| b8cbe74 | Steve Dower | 09 December 2019, 19:05:39 UTC | bpo-39008: Require Py_ssize_t for PySys_Audit formats rather than raise a deprecation warning (GH-17540) | 09 December 2019, 19:05:39 UTC |
| ac22911 | Pablo Galindo | 09 December 2019, 17:57:50 UTC | bpo-39003: Make sure all test are the same when using -R in test_unparse (GH-17537) | 09 December 2019, 17:57:50 UTC |
| c18b805 | Tim Gates | 09 December 2019, 17:42:17 UTC | bpo-39002: Fix simple typo: tranlation -> translation (GH-17517) | 09 December 2019, 17:42:17 UTC |
| e89e159 | Steve Dower | 09 December 2019, 16:43:13 UTC | Fix APPX registry key generation (GH-17489) | 09 December 2019, 16:43:13 UTC |
| a1a99b4 | Victor Stinner | 09 December 2019, 16:34:02 UTC | bpo-20443: No longer make sys.argv[0] absolute for script (GH-17534) In Python 3.9.0a1, sys.argv[0] was made an asolute path if a filename was specified on the command line. Revert this change, since most users expect sys.argv to be unmodified. | 09 December 2019, 16:34:02 UTC |
| d219cc4 | Yury Selivanov | 09 December 2019, 14:54:20 UTC | bpo-34776: Fix dataclasses to support __future__ "annotations" mode (#9518) | 09 December 2019, 14:54:20 UTC |
| bba873e | Mark Dickinson | 09 December 2019, 14:36:34 UTC | bpo-38992: avoid fsum test failure from constant-folding (GH-17513) * Issue 38992: avoid fsum test failure * Add NEWS entry | 09 December 2019, 14:36:34 UTC |
| ab513a3 | Kyle Stanley | 09 December 2019, 14:21:10 UTC | bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (#17311) | 09 December 2019, 14:21:10 UTC |
| 82b4950 | Victor Stinner | 09 December 2019, 14:02:03 UTC | bpo-39006: Fix asyncio when the ssl module is missing (GH-17524) Fix asyncio when the ssl module is missing: only check for ssl.SSLSocket instance if the ssl module is available. | 09 December 2019, 14:02:03 UTC |
| 0131aba | Victor Stinner | 09 December 2019, 13:09:14 UTC | bpo-38916: array.array: remove fromstring() and tostring() (GH-17487) array.array: Remove tostring() and fromstring() methods. They were aliases to tobytes() and frombytes(), deprecated since Python 3.2. | 09 December 2019, 13:09:14 UTC |
| a1838ec | Victor Stinner | 09 December 2019, 10:57:05 UTC | bpo-38547: Fix test_pty if the process is the session leader (GH-17519) Fix test_pty: if the process is the session leader, closing the master file descriptor raises a SIGHUP signal: simply ignore SIGHUP when running the tests. | 09 December 2019, 10:57:05 UTC |
| 109fc27 | Batuhan Taşkaya | 09 December 2019, 04:36:27 UTC | bpo-38673: dont switch to ps2 if the line starts with comment or whitespace (GH-17421) https://bugs.python.org/issue38673 | 09 December 2019, 04:36:27 UTC |
| 3ae4ea1 | Abhilash Raj | 09 December 2019, 01:37:34 UTC | bpo-38708: email: Fix a potential IndexError when parsing Message-ID (GH-17504) Fix a potential IndexError when passing an empty value to the message-id parser. Instead, HeaderParseError should be raised. | 09 December 2019, 01:37:34 UTC |
| 68157da | Abhilash Raj | 09 December 2019, 01:35:38 UTC | bpo-38698: Add a new InvalidMessageID token to email header parser. (GH-17503) This adds a new InvalidMessageID token to the email header parser which can be used to represent invalid message-id headers in the parse tree. | 09 December 2019, 01:35:38 UTC |
