Permalink
Commits on Feb 15, 2021
-
[3.6] bpo-42967: only use '&' as a query string separator (GH-24297) (G…
…H-24532) bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
4 people committedFeb 15, 2021
Commits on Jan 18, 2021
Commits on Jan 1, 2021
Commits on Dec 14, 2020
-
bpo-40791: Make compare_digest more constant-time. (GH-23438) (GH-23767)
The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization. (This is change GH-1 from https://bugs.python.org/issue40791 .) (cherry picked from commit 3172936) Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
Commits on Nov 10, 2020
-
bpo-35560: Remove assertion from format(float, "n") (GH-11288) (GH-23231
) Fix an assertion error in format() in debug build for floating point formatting with "n" format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan. (cherry picked from commit 3f7983a) Co-authored-by: Xtreak <tir.karthi@gmail.com>
-
[3.6] bpo-42103: Improve validation of Plist files. (GH-22882) (GH-23118
) * Prevent some possible DoS attacks via providing invalid Plist files with extremely large number of objects or collection sizes. * Raise InvalidFileException for too large bytes and string size instead of returning garbage. * Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN). * Raise InvalidFileException instead of TypeError for non-hashable dict keys. * Add more tests for invalid Plist files.. (cherry picked from commit 34637a0) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Commits on Oct 22, 2020
-
[3.6] Remove 3.5 from Doc version switcher in master. (GH-22886) (#22891
) (cherry picked from commit 283f9a2)
Commits on Oct 20, 2020
Commits on Aug 17, 2020
Commits on Jul 19, 2020
Commits on Jul 15, 2020
Commits on Jul 13, 2020
Commits on Jul 6, 2020
Commits on Jun 30, 2020
-
[3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6In…
…terface (GH-21033) (GH-21232) CVE-2020-14422 The __hash__() methods of classes IPv4Interface and IPv6Interface had issue of generating constant hash values of 32 and 128 respectively causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of XOR operation (cherry picked from commit b30ee26) Co-authored-by: Ravi Teja P <rvteja92@gmail.com> Signed-off-by: Tapas Kundu <tkundu@vmware.com>
Commits on Jun 18, 2020
Commits on May 27, 2020
-
bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. (cherry picked from commit 614f172) Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Commits on May 23, 2020
Commits on May 19, 2020
Commits on Apr 3, 2020
-
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH…
…-19304) The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 0b297d4)
-
bpo-40156: Copy Codecov configuration from master (GH-19306)
Disable "Codevov patch" job on pull requests.
Commits on Mar 14, 2020
Commits on Feb 13, 2020
Commits on Feb 4, 2020
-
closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH…
…-18350) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net> Co-authored-by: Philipp Gesang <phg@phi-gamma.net>