Age | Commit message (Collapse) | Author |
|
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
|
|
(GH-113179) (GH-113186) (GH-118177) (GH-118472)
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
[1] https://github.com/python/cpython/issues/61602
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
|
|
(cherry picked from commit c9829eec0883a8991ea4d319d965e123a3cf6c20)
|
|
(GH-117996) (GH-118005)
(cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
This fixes XML unittest fallout from the https://github.com/python/cpython/issues/115398 security fix. When configured using `--with-system-expat` on systems with older pre 2.6.0 versions of libexpat, our unittests were failing.
(cherry picked from commit 9f74e86c78853c101a23e938f8e32ea838d8f62e)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
|
|
|
|
|
(GH-115210) (GH-116068)
Use of a proxy is intended to defer DNS for the hosts to the proxy itself, rather than a potential for information leak of the host doing DNS resolution itself for any reason. Proxy bypass lists are strictly name based. Most implementations of proxy support agree.
(cherry picked from commit c43b26d02eaa103756c250e8d36829d388c5f3be)
Co-authored-by: Weii Wang <weii.wang@canonical.com>
|
|
(GH-115623) (GH-116272)
Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425) by adding five new methods:
- `xml.etree.ElementTree.XMLParser.flush`
- `xml.etree.ElementTree.XMLPullParser.flush`
- `xml.parsers.expat.xmlparser.GetReparseDeferralEnabled`
- `xml.parsers.expat.xmlparser.SetReparseDeferralEnabled`
- `xml.sax.expatreader.ExpatParser.flush`
Based on the "flush" idea from https://github.com/python/cpython/pull/115138#issuecomment-1932444270 .
Includes code suggested-by: Snild Dolkow <snild@sony.com>
and by core dev Serhiy Storchaka.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
SSL_ERROR_SYSCALL (GH-107586) (#107590)
(cherry picked from commit 77e09192b5f1caf14cd5f92ccb53a4592e83e8bc)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
Co-authored-by: T. Wouters <thomas@python.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
Manual backport due to code differences.
(cherry picked from commit e071b0d558b2f5cddd5a9fc6afadb4ba109ec77e)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
(GH-115400) (GH-115763)
Doc/library/xml.rst: Document CVE-2023-52425 under "XML vulnerabilities"
(cherry picked from commit fbd40ce46e7335a5dbaf48a3aa841be22d7302ba)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
|
|
Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
(#115655)
(cherry picked from commit 17a6533dbf5ffdfd707c1514a61423d9ac59a9cb)
Co-authored-by: Ned Deily <nad@python.org>
|
|
Pin theme to fix code snippets
|
|
(cherry picked from commit dc8893af7df706138161d82ce7d1d2f9132d14f9)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
|
|
(cherry picked from commit 618d7256e78da8200f6e2c6235094a1ef885dca4)
Co-authored-by: Zachary Ware <zach@python.org>
|
|
(cherry picked from commit 74208ed0c440244fb809d8acc97cb9ef51e888e3)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
(GH-109928) (GH-114184)
(cherry picked from commit 9dbfe2dc8e7bba25e52f9470ae6969821a365297)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
(GH-114022) (GH-114039)
(cherry picked from commit 94b1d1fa38ada8cf7d196184a04a195c152eed75)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
|
|
(GH-113915)
Raise BadZipFile when try to read an entry that overlaps with other entry or
central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
(GH-99930) (GH-112842)
(cherry picked from commit 81c16cd94ec38d61aa478b9a452436dc3b1b524d)
Co-authored-by: Søren Løvborg <sorenl@unity3d.com>
|
|
(GH-13503) (GH-112600)
* Fix a crash when pass UINT_MAX.
* Fix an integer overflow on 64-bit non-Windows platforms.
(cherry picked from commit 0daf555c6fb3feba77989382135a58215e1d70a5)
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
|
|
(cherry picked from commit dcb16c98be61630369227f0d893f8d9262d25cac)
Co-authored-by: Steve Dower <steve.dower@python.org>
|
|
multissltests to use 1.1.1w and 3.0.11. (GH-110008)
(cherry picked from commit c88037d137a98d7c399c7bd74d5117b5bcae1543)
|
|
Alabaster is Sphinx's dependency. Alabaster 0.7.14 released on 2024-01-08 dropped support for Sphinx 3.3 and earlier.
https://alabaster.readthedocs.io/en/latest/changelog.html
|
|
Add 'regen-configure' make target
|
|
read out of bounds (gh-111695) (gh-111780)
(cherry picked from commit c8faa3568afd255708096f6aa8df0afa80cf7697)
Co-authored-by: Masayuki Moriyama <masayuki.moriyama@miraclelinux.com>
|
|
(#109008)
Output with one wheel:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
Verifying checksum for /Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl.
Expected digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be
Actual digest: 7ccf472345f20d35bdc9d1841ff5f313260c2c33fe417f48c30ac46cccabf5be
::notice file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Successfully verified the checksum of the pip wheel.
```
Output with two wheels:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl::Found more than one wheel for package pip.
::error file=/Volumes/RAMDisk/cpython/Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl::Found more than one wheel for package pip.
```
Output without wheels:
```
❯ GITHUB_ACTIONS=true ./Tools/build/verify_ensurepip_wheels.py
::error file=::Could not find a pip wheel on disk.
```
(cherry picked from commit f8a047941f2e4a1848700c21d58a08c9ec6a9c68)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
|
(GH-108908) (#108925)
(cherry picked from commit 5970435b26fc85c83490bc915c894ea7dd0fbf21)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
|
|
|
|
|
|
|
|
(#108407)
* In preauth tests of test_ssl, explicitly break reference cycles
invoving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
(#108351)
Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.
This test leak was introduced by the test added for the fix of GH-108310.
(cherry picked from commit 64f99350351bc46e016b2286f36ba7cd669b79e3)
Co-authored-by: Victor Stinner <vstinner@python.org>
|
|
1.1.1v, 3.0.10, and 3.1.2. (#108123)
[3.9] gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.
(cherry picked from commit 441797d4ffb12acda257370b9e5e19ed8d6e8a71)
|
|
(#108274)
(cherry picked from commit acbd3f9c5c5f23e95267714e41236140d84fe962)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Lumír 'Frenzy' Balhar <frenzy.madness@gmail.com>
|
|
(GH-99613) (GH-107224) (#107231)
Previously *consumed was not set in this case.
(cherry picked from commit f08e52ccb027f6f703302b8c1a82db9fd3934270).
(cherry picked from commit b8b3e6afc0a48c3cbb7c36d2f73e332edcd6058c)
|
|
flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
|
|
(cherry picked from commit 34e93d3998bab8acd651c50724eb1977f4860a08)
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
|
|
docs gh-105269 (GH-105468) (#105477)
(cherry picked from commit acf3916e84158308660ed07c474a564e045d6884)
Co-authored-by: Federico Caselli <CaselIT@users.noreply.github.com>
|
|
|
|
|
|
checked with PyErr_Occurred (GH-105185) (#105221)
(cherry picked from commit ee26ca13a129da8cf549409d0a1b2e892ff2b4ec)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
|
|
(GH-105200) (#105205)
Upgrade builds to OpenSSL 1.1.1u.
Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.
Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).
(cherry picked from commit ede89af)
Co-authored-by: Ned Deily <nad@python.org>
|
|
|
|
|