| 080ee5a | Victor Stinner | 08 December 2019, 20:55:58 UTC | bpo-38858: Fix ref leak in pycore_interp_init() (GH-17512) bpo-38858, bpo-38997: _PySys_Create() returns a strong reference to the sys module: Py_DECREF() is needed when we are done with the module. | 08 December 2019, 20:55:58 UTC |
| 526606b | Batuhan Taşkaya | 08 December 2019, 20:31:15 UTC | bpo-38994: Implement __class_getitem__ for PathLike (GH-17498) https://bugs.python.org/issue38994 | 08 December 2019, 20:31:15 UTC |
| cd90a52 | Elena Oat | 08 December 2019, 20:14:38 UTC | bpo-38669: patch.object now raises a helpful error (GH17034) This means a clearer message is now shown when patch.object is called with two string arguments, rather than a class and a string argument. | 08 December 2019, 20:14:38 UTC |
| 28c9163 | AMIR | 08 December 2019, 11:35:59 UTC | bpo-38979: fix ContextVar "__class_getitem__" method (GH-17497) now contextvars.ContextVar "__class_getitem__" method returns ContextVar class, not None. https://bugs.python.org/issue38979 Automerge-Triggered-By: @asvetlov | 08 December 2019, 11:35:59 UTC |
| 00ada2c | xdegaye | 08 December 2019, 07:40:14 UTC | bpo-38852: Set thread stack size to 8 Mb for debug builds on android platforms (GH-17337) | 08 December 2019, 07:40:14 UTC |
| 6cac113 | Victor Stinner | 08 December 2019, 07:38:16 UTC | bpo-38991: Remove test.support.strip_python_stderr() (GH-17490) test.support: run_python_until_end(), assert_python_ok() and assert_python_failure() functions no longer strip whitespaces from stderr. | 08 December 2019, 07:38:16 UTC |
| 2b7de66 | Christian Heimes | 07 December 2019, 16:59:36 UTC | bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) test_openssl_version now accepts version 3.0.0. getpeercert() no longer returns IPv6 addresses with a trailing new line. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38820 | 07 December 2019, 16:59:36 UTC |
| 15fb7fa | Daniel Himmelstein | 07 December 2019, 14:14:40 UTC | bpo-29636: json.tool: Add document for indentation options. (GH-17482) And updated test to use subprocess.run | 07 December 2019, 14:14:40 UTC |
| 4443450 | Anj-A | 07 December 2019, 12:53:13 UTC | bpo-38652: Remove provisional note for asyncio.BufferedProtocol (GH-17047) https://bugs.python.org/issue38652 | 07 December 2019, 12:53:12 UTC |
| 892f9e0 | idomic | 07 December 2019, 11:52:36 UTC | bpo-37404: Raising value error if an SSLSocket is passed to asyncio functions (GH-16457) https://bugs.python.org/issue37404 | 07 December 2019, 11:52:35 UTC |
| 969ae7a | Andrew Svetlov | 07 December 2019, 11:23:21 UTC | Make repr of C accelerated TaskWakeupMethWrapper the same as of pure Python version (GH-17484) | 07 December 2019, 11:23:21 UTC |
| 7ddcd0c | Andrew Svetlov | 07 December 2019, 11:22:00 UTC | bpo-38529: Fix asyncio stream warning (GH-17474) | 07 December 2019, 11:22:00 UTC |
| dec3672 | Batuhan Taşkaya | 07 December 2019, 11:05:07 UTC | bpo-38978: Implement __class_getitem__ for asyncio objects (GH-17491) https://bugs.python.org/issue38978 | 07 December 2019, 11:05:07 UTC |
| 723f71a | Benoit Hudson | 06 December 2019, 19:15:03 UTC | bpo-37931: Fix crash on OSX re-initializing os.environ (GH-15428) On most platforms, the `environ` symbol is accessible everywhere. In a dylib on OSX, it's not easily accessible, you need to find it with _NSGetEnviron. The code was caching the *value* of environ. But a setenv() can change the value, leaving garbage at the old value. Fix: don't cache the value of environ, just read it every time. | 06 December 2019, 19:15:03 UTC |
