ada/cpython
0
0
Fork 0
mirror of https://github.com/AdaCore/cpython.git synced 2026-02-12 12:57:15 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e052d40cea15f582b50947f7d906b39744dc62a2
cpython/Lib
History
Benjamin Peterson e052d40cea [2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955) 
* Prevent low-grade poplib REDOS (CVE-2018-1060)

The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.

Replace it with a similar non-vulnerable regex.

The new regex is RFC compliant.
The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.

Replace it with an equivalent non-vulnerable regex.

Also introduce unit and REDOS tests for difflib.

Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee235)
2018-03-03 22:18:17 -08:00
..
bsddb
test_bsddb3 tolerates smaller timeout on Windows (#2840)
2017-07-24 13:01:59 +02:00
compiler
Issue #28998: More APIs now support longs as well as ints.
2016-12-27 15:09:36 +02:00
ctypes
Fix py3k warnings in 1/0 in tests. (#4072)
2017-10-22 12:15:41 +03:00
curses
Issue #13051: Fixed recursion errors in large or resized curses.textpad.Textbox.
2016-12-28 10:16:06 +02:00
distutils
[2.7] bpo-21060 Improve error message for "setup.py upload" without dist files (GH-5726).
2018-02-18 19:56:06 -08:00
email
bpo-30109: Fix reindent.py for non-ASCII files. (#5637)
2018-02-12 20:16:42 +02:00
encodings
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
ensurepip
[2.7] bpo-31351: Set return code in ensurepip when pip fails (GH-3734)
2017-09-25 11:03:24 +10:00
hotshot
Issue #27171: Fix typos in documentation, code comments, and tests
2016-06-02 10:35:44 +00:00
idlelib
[2.7] bpo-27425: Be more explicit in .gitattributes (GH-840) (GH-2086)
2017-06-11 14:19:39 -05:00
importlib
json
Fix py3k warnings in 1/0 in tests. (#4072)
2017-10-22 12:15:41 +03:00
lib2to3
[2.7] remove unused import (GH-5040). (#5043)
2017-12-28 23:38:55 -08:00
lib-tk
bpo-30855: Fix winfo_id related Tkinter test on Windows. (#4121)
2017-10-26 00:28:02 +03:00
logging
[2.7] bpo-21149: Workaround a GC finalization bug in logging. (#4368)
2017-11-11 14:48:49 -08:00
msilib
Issue #25523: Correct "a" article to "an" article
2015-11-02 03:37:02 +00:00
multiprocessing
bpo-31019: Fix multiprocessing.Process.is_alive() (#2875) (#2882)
2017-07-26 17:54:42 +02:00
plat-aix3
plat-aix4
plat-atheos
plat-beos5
plat-darwin
plat-freebsd4
plat-freebsd5
plat-freebsd6
plat-freebsd7
plat-freebsd8
plat-generic
- Issue #17086: Backport the patches from the 3.3 branch to cross-build
2013-01-31 23:52:03 +01:00
plat-irix5
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
plat-irix6
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
plat-linux2
plat-mac
English spelling and grammar fixes
2016-07-11 07:51:37 +00:00
plat-netbsd1
plat-next3
plat-os2emx
plat-riscos
plat-sunos5
plat-unixware7
pydoc_data
update pydoc topics
2017-08-26 11:17:02 -07:00
site-packages
sqlite3
bpo-31764: Prevent a crash in sqlite3.Cursor.close() in case the Cursor object is uninitialized (GH-4333)
2017-11-08 01:57:02 -08:00
test
[2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
2018-03-03 22:18:17 -08:00
unittest
Update TestCase.assertAlmostEqual and assertNotAlmostEqual docstrings. (GH-3998) (GH-4040)
2017-10-18 10:30:05 -07:00
wsgiref
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
xml
bpo-30365: Backport warnings and fix bugs in ElementTree. (#1581)
2017-05-17 10:08:11 +03:00
__future__.py
#14494: Document that absolute imports became default in 3.0 instead of 2.7.
2012-05-19 18:36:04 +03:00
__phello__.foo.py
_abcoll.py
Issue #24286: Register dict views with the MappingView ABCs.
2015-05-26 01:35:54 -07:00
