GH-32241) (GH-32251)

(cherry picked from commit 6066739)

Co-authored-by: Zachary Ware <zach@python.org>

…other platforms (GH-32182)

…H-32111)

…fix (GH-31920) (GH-31925)

(cherry picked from commit 7088120)

Co-authored-by: Steve Dower <steve.dower@python.org>

…nSSL 1.1.1n. (GH-31911)

…GH-31907)

…th recent versions of clang. (GH-28845) (GH-31890)

Change the configure logic to function properly on macOS when the compiler
outputs a platform triplet for option --print-multiarch.
The Apple Clang included with Xcode 13.3 now supports --print-multiarch
causing configure to fail without this change.

Co-authored-by: Ned Deily <nad@python.org>
(cherry picked from commit 9c47667)

Co-authored-by: David Bohman <debohman@gmail.com>

…H-31882)

This reverts commit 0fbab8a
as it breaks test_bdb and test_distutils with installed Pythons.

(cherry picked from commit c99ac3c)

Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>

(cherry picked from commit d87f1b7)

Co-authored-by: Pradyun Gedam <pgedam@bloomberg.net>

(cherry picked from commit 176835c)

Co-authored-by: Steve Dower <steve.dower@python.org>

…16-3189 and CVE-2019-12900 (GH-31732) (GH-31735)

…ctly uses the install path during repair (GH-31730)

…1573)

Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e7256)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

(cherry picked from commit 1935e1c)

Co-authored-by: Dong-hee Na <donghee.na@python.org>

Automerge-Triggered-By: GH:benjaminp
(cherry picked from commit ba00f0d)

Co-authored-by: Benjamin Peterson <benjamin@python.org>

…) (GH-31418)

The libexpat 2.4.1 upgrade from  introduced the following new exported symbols:

* `testingAccountingGetCountBytesDirect`
* `testingAccountingGetCountBytesIndirect`
* `unsignedCharToPrintable`
* `XML_SetBillionLaughsAttackProtectionActivationThreshold`
* `XML_SetBillionLaughsAttackProtectionMaximumAmplification`

We need to adjust [Modules/expat/pyexpatns.h](https://github.com/python/cpython/blob/master/Modules/expat/pyexpatns.h)

(The newer libexpat upgrade  has no new symbols).

Automerge-Triggered-By: GH:gpshead
(cherry picked from commit 6312c10)

Co-authored-by: Yilei "Dolee" Yang <yileiyang@google.com>

Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them a invalid URIs.

libexpat >=2.4.5 has become strcter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae938)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>

Co-authored-by: Cyril Jouve <jv.cyril@gmail.com>

…7.1 (GH-31476)

Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the
fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy
is most used on Windows and macOS.

Co-authored-by: Victor Stinner <vstinner@python.org>

Co-authored-by: Łukasz Langa <lukasz@langa.pl>.
(cherry picked from commit 3fc5d84)

…8037)

Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 0897253)

GH-27946) (GH-27975)

Various date parsing utilities in the email module, such as
email.utils.parsedate(), are supposed to gracefully handle invalid
input, typically by raising an appropriate exception or by returning
None.

The internal email._parseaddr._parsedate_tz() helper used by some of
these date parsing routines tries to be robust against malformed input,
but unfortunately it can still crash ungracefully when a non-empty but
whitespace-only input is passed. This manifests as an unexpected
IndexError.

In practice, this can happen when parsing an email with only a newline
inside a ‘Date:’ header, which unfortunately happens occasionally in the
real world.

Here's a minimal example:

    $ python
    Python 3.9.6 (default, Jun 30 2021, 10:22:16)
    [GCC 11.1.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import email.utils
    >>> email.utils.parsedate('foo')
    >>> email.utils.parsedate(' ')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/email/_parseaddr.py", line 176, in parsedate
        t = parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 50, in parsedate_tz
        res = _parsedate_tz(data)
      File "/usr/lib/python3.9/email/_parseaddr.py", line 72, in _parsedate_tz
        if data[0].endswith(',') or data[0].lower() in _daynames:
    IndexError: list index out of range

The fix is rather straight-forward: guard against empty lists, after
splitting on whitespace, but before accessing the first element.
(cherry picked from commit 989f6a3)

Co-authored-by: wouter bolsterlee <wouter@bolsterl.ee>

It wasn't actually detecting the regression due to the
assertion being too lenient.
(cherry picked from commit e60ab84)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…or 3.7.11 (GH-26267)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

…00 Continue (GH-25916) (GH-25934)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>