| e76ee1a | Victor Stinner | 06 December 2019, 15:32:41 UTC | bpo-38982: Fix asyncio PidfdChildWatcher on waitpid() error (GH-17477) If waitpid() is called elsewhere, waitpid() call fails with ChildProcessError: use return code 255 in this case, and log a warning. It ensure that the pidfd file descriptor is closed if this error occurs. | 06 December 2019, 15:32:41 UTC |
| b64334c | Mario Corchero | 06 December 2019, 14:27:38 UTC | bpo-36820: Break unnecessary cycle in socket.py, codeop.py and dyld.py (GH-13135) Break cycle generated when saving an exception in socket.py, codeop.py and dyld.py as they keep alive not only the exception but user objects through the ``__traceback__`` attribute. https://bugs.python.org/issue36820 Automerge-Triggered-By: @pablogsal | 06 December 2019, 14:27:38 UTC |
| efefe25 | wim glenn | 06 December 2019, 06:44:01 UTC | bpo-27413: json.tool: Add --no-ensure-ascii option. (GH-17472) | 06 December 2019, 06:44:01 UTC |
| d863ade | Victor Stinner | 06 December 2019, 02:37:07 UTC | bpo-38858: Add pycore_interp_init() code to factorize code (GH-17483) Add a new pycore_interp_init() function called by new_interpreter() and pyinit_config(). | 06 December 2019, 02:37:07 UTC |
| 81fe5bd | Victor Stinner | 06 December 2019, 01:43:30 UTC | bpo-38858: new_interpreter() reuses _PySys_Create() (GH-17481) new_interpreter() now calls _PySys_Create() to create a new sys module isolated from the main interpreter. It now calls _PySys_InitCore() and _PyImport_FixupBuiltin(). init_interp_main() now calls _PySys_InitMain(). | 06 December 2019, 01:43:30 UTC |
| 44ea525 | Steve Dower | 05 December 2019, 23:32:04 UTC | Fix unquoted YAML in Windows release build (GH-17479) | 05 December 2019, 23:32:04 UTC |
| 4da4400 | Pablo Galindo | 05 December 2019, 16:18:27 UTC | Remove unused variable in Python/pylifecycle.c (GH-17475) | 05 December 2019, 16:18:27 UTC |
| 1f9f69d | Sergey Fedoseev | 05 December 2019, 14:55:28 UTC | bpo-27961: Replace PY_LLONG_MAX, PY_LLONG_MIN and PY_ULLONG_MAX with standard macros (GH-15385) Use standard constants LLONG_MIN, LLONG_MAX and ULLONG_MAX. | 05 December 2019, 14:55:28 UTC |
| 99eb70a | Hill Ma | 05 December 2019, 12:40:12 UTC | bpo-38951: Use threading.main_thread() check in asyncio (GH-17433) https://bugs.python.org/issue38951 | 05 December 2019, 12:40:12 UTC |
| bb81549 | Claudiu Popa | 05 December 2019, 03:14:26 UTC | bpo-38698: Prevent UnboundLocalError to pop up in parse_message_id (GH-17277) parse_message_id() was improperly using a token defined inside an exception handler, which was raising `UnboundLocalError` on parsing an invalid value. https://bugs.python.org/issue38698 | 05 December 2019, 03:14:26 UTC |
| 8b78796 | Victor Stinner | 04 December 2019, 20:10:06 UTC | bpo-38965: Fix faulthandler._stack_overflow() on GCC 10 (GH-17467) Use the "volatile" keyword to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma. | 04 December 2019, 20:10:06 UTC |
| 7105319 | serge-sans-paille | 04 December 2019, 16:02:57 UTC | bpo-38634: Allow non-apple build to cope with libedit (GH-16986) The readline module now detects if Python is linked to libedit at runtime on all platforms. Previously, the check was only done on macOS. If Python is used as a library by a binary linking to libedit, the linker resolves the rl_initialize symbol required by the readline module against libedit instead of libreadline, which leads to a segfault. Take advantage of the existing supporting code to have readline module being compatible with both situations. | 04 December 2019, 16:02:57 UTC |
