https://github.com/python/cpython

Revision Author Date Message Commit Date
8d21aa2 Add empty 2.7.18 NEWS file. 19 April 2020, 21:13:39 UTC
8323757 Bump version to 2.7.18. 19 April 2020, 21:12:51 UTC
f2f950e Remove incorrect comma. (GH-19604) 19 April 2020, 14:08:18 UTC
0fc82e9 [2.7] Doc: Add an optional obsolete header. (GH-19229) 18 April 2020, 22:55:10 UTC
7a41638 Bump version to 2.7.18rc1. 04 April 2020, 16:54:14 UTC
c6bfd04 Make 2.7.18rc1 release notes. 04 April 2020, 16:53:42 UTC
8a0a500 Update macOS installer build for 2.7.18 end-of-life. (GH-19352) 04 April 2020, 00:34:39 UTC
ba8a2bc [2.7] closes bpo-40125: Update multissltests.py to use OpenSSL 1.1.1f. (GH-19251) (cherry picked from commit cd16661f903153ecac55f190ed682e576c5deb24) 01 April 2020, 01:52:23 UTC
e176e0c [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052) Add host validation for control characters for more CVE-2019-18348 protection. (cherry picked from commit 83fc70159b24) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> 19 March 2020, 01:35:44 UTC
249706c Doc: Change Python 2 status to EOL. (GH-17885) (cherry picked from commit f4800b8ed3dbe15a0078869a836d968ab3362b8c) Co-authored-by: Inada Naoki <songofacandy@gmail.com> 07 January 2020, 06:56:57 UTC
5bba602 bpo-27973 - Use test.support.temp_dir instead of NamedTemporaryFile for the (#17774) desired behavior under windows platform. Suggestion by David Bolen 04 January 2020, 02:14:18 UTC
ecd572a Update copyright year in macOS installer license copy (GH-17806) (cherry picked from commit 32f1443aa98db769d87db497b45bd0dcb732445b) Co-authored-by: Ned Deily <nad@python.org> 03 January 2020, 03:44:03 UTC
aa5b196 [2.7] Bring Python into the next decade. (GH-17805) (cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53) Co-authored-by: Benjamin Peterson <benjamin@python.org> 03 January 2020, 03:10:06 UTC
f82e59a [2.7] bpo-27973 - Fix for urllib.urlretrieve() failing on second ftp transfer (#1040) * bpo-27973: Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. * bpo-35411: Skip test_urllibnet FTP tests on Travis CI. 31 December 2019, 05:14:56 UTC
362ede2 [2.7] Minor C API documentation improvements. (GH-17699) (cherry picked from commit 5c7ed7550ec2da16d7679e538fcd7c1a5631811f) Co-authored-by: William Ayd <william.ayd@icloud.com> 25 December 2019, 04:34:38 UTC
5f2c134 bpo-38295: prevent test_relative_path of test_py_compile failure on macOS Catalina (GH-17636) (cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e) Co-authored-by: Ned Deily <nad@python.org> 17 December 2019, 09:16:33 UTC
052f47e bpo-38730: Replace strncpy in import.c with memcpy. (GH-17633) In all these cases, we know the exact length we want copied, so memcpy is the right function to use. 17 December 2019, 00:39:57 UTC
de44813 bpo-39035: travis: Don't use beta group (GH-17605) 14 December 2019, 14:02:55 UTC
a016d4e [2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418). (#17452) (cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a) Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com> 03 December 2019, 18:18:52 UTC
8642071 document threading.Lock.locked() (GH-17427) (cherry picked from commit fdafa1d0ed0a8930b52ee81e57c931cc4d5c2388) Co-authored-by: idomic <michael.ido@gmail.com> 01 December 2019, 20:12:09 UTC
e649903 bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (GH-17345)

The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS).

LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to

    \d+-\w+-\d+(\s*\s*\s*)$

Therefore, a long sequence of spaces can trigger bad performance.

Matching a malicious string such as

    LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")

caused catastrophic backtracking.

The fix removes ambiguity about which \s* should match a particular space.

You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g.

    from http.server import BaseHTTPRequestHandler, HTTPServer

    def make_set_cookie_value(n_spaces):
        spaces = " " * n_spaces
        expiry = f"1-c-1{spaces}!"
        return f"b;Expires={expiry}"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.log_request(204)
            self.send_response_only(204)  # Don't bother sending Server and Date
            n_spaces = (
                int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
                if len(self.path) > 1
                else 65506  # Max header line length 65536
            )
            value = make_set_cookie_value(n_spaces)
            for i in range(99):  # Not necessary, but we can have up to 100 header lines
                self.send_header("Set-Cookie", value)
            self.end_headers()

    if __name__ == "__main__":
        HTTPServer(("", 44020), Handler).serve_forever()

This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete.

Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html :

    import http.cookiejar, urllib.request
    cj = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    r = opener.open("http://localhost:44020/")

The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default):

    import requests
    requests.get("http://localhost:44020/")

* Regression test for http.cookiejar REDoS

If we regress, this test will take a very long time.

* Improve performance of http.cookiejar.ISO_DATE_RE

A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.

(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)

24 November 2019, 15:49:23 UTC
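A regression-style check for the ambiguity described in the commit message above, added here as an example and not code from the commit or from CPython. AMBIGUOUS_RE is the simplified three-\s* pattern the message quotes, UNAMBIGUOUS_RE is a constructed equivalent with a single \s* (an illustration of the principle, not the actual patch to LOOSE_HTTP_DATE_RE), and the hostile value is the one the message gives; the match runs in a child process so a catastrophic case is killed instead of hanging the test run.

```python
import multiprocessing
import re

# Constructed, simplified patterns modelled on the commit message.
# AMBIGUOUS_RE has three adjacent \s* groups: a run of n spaces can be split
# between them in O(n^3) ways, and every split is tried before the final "$"
# gives up on the trailing "!".  UNAMBIGUOUS_RE gives each space exactly one
# place to go, so the same failure is reported after a single pass.
AMBIGUOUS_RE = re.compile(r"\d+-\w+-\d+(\s*\s*\s*)$")
UNAMBIGUOUS_RE = re.compile(r"\d+-\w+-\d+(\s*)$")


def crafted_expiry(n_spaces):
    """The Expires value shape quoted in the commit: "1-c-1" + spaces + "!"."""
    return "1-c-1" + (" " * n_spaces) + "!"


def _match_in_child(pattern, text):
    # Runs in a separate process so a catastrophic match can be abandoned.
    pattern.match(text)


def completes_within(pattern, text, seconds):
    """Return True if pattern.match(text) finishes within `seconds`.

    Same idea as the regression test the commit adds: a pattern that
    backtracks catastrophically is terminated rather than left running.
    """
    proc = multiprocessing.Process(target=_match_in_child, args=(pattern, text))
    proc.start()
    proc.join(seconds)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return False
    return True


def same_decisions(samples):
    """Both patterns must accept and reject exactly the same inputs."""
    return all(
        bool(AMBIGUOUS_RE.match(s)) == bool(UNAMBIGUOUS_RE.match(s))
        for s in samples
    )


if __name__ == "__main__":
    hostile = crafted_expiry(2000)  # the size quoted in the commit message
    print("unambiguous finishes:", completes_within(UNAMBIGUOUS_RE, hostile, 2.0))
    print("ambiguous finishes:  ", completes_within(AMBIGUOUS_RE, hostile, 2.0))
```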
9f94e52 bpo-38730: Remove usage of stpncpy as it's not supported on MSVC 2008. (GH-17081) 07 November 2019, 15:27:03 UTC
f32bcf8 [2.7] bpo-38730: Fix -Wstringop-truncation warnings. (GH-17075) 07 November 2019, 15:06:28 UTC
089e5f5 bpo-37731: Squish another _POSIX_C_SOURCE redefinition problem in expat. (GH-17077) 07 November 2019, 05:29:43 UTC
30114c7 bpo-37731: Reorder includes in xmltok.c to avoid redefinition of _POSIX_C_SOURCE (GH-16733) (cherry picked from commit 8177404d520e81f16324a900f093adf3856d33f8) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> 07 November 2019, 05:10:05 UTC
7356e10 bpo-38557: Improve documentation for list and tuple C API. (GH-16925) (cherry picked from commit d898d20e8c228229eb68e545f544db13f246f216) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> 26 October 2019, 20:04:13 UTC
493fef6 [2.7] bpo-38535: Fix positions for AST nodes for calls without arguments in decorators. (GH-16861). (GH-16931) (cherry picked from commit 26ae9f6d3d755734c9f371b9356325afe5764813) 26 October 2019, 14:30:30 UTC
c80955c Update URL in macOS installer copy of license (GH-16905) (cherry picked from commit 01659ca62c4508518478a74615ac91c0009427ad) Co-authored-by: Ned Deily <nad@python.org> 23 October 2019, 20:15:56 UTC
009a692 bpo-37025: AddRefActCtx() shouldn't be checked for failure (GH-16897) AddRefActCtx() does not return a value. 23 October 2019, 18:15:55 UTC
9978a95 Fix Zope URL (GH-16880) (cherry picked from commit dfe726b1ace03f206f45253b93ed7610473ae20f) Co-authored-by: Kyle Stanley <aeros167@gmail.com> 22 October 2019, 09:48:33 UTC
ccdfeb7 [2.7] bpo-38540: Fix possible leak in PyArg_Parse for "es#" and "et#". (GH-16869). (GH-16877) (cherry picked from commit 5bc6a7c06eda20ba131ecba6752be0506d310181) 21 October 2019, 18:40:30 UTC
c9ed34f Work around Path.glob() issue when creating nuget package (GH-16855) 20 October 2019, 01:25:35 UTC
b02f692 2.2.17+ 19 October 2019, 20:03:22 UTC
c2f86d8 Empty blurb file for 2.7.17. 19 October 2019, 18:38:44 UTC
74ceb35 Bump version to 2.7.17 final. 19 October 2019, 18:37:52 UTC
6c4f841 Update doc switcher list for 3.8.0 (GH-16809) (cherry picked from commit 3f36043db22361500f52634f2b8de49dde0e7da9) Co-authored-by: Ned Deily <nad@python.org> 19 October 2019, 17:52:07 UTC
4ae38ba Update build docs for macOS (GH-16844) 19 October 2019, 09:35:44 UTC
dedb99a bpo-32758: Warn that ast.parse() and ast.literal_eval() can segfault the interpreter (GH-5960) (GH-16565) (cherry picked from commit 7a7f100eb352d08938ee0f5ba59c18f56dc4a7b5) Co-authored-by: Brett Cannon <brettcannon@users.noreply.github.com> 18 October 2019, 08:00:22 UTC
8eb27cc bpo-32758: Warn that compile() can crash when compiling to an AST object (GH-6043) (GH-16566) (cherry picked from commit f7a6ff6fcab32a53f262ba3f8a072c27afc330d7) Co-authored-by: Brett Cannon <brettcannon@users.noreply.github.com> 18 October 2019, 08:00:03 UTC
bef8d9a Doc: 3.8 is now stable. (GH-16790) (GH-16794) (cherry picked from commit 4504b4500d2a1a80c26b27b0bfff8b624d5ce06c) Co-authored-by: Julien Palard <julien@palard.fr> 14 October 2019, 22:22:18 UTC
2c9d70a [2.7] Update macOS installer display files for 2.7.17 (GH-16768) 14 October 2019, 08:39:00 UTC
0bd59d6 [2.7] bpo-31036: Allow sphinx and blurb to be found automatically (GH-16638) Rather than requiring the path to blurb and/or sphinx-build to be specified to the make rule, enhance the Doc/Makefile to look for each first in a virtual environment created by make venv and, if not found, look on the normal process PATH. This allows the Doc/Makefile to take advantage of an installed sphinx-build or blurb and, thus, do the right thing most of the time. Also, make the directory for the venv be configurable and document the `make venv` target. (cherry picked from commit 590665c399fc4aa3c4a9f8e7104d43a02e9f3a0c) Co-authored-by: Ned Deily <nad@python.org> 08 October 2019, 03:57:05 UTC
e78d79c bpo-35036: Remove empty log line in the suspicious.py tool (GH-10024) Previous to commit ee171a2 the logline was working because of self.info() (now deprecated) defaults to an empty message. (cherry picked from commit c3f52a59ce8406d9e59253ad4621e4749abdaeef) Co-authored-by: Xtreak <tirkarthi@users.noreply.github.com> 08 October 2019, 03:43:53 UTC
d9b3216 bpo-31589 : Build PDF using xelatex for better UTF8 support. (GH-3940) Also addresses doc build failures documented in bpo-32200. (cherry picked from commit 7324b5ce8e7c031a0a3832a6a8d7c639111ae0ff) Co-authored-by: Julien Palard <julien@palard.fr> 08 October 2019, 03:42:51 UTC
c9a195e [2.7] Stop using deprecated logging API in Sphinx suspicious checker (GH-16635) (cherry picked from commit ee171a26c1169abfae534b08acc0d95c6e45a22a) Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> 08 October 2019, 03:37:45 UTC
1c7b141 Update macOS installer displays for 2.7.17rc1 (#16634) 08 October 2019, 02:13:04 UTC
a6df224 Bump version to 2.7.17rc1. 08 October 2019, 02:03:32 UTC
89dea46 Roll up news for 2.7.17rc1. 08 October 2019, 02:01:18 UTC
f5b1abb [2.7] bpo-38216, bpo-36274: Allow subclasses to separately override validation and encoding behavior (GH-16476) Backporting this change, I observe a couple of things: 1. The _encode_request call is no longer meaningful because the request construction will implicitly encode the request using the default encoding when the format string is used (request = '%s %s %s'...). In order to keep the code as consistent as possible, I decided to include the call as a pass-through. I'd be just as happy to remove it entirely, but I'll leave that up to the reviewer to decide. It's okay that this functionality is disabled on Python 2 because this functionality was mainly around bpo-36274, which was mainly a concern with the transition to Python 3. 2. Because _encode_request is no longer meaningful, neither is the test for it, so I've removed that test. Therefore, the meaningful part of this test is that for bpo-38216, adding a (underscore-protected) hook to customize/disable validation. (cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com> 08 October 2019, 02:00:01 UTC
e7e58fe [2.7] bpo-37664: Update ensurepip bundled wheels, again (GH-16633) (cherry picked from commit 10c452b894d95fed06056fe11e8fe8e1a2a60040) Co-authored-by: Pradyun Gedam <pradyunsg@gmail.com> 08 October 2019, 01:54:05 UTC
c5abd63 bpo-38106: Fix race in pthread PyThread_release_lock() (GH-16047)

Fix race in PyThread_release_lock that was leading to memory corruption and deadlocks. The fix applies to POSIX systems where Python locks are implemented with mutex and condition variable because POSIX semaphores are either not provided, or are known to be broken. One particular example of such system is macOS.

On Darwin, even though this is considered as POSIX, Python uses mutex+condition variable to implement its lock, and, as of 2019-08-28, Py2.7 implementation, even though similar issue was fixed for Py3 in 2012, contains synchronization bug: the condition is signalled after mutex unlock while the correct protocol is to signal condition from under mutex:

    https://github.com/python/cpython/blob/v2.7.16-127-g0229b56d8c0/Python/thread_pthread.h#L486-L506
    https://github.com/python/cpython/commit/187aa545165d (py3 fix)

PyPy has the same bug for both pypy2 and pypy3:

    https://bitbucket.org/pypy/pypy/src/578667b3fef9/rpython/translator/c/src/thread_pthread.c#lines-443:465
    https://bitbucket.org/pypy/pypy/src/5b42890d48c3/rpython/translator/c/src/thread_pthread.c#lines-443:465

Signalling condition outside of corresponding mutex is considered OK by POSIX, but in Python context it can lead to at least memory corruption if we consider the whole lifetime of python level lock. For example the following logical scenario (T1 and T2 are two threads, shown in the order the steps happen):

    T1:  sema = Lock()
    T1:  sema.acquire()

    T2:  sema.release()

    T1:  sema.acquire()
    T1:  free(sema)

    ...

can translate to the next C-level calls:

    T1:  # sema = Lock()
         sema = malloc(...)
         sema.locked = 0
         pthread_mutex_init(&sema.mut)
         pthread_cond_init (&sema.lock_released)

    T1:  # sema.acquire()
         pthread_mutex_lock(&sema.mut)
         # sees sema.locked == 0
         sema.locked = 1
         pthread_mutex_unlock(&sema.mut)

    T2:  # sema.release()
         pthread_mutex_lock(&sema.mut)
         sema.locked = 0
         pthread_mutex_unlock(&sema.mut)

         # OS scheduler gets in and relinquishes control from T2
         # to another process
         ...

    T1:  # second sema.acquire()
         pthread_mutex_lock(&sema.mut)
         # sees sema.locked == 0
         sema.locked = 1
         pthread_mutex_unlock(&sema.mut)

    T1:  # free(sema)
         pthread_mutex_destroy(&sema.mut)
         pthread_cond_destroy (&sema.lock_released)
         free(sema)

    T1:  # ...
         e.g. malloc() which returns memory where sema was

    T2:  ...
         # OS scheduler returns control to T2
         # sema.release() continues
         #
         # BUT sema was already freed and writing to anywhere
         # inside sema block CORRUPTS MEMORY. In particular if
         # _another_ python-level lock was allocated where sema
         # block was, writing into the memory can have effect on
         # further synchronization correctness and in particular
         # lead to deadlock on lock that was next allocated.
         pthread_cond_signal(&sema.lock_released)

Note that T2.pthread_cond_signal(&sema.lock_released) CORRUPTS MEMORY as it is called when sema memory was already freed and is potentially reallocated for another object.

The fix is to move pthread_cond_signal to be done under corresponding mutex:

    # sema.release()
    pthread_mutex_lock(&sema.mut)
    sema.locked = 0
    pthread_cond_signal(&sema.lock_released)
    pthread_mutex_unlock(&sema.mut)

To do so this patch cherry-picks thread_pthread.h part of the following 3.2 commit:

    commit 187aa545165d8d5eac222ecce29c8a77e0282dd4
    Author: Kristján Valur Jónsson <kristjan@ccpgames.com>
    Date:   Tue Jun 5 22:17:42 2012 +0000

        Signal condition variables with the mutex held. Destroy condition variables before their mutexes.

     Python/ceval_gil.h      |  9 +++++----
     Python/thread_pthread.h | 15 +++++++++------
     2 files changed, 14 insertions(+), 10 deletions(-)

(ceval_gil.h is Python3 specific and does not apply to Python2.7)

The bug was there since 1994 - since at least [1]. It was discussed in 2001 with original code author[2], but the code was still considered to be race-free. In 2010 the place where pthread_cond_signal should be - before or after pthread_mutex_unlock - was discussed with the rationale to avoid threads bouncing[3,4,5], and in 2012 pthread_cond_signal was moved to be called from under mutex, but only for CPython3[6,7].

In 2019 the bug was (re-)discovered while testing Pygolang[8] on macOS with CPython2 and PyPy2 and PyPy3.

[1] https://github.com/python/cpython/commit/2c8cb9f3d240
[2] https://bugs.python.org/issue433625
[3] https://bugs.python.org/issue8299#msg103224
[4] https://bugs.python.org/issue8410#msg103313
[5] https://bugs.python.org/issue8411#msg113301
[6] https://bugs.python.org/issue15038#msg163187
[7] https://github.com/python/cpython/commit/187aa545165d
[8] https://pypi.org/project/pygolang

(cherry picked from commit 187aa545165d8d5eac222ecce29c8a77e0282dd4)
Co-Authored-By: Kristján Valur Jónsson <kristjan@ccpgames.com>

03 October 2019, 07:06:52 UTC
403ca7e [2.7] bpo-38338, test.pythoninfo: add more ssl infos (GH-16543) test.pythoninfo now logs environment variables used by OpenSSL and Python ssl modules, and logs attributes of 3 SSL contexts (SSLContext, default HTTPS context, stdlib context). (cherry picked from commit 1df1c2f8df53d005ff47af81aa02c58752b84e20) 02 October 2019, 16:36:32 UTC
8eb6415 [2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447) Escape the server title of DocXMLRPCServer.DocXMLRPCServer when rendering the document page as HTML. 01 October 2019, 10:58:00 UTC
598f676 [2.7] bpo-38301: In Solaris family, we must be sure to use '-D_REENTRANT' (GH-16446). (#16454) (cherry picked from commit 52d1b86bde2b772a76919c76991c326384954bf1) Co-authored-by: Jesús Cea <jcea@jcea.es> 28 September 2019, 03:09:24 UTC