_LWPCookieJar.py
Fix typos in comments, documentation and test method names
2016-05-08 13:18:25 +00:00
_MozillaCookieJar.py
update url to spec (closes #20018)
2013-12-18 15:36:34 -06:00
_osx_support.py
Issue #27171: Fix typos in documentation, code comments, and tests
2016-06-02 10:35:44 +00:00
_pyio.py
Issue #20699: Document that “io” methods should accept memoryview
2016-06-03 05:59:20 +00:00
_strptime.py
[2.7] bpo-30363: Backport warnings in the re module. (#1577)
2017-05-18 12:34:40 +03:00
_threading_local.py
Delete a broken threading.local example (GH-5870)
2018-02-25 07:34:46 -08:00
_weakrefset.py
Issue #20006: Fix sporadic failures in test_weakset.
2013-12-18 00:28:36 +01:00
abc.py
aifc.py
[2.7] bpo-31848: Fix broken error handling in Aifc_read.initfp() when the SSND chunk is not found (GH-5240) (GH-5781)
2018-02-21 08:37:18 +02:00
antigravity.py
anydbm.py
argparse.py
#9351: set_defaults on subparser is no longer ignored if set on parent.
2014-10-17 20:07:08 -04:00
ast.py
asynchat.py
Issue #28998: More APIs now support longs as well as ints.
2016-12-27 15:09:36 +02:00
asyncore.py
bpo-30980: Fix double close in asyncore.file_wrapper (#2789) (#2900)
2017-07-27 01:24:52 +02:00
atexit.py
audiodev.py
base64.py
Issue #22088: Clarify base-64 alphabets and which characters are discarded
2016-02-23 22:30:50 +00:00
BaseHTTPServer.py
Issue #25738: Don’t send message body for 205 Reset Content
2016-06-08 07:16:14 +00:00
Bastion.py
bdb.py
Have Bdb frame_returning in the finally clause
2012-05-01 10:46:59 +08:00
binhex.py
Issue #23865: close() methods in multiple modules now are idempotent and more
2015-04-10 13:24:10 +03:00
bisect.py
calendar.py
Issue #28253: Fixed calendar functions for extreme months: 0001-01 and 9999-12.
2016-09-27 22:45:20 -04:00
cgi.py
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
CGIHTTPServer.py
Issue #24657: Prevent CGIRequestHandler from collapsing the URL query
2015-10-03 05:55:46 +00:00
cgitb.py
#12890: don't emit <p> tags in text mode when logdir specified.
2012-10-27 14:42:36 -04:00
chunk.py
Issue #25523: Correct "a" article to "an" article
2015-11-02 03:37:02 +00:00
cmd.py
Issue 15337: help() shown as undocumented
2012-07-16 00:11:05 -07:00
code.py
codecs.py
bpo-32110: codecs.StreamReader.read(n) now returns not more than n (GH-4499) (#4623)
2017-11-29 02:15:43 +02:00
codeop.py
collections.py
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
colorsys.py
commands.py
compileall.py
Clarify compileall command-line options (#10454).
2011-09-01 20:04:50 +02:00
ConfigParser.py
Fixes #4686. Reverts redundant picklability code from r74544.
2012-01-23 17:30:53 +01:00
contextlib.py
Cookie.py
Issue #27171: Fix typos in documentation, code comments, and tests
2016-06-02 10:35:44 +00:00
cookielib.py
[port to 2.7] - Issue #27466: Change time format returned by
2016-07-10 08:34:21 -07:00
copy_reg.py
[2.7] bpo-31107: Fix copyreg mangled slot names calculation. (GH-2989). (#3004)
2017-08-05 18:03:01 +03:00
copy.py
Issue #25718: Fixed copying object with state with boolean value is false.
2015-11-30 17:20:02 +02:00
cProfile.py
csv.py
[2.7] bpo-30157: Fix csv.Sniffer.sniff() regex pattern. (GH-5601) (GH-5604)
2018-02-10 00:02:04 +02:00
dbhash.py
decimal.py
Issue #27720: Fix error in eng_to_decimal docs and add examples from the specification.
2016-08-13 11:10:23 -07:00
difflib.py
[2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
2018-03-03 22:18:17 -08:00
dircache.py
dis.py
doctest.py
Issue #27895: Spelling fixes (Contributed by Ville Skyttä).
2016-09-07 12:03:06 +00:00
DocXMLRPCServer.py
dumbdbm.py
