Commit Graph

13756 Commits

Author SHA1 Message Date
Antoine Pitrou dad182c16e Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers.

Reported by Sergey Bobrov.
2014-09-17 00:23:55 +02:00
Georg Brandl 860c367c29 Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
65536 bytes and send a 414 error code for higher lengths. Patch contributed
by Devin Cook.
2014-09-30 14:56:46 +02:00
Georg Brandl 21bf3f942b Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
weakrefs.
2014-09-30 14:54:39 +02:00
Georg Brandl eaca8616ab Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory.  Patch by Jyrki
Pulliainen.
2014-09-30 14:45:39 +02:00
Georg Brandl 210ee47e33 Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
limiting the call to readline().  Original patch by Christian Heimes.
2014-09-30 14:18:02 +02:00
Georg Brandl c9cb18d3f7 Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
limiting the call to readline().  Original patch by Michał
Jastrzębski and Giampaolo Rodola.
2014-09-30 14:12:24 +02:00
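The three CVE-2013-1752 commits above (poplib, smtplib, ftplib) and the #16037 header-count commit that follows all apply the same defence: never call readline() without a size, and refuse input that exceeds a fixed cap. The block below is an added illustration of that pattern, not code from CPython; the 2048-byte line cap and the 100-header cap are the figures the commit messages state, the exception names and the check_line/check_headers helpers are this example's own, and the server replies are constructed inputs.

```python
import io

# Caps taken from the commit messages: poplib limits lines to 2048 bytes and
# HTTPMessage.readheaders() refuses more than 100 headers.  smtplib and ftplib
# use their own constants; the pattern is identical.
MAXLINE = 2048
MAXHEADERS = 100


class LineTooLong(Exception):
    """Server sent a line longer than the configured cap (example's own type)."""


class TooManyHeaders(Exception):
    """Server sent more header lines than the configured cap (example's own type)."""


def bounded_readline(fp, maxline=MAXLINE):
    """Read one line, never buffering more than maxline + 1 bytes.

    An unbounded fp.readline() keeps accumulating until it sees a newline,
    so a hostile server that never sends one can exhaust client memory.
    Asking for at most maxline + 1 bytes bounds the allocation; getting
    more than maxline bytes back means the line is overlong (the extra
    byte is how "exactly maxline" is told apart from "longer than maxline").
    """
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("line longer than %d bytes" % maxline)
    return line


def read_headers(fp, maxheaders=MAXHEADERS, maxline=MAXLINE):
    """Read header lines up to the blank line, capped on both count and length."""
    headers = []
    while True:
        line = bounded_readline(fp, maxline)
        if line in (b"\r\n", b"\n", b""):       # blank line or EOF ends the headers
            return headers
        headers.append(line.rstrip(b"\r\n"))
        if len(headers) > maxheaders:
            raise TooManyHeaders("more than %d header lines" % maxheaders)


def check_line(data, maxline=MAXLINE):
    """Classify one constructed server reply: ('ok', line) or ('too-long', None)."""
    try:
        return "ok", bounded_readline(io.BytesIO(data), maxline)
    except LineTooLong:
        return "too-long", None


def check_headers(data, maxheaders=MAXHEADERS, maxline=MAXLINE):
    """Classify a constructed header block: ('ok', count) or the failure kind."""
    try:
        return "ok", len(read_headers(io.BytesIO(data), maxheaders, maxline))
    except LineTooLong:
        return "too-long", None
    except TooManyHeaders:
        return "too-many", None


if __name__ == "__main__":
    # Constructed inputs standing in for a POP3 server's replies.
    print(check_line(b"+OK 2 messages (320 octets)\r\n"))
    print(check_line(b"+OK " + b"A" * 100000 + b"\r\n"))   # never fully buffered
    print(check_headers(b"From: a@example.com\r\nSubject: hi\r\n\r\n"))
    flood = b"".join(b"X-%d: y\r\n" % i for i in range(101)) + b"\r\n"
    print(check_headers(flood))
```

The point of passing maxline + 1 rather than maxline is visible in the second call: the 100000-byte line is never read in full, and the client learns it is overlong after buffering only 2049 bytes. A rejected line leaves the stream mid-line, so a real client must close the connection rather than try to resynchronise.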
Georg Brandl f0746ca463 Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
100 headers are read.  Adapted from patch by Jyrki Pulliainen.
2014-09-30 14:08:04 +02:00
Georg Brandl ec3c103520 Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
inside subjectAltName correctly. Formerly the module had used OpenSSL's
GENERAL_NAME_print() function to get the string representation of ASN.1
strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and
``uniformResourceIdentifier`` (URI).
2014-09-30 14:04:51 +02:00
Ned Deily 915a30fb0d Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435.  Patch by Zach Byrne.
2014-07-12 22:06:26 -07:00
Benjamin Peterson 314dc126ce expect the correct platform-dependent linesep 2014-06-16 23:15:50 -07:00
Benjamin Peterson 73b8b1cdb8 url unquote the path before checking if it refers to a CGI script (closes #21766) 2014-06-14 18:36:29 -07:00
Benjamin Peterson 99b5afab74 in scan_once, prevent the reading of arbitrary memory when passed a negative index
Bug reported by Guido Vranken.
2014-04-13 22:10:38 -04:00
Benjamin Peterson ee5f1c13d1 remove directory mode check from makedirs (closes #21082) 2014-04-01 19:13:18 -04:00
Benjamin Peterson b4be376d16 use https docs url (#21115) 2014-03-31 13:44:53 -04:00
Benjamin Peterson cf25c5caae use ssl.PROTOCOL_SSLv23 for maximum compatibility (closes #20896) 2014-03-12 18:05:53 -05:00
Stefan Krah d9bed99fcb Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. 2014-01-21 22:58:40 +01:00
Benjamin Peterson 1b94030b37 update logo url (#20695) 2014-02-19 22:55:16 -05:00
Benjamin Peterson f6218a2191 open retrieved file in binary mode, since it's now compressed 2014-02-19 22:56:35 -05:00
Benjamin Peterson fbf648ebba complain when nbytes > buflen to fix possible buffer overflow (closes #20246) 2014-01-13 22:59:38 -05:00
Benjamin Peterson 35aca89617 merge 3.1 (#19435) 2013-10-30 12:48:59 -04:00
Benjamin Peterson 04e9de40f3 use the collapsed path in the run_cgi method (closes #19435) 2013-10-30 12:43:09 -04:00
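The two http.server commits above (#21766, percent-decode the path before the CGI check, and #19435, run the CGI on the collapsed path) are both about making the routing decision on the same normalised string that is later used to locate the file. The block below is an added example of that ordering, not CPython's CGIHTTPRequestHandler code: collapse_path and classify are this example's own helpers, the CGI directory list is an assumption, and the request paths are constructed.

```python
from urllib.parse import unquote

# Directories whose contents are executed rather than served.  Assumed for
# this example; a real handler takes them from its configuration.
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def collapse_path(path):
    """Resolve '.' and '..' segments without ever climbing above the root.

    Query string and fragment are split off first so they cannot smuggle
    path separators into the decision.  Returns (directory, filename):
    '/cgi-bin/../etc/passwd' collapses to ('/etc', 'passwd'), so a prefix
    check on the raw string says "CGI" while a check on the collapsed
    string correctly says "not CGI".
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:          # '..' at the root stays at the root
                parts.pop()
            continue
        parts.append(segment)
    if path.endswith("/") or not parts:
        return "/" + "/".join(parts), ""
    return "/" + "/".join(parts[:-1]), parts[-1]


def classify(raw_path, cgi_directories=CGI_DIRECTORIES):
    """Decide how a request path is handled: ('cgi', dir, script) or ('file', path).

    Percent-decoding comes first (the #21766 point) so '/cgi%2Dbin/x.py' is
    recognised as '/cgi-bin/x.py'; dot-segment collapse comes next (the #19435
    point) so '..' cannot change which directory the decision is made on.
    Only the collapsed form is used from here on.
    """
    decoded = unquote(raw_path)
    directory, name = collapse_path(decoded)
    in_cgi_tree = any(directory == d or directory.startswith(d + "/")
                      for d in cgi_directories)
    if in_cgi_tree and name:
        return "cgi", directory, name
    prefix = directory if directory == "/" else directory + "/"
    return "file", prefix + name


if __name__ == "__main__":
    # Constructed request paths, including the encoded and traversal forms.
    for p in ("/cgi-bin/test.py", "/cgi%2Dbin/test.py",
              "/cgi-bin/../etc/passwd", "/static/%2e%2e/cgi-bin/test.py",
              "/cgi-bin/sub/run.py?x=1", "/index.html"):
        print(p, "->", classify(p))
```

classify only decides the route. A server still has to map the collapsed path under its document root and confirm the target is an executable file; the example's contribution is that both the route and that later lookup see the same decoded, collapsed string, which is what the two fixes above restore.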
R David Murray 8270a2c209 Merge #14984: On POSIX, enforce permissions when reading default .netrc. 2013-09-17 20:32:54 -04:00
R David Murray 104aab956f #14984: On POSIX, enforce permissions when reading default .netrc.
Initial patch by Bruno Piguet.

This is implemented as if a useful .netrc file could exist without passwords,
which is possible in the general case; but in fact our netrc implementation
does not support it.  Fixing that issue will be an enhancement.
2013-09-17 20:30:02 -04:00
Antoine Pitrou 86d53cadda Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). 2013-05-18 17:56:42 +02:00
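Two of the commits above concern certificate name matching: CVE-2013-4238 (NUL bytes inside subjectAltName, #18709) and CVE-2013-2099 (denial of service through certificates with many wildcards). The block below is an added illustration of a matcher that checks both conditions before doing any matching; it is not ssl.match_hostname and deliberately omits IDNA, IP-address and CN fallback handling. The one-wildcard limit, the exception name and the match_outcome helper are this example's own choices, and the certificate names are constructed.

```python
MAX_WILDCARDS = 1


class CertificateError(ValueError):
    """Raised when a certificate name cannot be matched safely (example's own type)."""


def _check_name(dn, max_wildcards):
    # A NUL inside a dNSName is the CVE-2013-4238 problem: C string routines
    # stop at the NUL, so "www.good.example\x00.attacker.example" is reported
    # as its trusted prefix.  Refuse such names outright rather than truncating.
    if "\x00" in dn:
        raise CertificateError("NUL byte in certificate DNS name: %r" % dn)
    # Counting wildcards before matching is the CVE-2013-2099 defence: a
    # regex-based matcher can be made to backtrack for a very long time by a
    # leftmost label such as "*a*a*a*a*a*a*a*a*", so refuse more than one '*'.
    if dn.count("*") > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)


def dnsname_match(dn, hostname, max_wildcards=MAX_WILDCARDS):
    """Return True if certificate name `dn` matches `hostname` (RFC 6125 style)."""
    if not dn:
        return False
    _check_name(dn, max_wildcards)
    pat_labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(pat_labels) != len(host_labels):
        return False
    # Only the leftmost label may carry a wildcard; every other label is literal.
    for p, h in zip(pat_labels[1:], host_labels[1:]):
        if p != h:
            return False
    left, host_left = pat_labels[0], host_labels[0]
    if "*" not in left:
        return left == host_left
    head, _, tail = left.partition("*")
    # Compare the fixed prefix and suffix directly: linear time, no regex,
    # so a hostile pattern cannot make the match expensive.
    return (host_left != ""
            and len(host_left) >= len(head) + len(tail)
            and host_left.startswith(head)
            and host_left.endswith(tail))


def match_outcome(dn, hostname):
    """Classify a constructed certificate name: 'match', 'mismatch' or 'rejected'."""
    try:
        return "match" if dnsname_match(dn, hostname) else "mismatch"
    except CertificateError:
        return "rejected"


if __name__ == "__main__":
    # Constructed certificate names against a constructed peer hostname.
    for dn in ("*.example.com", "www.example.com", "*.example.org",
               "*a" * 20 + ".example.com",             # wildcard flood
               "www.example.com\x00.attacker.example"):  # embedded NUL
        print(repr(dn), "->", match_outcome(dn, "www.example.com"))
```

Both checks run before a single label is compared, so the cost of rejecting a hostile name does not depend on its shape; the wildcard flood and the NUL-bearing name both come back "rejected" rather than "match" or a long stall.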
Georg Brandl c502df4e3e Issue #17915: Fix interoperability of xml.sax with file objects returned by
codecs.open().
2013-05-12 11:41:12 +02:00
Georg Brandl 93b061bc3e Issue #1159051: Back out a fix for handling corrupted gzip files that
broke backwards compatibility.
2013-05-12 11:29:27 +02:00
Georg Brandl ba2f8be4c6 Issue #17843: Remove bz2 test data that triggers antivirus warnings. 2013-05-12 11:11:51 +02:00
Georg Brandl ce654f48aa Issue #15535: Fix pickling of named tuples. 2013-05-12 11:09:11 +02:00
Serhiy Storchaka a6df938fef Close #17666: Fix reading gzip files with an extra field. 2013-04-08 22:35:02 +03:00
Ezio Melotti 656c80809c Clean up references to threads in test_queue. 2013-03-23 23:35:06 +02:00
Gregory P. Smith a1ed539268 Fixes issue #17488: Change the subprocess.Popen bufsize parameter default value
from unbuffered (0) to buffering (-1) to match the behavior existing code
expects and match the behavior of the subprocess module in Python 2 to avoid
introducing hard to track down bugs.
2013-03-23 11:44:25 -07:00
Vinay Sajip 68b4cc87cd Issue #17521: Corrected non-enabling of logger following two calls to fileConfig(). 2013-03-23 11:18:45 +00:00
Vinay Sajip 3f885b5432 Issue #17508: Handled out-of-order handler configuration correctly. 2013-03-22 15:19:54 +00:00
R David Murray 03b0116c78 #5712: Preemptively fix some other possible timing issues. 2013-03-20 22:11:40 -04:00
R David Murray 853c0f9d60 #5713: fix timing issue in smtplib tests. 2013-03-20 21:54:05 -04:00
R David Murray d312c740f1 #5713: Handle 421 error codes during sendmail by closing the socket.
This is a partial fix to the issue of servers disconnecting unexpectedly; in
this case the 421 says they are disconnecting, so we close the socket and
return the 421 in the appropriate error context.

Original patch by Mark Sapiro, updated by Kushal Das, with additional
tests by me.
2013-03-20 20:36:14 -04:00
Ezio Melotti 958f7ae865 #17493: re-enable a test on Windows. Patch by Zachary Ware. 2013-03-20 18:14:48 +02:00
Senthil Kumaran 2a4d24510a #17471 - Increasing the urllib.error test coverage. Bringing it to 100%. Based on patch contributed by Daniel Wozniak 2013-03-19 16:11:07 -07:00
Senthil Kumaran 843fae9312 #17471 - Improve urllib2 test coverage. Patch contributed by Daniel Wozniak 2013-03-19 13:43:42 -07:00
R David Murray 9929bc543a #17476: make allmethods actually return all methods.
This fixes a regression relative to Python2.  (In 2, methods on a class were
unbound methods and matched the inspect queries being done, in 3 they are just
functions and so were missed).

This is an undocumented function that pydoc itself does not use, but
I found that numpy at least uses it in its documentation generator.

Original patch by Matt Bachmann.
2013-03-19 02:31:06 -04:00
R David Murray a846f5ace8 #17448: Make test_sax skip if there are no xml parsers.
Patch by Rafael Santos.
2013-03-18 00:18:12 -04:00
Ezio Melotti c28f6fa505 #11420: make test suite pass with -B/DONTWRITEBYTECODE set. Initial patch by Thomas Wouters. 2013-03-16 19:48:51 +02:00
Terry Jan Reedy 743c85a32e Issue #10652: make tcl/tk tests run after __all__ test, patch by Zachary Ware. 2013-03-16 02:37:06 -04:00
Ezio Melotti a7d64a6f4c #17368: Fix an off-by-one error in the Python JSON decoder that caused a failure while decoding empty object literals when object_pairs_hook was specified. 2013-03-13 01:52:34 +02:00
Terry Jan Reedy c30b7b16ea Issue #17047: remove doubled words found in 2.7 to 3.4 Lib/*,
as reported by Serhiy Storchaka and Matthew Barnett.
2013-03-11 17:57:08 -04:00
Ezio Melotti 42a541bd49 #11963: remove human verification from test_parser and test_subprocess. 2013-03-11 05:53:34 +02:00
Ezio Melotti e7c329954c #11963: fix Windows buildbots. 2013-03-10 03:25:45 +02:00
Ezio Melotti 3919184014 #11963: avoid printing messages in test_parser. Initial patch by Éric Araujo. 2013-03-09 22:17:33 +02:00
Ezio Melotti 1f38621a33 #11732: add a new suppress_crash_popup() context manager to test.support that disables crash popups on Windows and use it in test_ctypes. 2013-03-07 18:44:29 +02:00
Antoine Pitrou 44d5214927 Issue #17278: Fix a crash in heapq.heappush() and heapq.heappop() when the list is being resized concurrently. 2013-03-04 20:30:01 +01:00