| ac0e1c2 | Pablo Galindo | 04 December 2019, 11:51:03 UTC | bpo-38962: Fix reference leak in the per-subinterpreter gc (GH-17457) https://bugs.python.org/issue38962 Automerge-Triggered-By: @pablogsal | 04 December 2019, 11:51:03 UTC |
| b96c6b0 | Pablo Galindo | 04 December 2019, 11:19:59 UTC | bpo-38962: Fix reference leak in new_interpreter() (GH-17453) https://bugs.python.org/issue38962 Automerge-Triggered-By: @pablogsal | 04 December 2019, 11:19:59 UTC |
| 808769f | Inada Naoki | 04 December 2019, 09:39:31 UTC | bpo-33684: json.tool: Use utf-8 for infile and outfile. (GH-17460) | 04 December 2019, 09:39:31 UTC |
| 24f5cac | Pablo Galindo | 04 December 2019, 09:29:10 UTC | bpo-38962: Fix reference leak in test_httpservers (GH-17454) | 04 December 2019, 09:29:10 UTC |
| edd5b38 | Raymond Hettinger | 04 December 2019, 09:07:02 UTC | Add setobject.c (GH-17463) | 04 December 2019, 09:07:02 UTC |
| 83f1449 | Ethan Furman | 04 December 2019, 08:18:31 UTC | add @ethanfurman for tarfile (GH-17461) | 04 December 2019, 08:18:31 UTC |
| 0325794 | Daniel Himmelstein | 04 December 2019, 06:15:19 UTC | bpo-29636: Add --(no-)indent arguments to json.tool (GH-345) | 04 December 2019, 06:15:19 UTC |
| eb48a45 | An Long | 03 December 2019, 23:30:53 UTC | bpo-27873: Update docstring for multiprocessing.Pool.map (GH-17436) Update docstring for `multiprocessing.Pool.map` to mention `pool.starmap()`. Prev PR: https://github.com/python/cpython/pull/17367 @aeros https://bugs.python.org/issue27873 | 03 December 2019, 23:30:53 UTC |
| 8943318 | stratakis | 03 December 2019, 15:35:54 UTC | bpo-38270: Fix indentation of test_hmac assertions (GH-17446) Since https://github.com/python/cpython/commit/c64a1a61e6fc542cada40eb069a239317e1af36e two assertions were indented and thus ignored when running test_hmac. This PR fixes it. As the change is quite trivial I didn't add a NEWS entry. https://bugs.python.org/issue38270 | 03 December 2019, 15:35:54 UTC |
| a62ad47 | Matthew Rollings | 02 December 2019, 22:25:21 UTC | bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (#17418) | 02 December 2019, 22:25:21 UTC |
| 016b028 | Pablo Galindo | 02 December 2019, 18:09:43 UTC | Fix compiler warning in Objects/unicodeobject.c (GH-17440) | 02 December 2019, 18:09:43 UTC |
| 34864d1 | torsava | 02 December 2019, 16:15:42 UTC | bpo-38815: Accept TLSv3 default in min max test (GH-NNNN) (GH-17437) Make ssl tests less strict and also accept TLSv3 as the default maximum version. This change unbreaks test_min_max_version on Fedora 32. https://bugs.python.org/issue38815 | 02 December 2019, 16:15:42 UTC |
| 2fe4c48 | Dong-hee Na | 01 December 2019, 23:06:28 UTC | bpo-38449: Add URL delimiters test cases (#16729) * bpo-38449: Add tricky test cases * bpo-38449: Reflect codereview | 01 December 2019, 23:06:28 UTC |
| fdafa1d | idomic | 01 December 2019, 20:07:39 UTC | document threading.Lock.locked() (GH-17427) | 01 December 2019, 20:07:39 UTC |
| 575d0b4 | Ofek Lev | 01 December 2019, 05:44:21 UTC | Fix typos (GH-17423) | 01 December 2019, 05:44:21 UTC |
