python / cpython

… (GH-24544)

(cherry picked from commit 813db24)

Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>

…H-24531)

bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
(cherry picked from commit fcbe0cb)

…ng in ctypes param reprs. (GH-24249)

(cherry picked from commit 916610e)

Co-authored-by: Benjamin Peterson <benjamin@python.org>

(cherry picked from commit de6f20a)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

…H-24037) (GH-24041)

(cherry picked from commit ec31653)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

Up until now, the `multiprocessing.pool.ThreadPool` class has gone
undocumented, despite being a public class in multiprocessing that is
included in `multiprocessing.pool.__all__`.
(cherry picked from commit 84ebcf2)

Co-authored-by: Matt Wozniski <mwozniski@bloomberg.net>

… to v2.1.3. (GH-23596)

* build(deps): bump actions/cache from v2.1.2 to v2.1.3 (23582)

Bumps [actions/cache](https://github.com/actions/cache) from v2.1.2 to v2.1.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](actions/cache@v2.1.2...0781355)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a43fea8)

* [3.7] build(deps): bump actions/cache from v2.1.2 to v2.1.3 (23582)

Bumps [actions/cache](https://github.com/actions/cache) from v2.1.2 to v2.1.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](actions/cache@v2.1.2...0781355)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>.
(cherry picked from commit a43fea8)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.

(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 3172936)

Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>

* bpo-42336: Improve PCbuild batch files (GH-23325)

* Remove ARM platforms

* Prevent some possible DoS attacks via providing invalid Plist files
  with extremely large number of objects or collection sizes.
* Raise InvalidFileException for too large bytes and string size instead of returning garbage.
* Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
* Raise InvalidFileException instead of TypeError for non-hashable dict keys.
* Add more tests for invalid Plist files..
(cherry picked from commit 34637a0)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

)

(cherry picked from commit 283f9a2)

…CJK codec tests (GH-22566) (GH-22578)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

…-22801)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>

…when using gcc>9 (GH-22598). (GH-22601)

(cherry picked from commit 27ac19c)

Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>

Note: macOS 11 is not yet released, this release of Python is not
fully supported on 11.0, and not all tests pass.

…row() (GH-7467) (GH-21878)

(cherry picked from commit 52698c7)

Co-authored-by: Yury Selivanov <yury@magic.io>

… the GC docs (GH-21703) (GH-21788)

Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
(cherry picked from commit 82ca8fa)

Co-authored-by: Yaroslav Pankovych <31005942+P-Alban@users.noreply.github.com>

(cherry picked from commit 76643c1)

Co-authored-by: Ram Rachum <ram@rachum.com>

)

reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>

…GH-21524)

(cherry picked from commit 164b04c)

Co-authored-by: Steve Dower <steve.dower@python.org>

…1484)

Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121)

Co-authored-by: Rishi <rishi_devan@mail.com>

…H-21461)

Automerge-Triggered-By: @tiran
(cherry picked from commit 4f309ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

…() (GH-21389)

(cherry picked from commit aebc049)

Co-authored-by: Zackery Spytz <zspytz@gmail.com>

…when Python is embedded (GH-21297) (#21298)

* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.

* Add CVE number

…terface (GH-21033) (GH-21231)

CVE-2020-14422
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26)

Co-authored-by: Ravi Teja P <rvteja92@gmail.com>

Signed-off-by: Tapas Kundu <tkundu@vmware.com>

(cherry picked from commit 8ea6353)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>

…GH-20949)

Signed-off-by: Christian Heimes <christian@python.org>

Automerge-Triggered-By: @tiran.
(cherry picked from commit bb6ec14)

Co-authored-by: Christian Heimes <christian@python.org>