python / cpython

It wasn't actually detecting the regression due to the
assertion being too lenient.
(cherry picked from commit e60ab84)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…or 3.6.14 (GH-26268)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…00 Continue (GH-25916) (GH-25935)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>

…H-25250)

Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1a)

Co-authored-by: Yeting Li <liyt@ios.ac.cn>

…newline and tabs (GH-25924)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d)
Co-authored-by: Senthil Kumaran <senthil@uthcode.com>
(cherry picked from commit 515a7bc)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b99947)

Co-authored-by: Victor Stinner <vstinner@python.org>

…H-24881) (GH-24882)

The IPv4 address value returned from the server in response to the PASV command
should not be trusted.  This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we're
already connected to.  This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.

For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True..
(cherry picked from commit 0ab152c)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 664d1d1)

…H-24532)

bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>

…ng in ctypes param reprs. (GH-24250)

(cherry picked from commit 916610e)

Co-authored-by: Benjamin Peterson <benjamin@python.org>

(cherry picked from commit de6f20a)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

…H-24037) (GH-24042)

(cherry picked from commit ec31653)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.

(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 3172936)

Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>

)

Fix an assertion error in format() in debug build for floating point
formatting with "n" format, zero padding and small width. Release build is
not impacted. Patch by Karthikeyan Singaravelan.
(cherry picked from commit 3f7983a)

Co-authored-by: Xtreak <tir.karthi@gmail.com>

)

* Prevent some possible DoS attacks via providing invalid Plist files
  with extremely large number of objects or collection sizes.
* Raise InvalidFileException for too large bytes and string size instead of returning garbage.
* Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
* Raise InvalidFileException instead of TypeError for non-hashable dict keys.
* Add more tests for invalid Plist files..
(cherry picked from commit 34637a0)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

)

(cherry picked from commit 283f9a2)

…CJK codec tests (GH-22566) (GH-22579)

(cherry picked from commit 2ef5caa)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

…H-22801) (GH-22804)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc7)

Co-authored-by: Ned Deily <nad@python.org>

)

reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>

Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121)

Co-authored-by: Rishi <rishi_devan@mail.com>

…H-21462)

Automerge-Triggered-By: @tiran
(cherry picked from commit 4f309ab)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

…when Python is embedded (GH-21298) (#21354)

* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21298)

* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.

* Add CVE number

* Updates for 3.6

…terface (GH-21033) (GH-21232)

CVE-2020-14422
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26)

Co-authored-by: Ravi Teja P <rvteja92@gmail.com>

Signed-off-by: Tapas Kundu <tkundu@vmware.com>

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f172)

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>

(cherry picked from commit 19e3e00)

Co-authored-by: Julien Palard <julien@palard.fr>

Co-authored-by: Julien Palard <julien@palard.fr>

…-19304)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4)