| 8d62df6 | Daniel Hillier | 30 November 2019, 08:30:47 UTC | bpo-37523: Raise ValueError for I/O operations on a closed zipfile.ZipExtFile. (GH-14658) Raises ValueError when calling the following on a closed zipfile.ZipExtFile: read, readable, seek, seekable, tell. | 30 November 2019, 08:30:47 UTC |
| 1df65f7 | Brett Cannon | 29 November 2019, 23:37:08 UTC | Fix old mention of virtualenv (GH-17417) Automerge-Triggered-By: @brettcannon | 29 November 2019, 23:37:08 UTC |
| bea33f5 | Steve Dower | 28 November 2019, 16:46:11 UTC | bpo-38920: Add audit hooks for when sys.excepthook and sys.unraisable hooks are invoked (GH-17392) Also fixes some potential segfaults in unraisable hook handling. | 28 November 2019, 16:46:11 UTC |
| 02519f7 | Tal Einat | 28 November 2019, 05:22:09 UTC | bpo-38524: clarify example a bit and improve formatting (GH-17406) | 28 November 2019, 05:22:09 UTC |
| d9aa216 | Tzu-ping Chung | 27 November 2019, 20:25:23 UTC | bpo-38927: Use python -m pip to upgrade venv deps (GH-17403) I suggest you add `bpo-NNNNN: ` as a prefix for the first commit for future PRs. Thanks! | 27 November 2019, 20:25:23 UTC |
| 045d4e2 | Tzu-ping Chung | 27 November 2019, 20:21:48 UTC | bpo-38928: Fix versionadded for venv's upgrade_deps function (GH-17404) | 27 November 2019, 20:21:48 UTC |
| ea9835c | Inada Naoki | 27 November 2019, 13:22:06 UTC | bpo-26730: Fix SpooledTemporaryFile data corruption (GH-17400) SpooledTemporaryFile.rollback() might cause data corruption when it is in text mode. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> | 27 November 2019, 13:22:06 UTC |
| 1bddf89 | Florian Dahlitz | 27 November 2019, 08:46:40 UTC | bpo-38524: document implicit and explicit calling of descriptors' __set_name__ (GH-17364) | 27 November 2019, 08:46:40 UTC |
| ce4b7a2 | Yoni Lavi | 27 November 2019, 05:08:50 UTC | Show the differing module names for readlink() (GH-17395) This was very confusing with the text for both being just `readlink()`. | 27 November 2019, 05:08:50 UTC |
| 1ef4c32 | Anthony Sottile | 27 November 2019, 04:54:46 UTC | Be more specific about the `.so` gitignore patterns (GH-17328) In GH-15823 the pattern was changed from `libpython*.so*` to `*.so*` which matches a bit too greedily for some packagers. For instance this trips up `debian/README.source`. A more specific pattern fixes this issue. | 27 November 2019, 04:54:46 UTC |
| 9bbcbc9 | Bruno P. Kinoshita | 27 November 2019, 01:10:37 UTC | bpo-38688, shutil.copytree: consume iterator and create list of entries to prevent infinite recursion (GH-17098) | 27 November 2019, 01:10:37 UTC |
| c7c01ab | Steve Dower | 27 November 2019, 00:27:50 UTC | bpo-38922: Raise code.__new__ audit event when code object replace() is called (GH-17394) | 27 November 2019, 00:27:50 UTC |
| 0b41a92 | HongWeipeng | 26 November 2019, 22:36:02 UTC | bpo-38045: Improve the performance of _decompose() in enum.py (GH-16483) * Improve the performance of _decompose() in enum.py Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com> | 26 November 2019, 22:36:02 UTC |
| e563a15 | Terry Jan Reedy | 26 November 2019, 17:07:48 UTC | bpo-38892: Improve docs for audit event (GH-17361) | 26 November 2019, 17:07:48 UTC |
