Cherry-picked from 66d47da8.

This is a manual backport of ca7fe506 since 2.7 has `http.cookiejar` in `cookielib`


https://bugs.python.org/issue35121

If urlparse.urlsplit() detects an invalid netloc according to NFKC
normalization, the error message type is now str rather than unicode,
and use repr() to format the URL, to prevent <exception str() failed>
when display the error message.

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

https://bugs.python.org/issue34836

(cherry picked from commit dc247650)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

This avoids the search dialogs being hidden behind the editor window.

(cherry picked from commit 554450fb)

(cherry picked from commit 59e7bbca)
Co-authored-by: Julien Palard <julien@palard.fr>

(cherry picked from commit d3371691)
Co-authored-by: cclauss <cclauss@me.com>

* bpo-12639: msilib.Directory.start_component() fails if *keyfile* is not None (GH-13688)

msilib.Directory.start_component() was passing an extra argument to CAB.gen_id().
(cherry picked from commit c8d5bf6c)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

Patch by Kojo Idrissa.
(cherry picked from commit 1b4abcf3)
Co-authored-by: Kojo Idrissa <kojoidrissa@users.noreply.github.com>


https://bugs.python.org/issue33071

https://bugs.python.org/issue33006

Skip the test if xrange(sys.maxsize) raises an OverflowError.

Fix possible overflow in wrap_lenfunc() when
sizeof(long) < sizeof(Py_ssize_t) (e.g., 64-bit Windows).

(cherry picked from commit 05f16416)

modified:   Lib/ctypes/test/test_unicode.py
 	modified:   Misc/ACKS
 	new file:   Misc/NEWS.d/next/Library/2019-05-23-15-57-36.bpo-36713.sjPhnf.rst

Test also URLopener().open(), URLopener().retrieve(), and
DummyURLopener().retrieve().

 CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().

Disallow control chars in http URLs in urllib2.urlopen.  This
addresses a potential security problem for applications that do not
sanity check their URLs where http request headers could be injected.

Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when
python is built without SSL to fix test failures.

Use httplib.InvalidURL instead of ValueError as the new error case's
exception. (GH-13044)

Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>

(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)

Notes on backport to Python 2.7:

* test_urllib tests urllib.urlopen() which quotes the URL and so is
  not vulerable to HTTP Header Injection.
* Add tests to test_urllib2 on urllib2.urlopen().
* Reject non-ASCII characters: range 0x80-0xff.

(cherry picked from commit 53d378c8)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

TLS 1.3 has a more efficient handshake protocol. The client can reject the server's credentials and close the connection before the server has even finished writing out all of its initial data. Depending on whether the server finishes writing the rest of its handshake before the it sees the connection is reset, the server will read an empty line or see a ECONNRESET OSError. Nothing is really wrong here with the server or client, so just suppress the error output in the OSError case to fix the test.

This fix isn't required in Python 3 because clients that reject the server's certificate will shut down the TLS layer before closing the TCP connection.

(cherry picked from commit f0be4bbb)

[2.7] bpo-35925: Skip SSL tests that fail due to weak external certs or old TLS (GH-13124) (GH-13253)

Modern Linux distros such as Debian Buster have default OpenSSL system
configurations that reject connections to servers with weak certificates
by default. This causes our test suite run with external networking
resources enabled to skip these tests when they encounter such a
failure.

Fixing the network servers is a separate issue.
(cherry picked from commit 2cc0223f)

Changes to test_ssl.py required as 2.7 has legacy protocol tests.

The test_httplib.py change is omitted from this backport as
self-signed.pythontest.net's certificate was updated and the
test_nntplib.py change is not applicable on 2.7.

Authored-by: Gregory P. Smith greg@krypto.org

In Python-2.7, we were only searching for bind_textdomain_codeset in
libc.  We should have also checked for it in libintl.  This change from
Mel Flynn https://bugs.python.org/file24918/python27-configure.in.patch
fixes that.

* [2.7] bpo-36816: Update the self-signed.pythontest.net cert (GH-13192)

We updated the server, our testsuite must match.

https://bugs.python.org/issue36816

✈️ CLE -> DEN ✈️ #pycon2019 #beyonce
(cherry picked from commit 6bd81734)

The 2.7 tree also needed a certificate in the capath directory updated.
The filename for that was determined by `openssl x509 -in $cert.pem -subject_hash`.
Authored-by: Gregory P. Smith <greg@krypto.org>

Patch by Mike Taylor.

(cherry picked from commit c4e78b11)

(cherry picked from commit 11e4a941)
Co-authored-by: Xtreak <tir.karthi@gmail.com>

(cherry picked from commit ee0309f3)
Co-authored-by: Utkarsh Gupta <guptautkarsh2102@gmail.com>