bpo-31809: test secp ECDH curves (#4036) · b7b92258
  Christian Heimes authored Feb 25, 2018
```
Add tests to verify connection with secp384r1 ECDH curves.
```
  b7b92258
- bpo-17232: Clarify docs for -O and -OO command line options (#5839) · 186b606d
  Cheryl Sabella authored Feb 24, 2018
```
The 'optimization' is for space in the executable file, not for run time.
```
  186b606d