| bc441ed | Karl Dubost | 26 November 2019, 16:38:41 UTC | bpo-22377: Fixes documentation for %Z in datetime (GH-16507) This fixes the issue discussed in https://bugs.python.org/issue22377 and fixes it according to the comments made by Paul Ganssle @pganssle * It clarifies which values are acceptable in the table * It extends the note with a clearer information on the valid values https://bugs.python.org/issue22377 | 26 November 2019, 16:38:41 UTC |
| 036fe85 | HongWeipeng | 26 November 2019, 07:54:49 UTC | bpo-27145: small_ints[x] could be returned in long_add and long_sub (GH-15716) | 26 November 2019, 07:54:49 UTC |
| 386d00c | David Coles | 26 November 2019, 06:31:09 UTC | Remove use of deprecated `array.fromstring` method (GH-17332) | 26 November 2019, 06:31:09 UTC |
| 6dd9b64 | Brandt Bucher | 26 November 2019, 06:16:53 UTC | bpo-38328: Speed up the creation time of constant list and set display. (GH-17114) | 26 November 2019, 06:16:53 UTC |
| e4db1f0 | Eddie Elizondo | 26 November 2019, 03:07:37 UTC | closes bpo-38803: Fix leak in posixmodule. (GH-17373) | 26 November 2019, 03:07:37 UTC |
| f8a6316 | Sanchit Khurana | 25 November 2019, 22:17:59 UTC | bpo-21063: Improve module synopsis for distutils (GH-17363) | 25 November 2019, 22:17:59 UTC |
| c6a7bdb | Stefan Behnel | 25 November 2019, 15:36:25 UTC | bpo-20928: support base-URL and recursive includes in etree.ElementInclude (#5723) * bpo-20928: bring elementtree's XInclude support en-par with the implementation in lxml by adding support for recursive includes and a base-URL. * bpo-20928: Support xincluding the same file multiple times, just not recursively. * bpo-20928: Add 'max_depth' parameter to xinclude that limits the maximum recursion depth to 6 by default. * Add news entry for updated ElementInclude support | 25 November 2019, 15:36:25 UTC |
| ded8888 | Pablo Galindo | 25 November 2019, 11:49:17 UTC | bpo-38870: Remove dependency on contextlib to avoid performance regression on import (GH-17376) https://bugs.python.org/issue38870 Automerge-Triggered-By: @pablogsal | 25 November 2019, 11:49:17 UTC |
| e11f25d | Pablo Galindo | 25 November 2019, 11:16:39 UTC | Fix typo in Doc/whatsnew/3.9.rst (GH-17372) | 25 November 2019, 11:16:39 UTC |
| 27fc3b6 | Pablo Galindo | 24 November 2019, 23:02:40 UTC | bpo-38870: Expose a function to unparse an ast object in the ast module (GH-17302) Add ast.unparse() as a function in the ast module that can be used to unparse an ast.AST object and produce a string with code that would produce an equivalent ast.AST object when parsed. | 24 November 2019, 23:02:40 UTC |
| 6bf644e | Terry Jan Reedy | 24 November 2019, 21:29:29 UTC | bpo-38862: IDLE Strip Trailing Whitespace fixes end newlines (GH-17366) Extra newlines are removed at the end of non-shell files. If the file only has newlines after stripping other trailing whitespace, all are removed, as is done by patchcheck.py. | 24 November 2019, 21:29:29 UTC |
| 6f03b23 | Claudiu Popa | 24 November 2019, 19:15:08 UTC | bpo-38876: Raise pickle.UnpicklingError when loading an item from memo for invalid input (GH-17335) The previous code was raising a `KeyError` for both the Python and C implementation. This was caused by the specified index of an invalid input which did not exist in the memo structure, where the pickle stores what objects it has seen. The malformed input would have caused either a `BINGET` or `LONG_BINGET` load from the memo, leading to a `KeyError` as the determined index was bogus. https://bugs.python.org/issue38876 https://bugs.python.org/issue38876 | 24 November 2019, 19:15:08 UTC |
