reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
GCC says
```
../cpython/Parser/string_parser.c: In function ‘fstring_find_expr’:
../cpython/Parser/string_parser.c:404:93: warning: ‘cols’ may be used uninitialized in this function [-Wmaybe-uninitialized]
404 | p2->starting_col_offset = p->tok->first_lineno == p->tok->lineno ? t->col_offset + cols : cols;
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
../cpython/Parser/string_parser.c:384:16: note: ‘cols’ was declared here
384 | int lines, cols;
| ^~~~
../cpython/Parser/string_parser.c:403:45: warning: ‘lines’ may be used uninitialized in this function [-Wmaybe-uninitialized]
403 | p2->starting_lineno = t->lineno + lines - 1;
| ~~~~~~~~~~~~~~~~~~^~~
../cpython/Parser/string_parser.c:384:9: note: ‘lines’ was declared here
384 | int lines, cols;
| ^~~~~
```
and, indeed, if `PyBytes_AsString` somehow fails, lines & cols will not be initialized.
(cherry picked from commit 2ad7e9c011)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
This should also fix the syntax highlighting for these code blocks
Automerge-Triggered-By: @csabella
(cherry picked from commit 5e5c0f9866)
Co-authored-by: Christopher Yeh <chrisyeh96@users.noreply.github.com>
Move definition of UNUSED from modified headers of libmpdec to
_decimal.c itself. This makes the vendored source closer to the
standalone library and fixes build with --with-system-libmpdec.
Tested to build fine with either system libmpdec or the vendored one.
(cherry picked from commit 015efdbef7)
Co-authored-by: Felix Yan <felixonmars@archlinux.org>
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f)
Co-authored-by: Rishi <rishi_devan@mail.com>
Automerge-Triggered-By: @encukou
The phrase "At any time during execution," was repeated twice.
Automerge-Triggered-By: @Mariatta
(cherry picked from commit 4f28f75dee)
Co-authored-by: Paul McMillan <paul@mcmillan.ws>
The issue is triggered by the bytearray() + bytearray() operation.
Detected by GCC 10 static analysis tool.
(cherry picked from commit 61fc23ca10)
Co-authored-by: stratakis <cstratak@redhat.com>
Keywords are present in the main module tab completion lists generated by rlcompleter, which is used by REPLs on *nix. Add all keywords to IDLE's main module name list except those already added from builtins (True, False, and None). This list may also be used by Show Completions on the Edit menu, and its hot key.
Rewrite Completions doc.
Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>
(cherry picked from commit bce2eb4646)
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
The running loop holder cache variable was always set to NULL when
calling set_running_loop.
Now set_running_loop saves the newly created running loop holder in the
cache variable for faster access in get_running_loop.
Automerge-Triggered-By: @1st1
(cherry picked from commit 529f42645d)
Co-authored-by: Tony Solomonik <tony.solomonik@gmail.com>
3.8.3 had a regression where compiling with
ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would aggressively mark things as
coroutines even if they were not.
(cherry picked from commit bd46174)
Co-authored-by: Matthias Bussonnier <bussonniermatthias@gmail.com>
Also enables using debug build of `python3_d.dll`
Reference: CVE-2020-15523
(cherry picked from commit dcbaa1b49c)
Co-authored-by: Steve Dower <steve.dower@python.org>
* improve control flow docs
* Add also
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
(cherry picked from commit d12af71047)
Co-authored-by: Joannah Nanjekye <33177550+nanjekyejoannah@users.noreply.github.com>
* Clarify number of scopes
* Indicate 3 or 4
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
(cherry picked from commit 9ed3cd8ba0)
Co-authored-by: Joannah Nanjekye <33177550+nanjekyejoannah@users.noreply.github.com>
It doesn't use PyUnicode_EncodeDecimal. It uses a private API instead.
(cherry picked from commit 9c84417122)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
PyUnicode_EncodeDecimal and PyUnicode_TransformDecimalToASCII
are deprecated since Python 3.3.
But Py_DEPRECATED(3.3) was commented out.
(cherry picked from commit 13c90e82b6)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
* bpo-41194: Pass module state in Python-ast.c (GH-21284)
Rework asdl_c.py to pass the module state to functions in
Python-ast.c, instead of using astmodulestate_global.
Handle also PyState_AddModule() failure in init_types().
(cherry picked from commit 74419f0c64)
* bpo-41194: The _ast module cannot be loaded more than once (GH-21290)
Fix a crash in the _ast module: it can no longer be loaded more than
once. It now uses a global state rather than a module state.
* Move _ast module state: use a global state instead.
* Set _astmodule.m_size to -1, so the extension cannot be loaded more
than once.
(cherry picked from commit 91e1bc18bd)