| e407646 | Batuhan Taşkaya | 24 November 2019, 16:46:18 UTC | Remove unnecessary variable definition (GH-17368) | 24 November 2019, 16:46:18 UTC |
| 665ad3d | Zac Hatfield-Dodds | 24 November 2019, 10:48:48 UTC | Better runtime TypedDict (GH-17214) This patch enables downstream projects inspecting a TypedDict subclass at runtime to tell which keys are optional. This is essential for generating test data with Hypothesis or validating inputs with typeguard or pydantic. | 24 November 2019, 10:48:48 UTC |
| 041d8b4 | Raymond Hettinger | 23 November 2019, 10:22:13 UTC | bpo-38881: choices() raises ValueError when all weights are zero (GH-17362) | 23 November 2019, 10:22:13 UTC |
| 84b1ff6 | Brett Cannon | 23 November 2019, 07:32:27 UTC | bpo-38899: virtual environment activation for fish should use `source` (GH-17359) The previously documented use of `.` is considered deprecated (https://fishshell.com/docs/current/commands.html#source). https://bugs.python.org/issue38899 Automerge-Triggered-By: @brettcannon | 23 November 2019, 07:32:27 UTC |
| d68b592 | Victor Stinner | 23 November 2019, 01:30:32 UTC | bpo-38896: Remove PyUnicode_ClearFreeList() function (GH-17354) Remove PyUnicode_ClearFreeList() function: the Unicode free list has been removed in Python 3.3. | 23 November 2019, 01:30:32 UTC |
| 14a89c4 | PypeBros | 22 November 2019, 23:19:08 UTC | bpo-38686: fix HTTP Digest handling in request.py (#17045) * fix HTTP Digest handling in request.py There is a bug triggered when server replies to a request with `WWW-Authenticate: Digest` where `qop="auth,auth-int"` rather than mere `qop="auth"`. Having both `auth` and `auth-int` is legitimate according to the `qop-options` rule in §3.2.1 of [[https://www.ietf.org/rfc/rfc2617.txt|RFC 2617]]: > qop-options = "qop" "=" <"> 1#qop-value <"> > qop-value = "auth" | "auth-int" | token > **qop-options**: [...] If present, it is a quoted string **of one or more** tokens indicating the "quality of protection" values supported by the server. The value `"auth"` indicates authentication; the value `"auth-int"` indicates authentication with integrity protection This is description confirmed by the definition of the [//n//]`#`[//m//]//rule// extended-BNF pattern defined in §2.1 of [[https://www.ietf.org/rfc/rfc2616.txt|RFC 2616]] as 'a comma-separated list of //rule// with at least //n// and at most //m// items'. When this reply is parsed by `get_authorization`, request.py only tests for identity with `'auth'`, failing to recognize it as one of the supported modes the server announced, and claims that `"qop 'auth,auth-int' is not supported"`. * 📜🤖 Added by blurb_it. * bpo-38686 review fix: remember why. * fix trailing space in Lib/urllib/request.py Co-Authored-By: Brandt Bucher <brandtbucher@gmail.com> | 22 November 2019, 23:19:08 UTC |
| 3ae38cc | Ethan Furman | 22 November 2019, 22:28:41 UTC | Update CODEOWNERS (#17356) Add Ethan Furman for enum, cgi, and cgitb. | 22 November 2019, 22:28:41 UTC |
| 2ec1a1b | Victor Stinner | 22 November 2019, 20:54:33 UTC | bpo-38858: new_interpreter() uses pycore_init_import_warnings() (GH-17353) | 22 November 2019, 20:54:33 UTC |
| 2582d46 | Victor Stinner | 22 November 2019, 18:24:49 UTC | bpo-38858: new_interpreter() reuses pycore_init_builtins() (GH-17351) new_interpreter() now calls _PyBuiltin_Init() to create the builtins module and calls _PyImport_FixupBuiltin(), rather than using _PyImport_FindBuiltin(tstate, "builtins"). pycore_init_builtins() is now responsible to initialize intepr->builtins_copy: inline _PyImport_Init() and remove this function. | 22 November 2019, 18:24:49 UTC |
| 82c83bd | Victor Stinner | 22 November 2019, 17:52:27 UTC | bpo-38858: _PyImport_FixupExtensionObject() handles subinterpreters (GH-17350) If _PyImport_FixupExtensionObject() is called from a subinterpreter, leave extensions unchanged and don't copy the module dictionary into def->m_base.m_copy. | 22 November 2019, 17:52:27 UTC |
| 42bc60e | Callum Ward | 22 November 2019, 16:57:14 UTC | closes bpo-29275: Remove Y2K reference from time module docs (GH-17321) The Y2K reference is not needed as it only points out that Python's use of C standard functions doesn't generally suffer from Y2K issues; the point regarding conventions for conversion of 2-digit years in :func:`strptime` is still valid. | 22 November 2019, 16:57:14 UTC |
| b005136 | Victor Stinner | 22 November 2019, 16:52:42 UTC | bpo-38858: Add init_interp_main() subfunction (GH-17347) Fix new_interpreter() error handling: undo it all if status is an exception. | 22 November 2019, 16:52:42 UTC |
| e0c9ab8 | Victor Stinner | 22 November 2019, 15:19:14 UTC | bpo-38858: Add init_set_builtins_open() subfunction (GH-17346) | 22 November 2019, 15:19:14 UTC |
| 1b779bf | bcaller | 22 November 2019, 14:22:11 UTC | bpo-38804: Fix REDoS in http.cookiejar (GH-17157) The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 # Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): # Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. | 22 November 2019, 14:22:11 UTC |
| 4e205b7 | Alex | 22 November 2019, 13:48:14 UTC | Fix quoted signature of setattrofunc (GH-17251) setattrofunc returns `int`, not `PyObject *`. | 22 November 2019, 13:48:14 UTC |
| 138e7bb | jacksonriley | 22 November 2019, 12:51:58 UTC | bpo-38866: Remove asyncore from test_pyclbr.py (GH-17316) Co-Authored-By: Kyle Stanley <aeros167@gmail.com> | 22 November 2019, 12:51:58 UTC |
| 3d48334 | Victor Stinner | 22 November 2019, 11:27:50 UTC | bpo-38858: Call _PyUnicode_Fini() in Py_EndInterpreter() (GH-17330) Py_EndInterpreter() now clears the filesystem codec. | 22 November 2019, 11:27:50 UTC |
| 310e2d2 | Victor Stinner | 22 November 2019, 09:58:00 UTC | bpo-36854: Fix refleak in subinterpreter (GH-17331) finalize_interp_clear() now explicitly clears the codec registry and then trigger a GC collection to clear all references. | 22 November 2019, 09:58:00 UTC |
| 91daa9d | Siwon Kang | 22 November 2019, 09:13:05 UTC | bpo-38863: Improve is_cgi() in http.server (GH-17312) is_cgi() function of http.server library does not currently handle a cgi script if one of the cgi_directories is located at the sub-directory of given path. Since is_cgi() in CGIHTTPRequestHandler class separates given path into (dir, rest) based on the first seen '/', multi-level directories like /sub/dir/cgi-bin/hello.py is divided into head=/sub, rest=dir/cgi-bin/hello.py then check whether '/sub' exists in cgi_directories = [..., '/sub/dir/cgi-bin']. This patch makes the is_cgi() keep expanding dir part to the next '/' then checking if that expanded path exists in the cgi_directories. Signed-off-by: Siwon Kang <kkangshawn@gmail.com> https://bugs.python.org/issue38863 | 22 November 2019, 09:13:05 UTC |