Issue #28847: dubmdbm no longer writes the index file in when it is not
2016-12-02 07:58:42 +02:00
dummy_thread.py
dummy_threading.py
filecmp.py
Issue 16584: in filecomp._cmp, catch IOError as well as os.error.
2013-05-08 23:42:41 -04:00
fileinput.py
Issue #15068: Avoid creating a reference loop in fileinput.
2016-03-08 23:34:28 +02:00
fnmatch.py
Issue #23191: fnmatch functions that use caching are now threadsafe.
2015-01-27 11:40:51 +02:00
formatter.py
fpformat.py
fractions.py
ftplib.py
[2.7] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2894)
2017-07-26 17:50:36 +02:00
functools.py
bpo-25732: Make functools.total_ordering implementing __ne__. (#3748)
2017-09-25 14:41:34 +03:00
genericpath.py
Issue #21840: Fixed expanding unicode variables of form $var in
2015-02-13 12:02:05 +02:00
getopt.py
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
getpass.py
gettext.py
Issue #28563: Make plural form selection more lenient and accepting
2016-11-14 19:25:44 +02:00
glob.py
Issue #17923: glob() patterns ending with a slash no longer match non-dirs on
2014-08-12 12:54:55 +03:00
gzip.py
Fix spelling (inital), grammar (may translates) in documentation, comments
2016-04-19 04:03:41 +00:00
hashlib.py
Removed duplicated words in in comments and docs.
2014-12-01 18:16:30 +02:00
heapq.py
Correct “an” → “a” with “Unicode”, “user”, “UTF”, etc
2016-04-15 02:14:19 +00:00
hmac.py
backport hmac.compare_digest to partially implement PEP 466 (closes #21306)
2014-05-11 16:11:44 -07:00
htmlentitydefs.py
Issue #23181: More "codepoint" -> "code point".
2015-01-18 11:42:50 +02:00
htmllib.py
HTMLParser.py
bpo-30011: Fixed race condition in HTMLParser.unescape(). (#1140)
2017-04-15 18:35:46 +03:00
httplib.py
Issue #24363: Continue parsing HTTP header in spite of invalid lines
2016-09-16 02:54:11 +00:00
ihooks.py
imaplib.py
bpo-30329: Catch Windows error 10022 on shutdown() (#1538) (#1624)
2017-05-16 17:38:30 -07:00
imghdr.py
Issue #20331: Fixed possible FD leaks in various modules:
2014-01-25 19:42:27 +02:00
imputil.py
inspect.py
Issue #29354: Fixed inspect.getargs() for parameters which are cell
2017-02-01 22:53:03 +02:00
io.py
Issue #25523: Correct "a" article to "an" article
2015-11-02 03:37:02 +00:00
keyword.py
Fix instructions on how to rebuild some modules
2012-02-26 01:26:09 +01:00
linecache.py
Issue #23838: linecache now clears the cache and returns an empty result on
2015-04-01 16:53:53 +03:00
locale.py
bpo-30409: locale.getpreferredencoding doesn't return result (#1672)
2017-05-20 18:44:02 -07:00
macpath.py
Issue #21840: Fixed expanding unicode variables of form $var in
2015-02-13 12:02:05 +02:00
macurl2path.py
Increase macurl2path test coverage
2013-10-23 21:45:58 -07:00
mailbox.py
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
mailcap.py
Issue #20331: Fixed possible FD leaks in various modules:
2014-01-25 19:42:27 +02:00
markupbase.py
#13576: add tests about the handling of (possibly broken) condcoms.
2011-12-19 07:28:08 +02:00
md5.py
mhlib.py
Issue #7759: Fixed the mhlib module on filesystems that doesn't support
2015-11-11 17:33:12 +02:00
mimetools.py
mimetypes.py
[2.7] bpo-30824: Add mimetype for .json (GH-3048) (#3394)
2017-09-06 18:31:36 -04:00
MimeWriter.py
mimify.py
modulefinder.py
Remove PEP 291 compatibility requirements for ctypes and modulefinder
2016-05-14 07:25:37 +00:00
multifile.py
mutex.py
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
netrc.py
bpo-30806: Fix netrc.__repr__() format (GH-2491)
2017-12-10 15:09:58 +09:00
new.py
nntplib.py
2.6 merge
2013-10-01 11:39:08 -04:00
ntpath.py
Correct “an” → “a” with “Unicode”, “user”, “UTF”, etc
2016-04-15 02:14:19 +00:00
nturl2path.py
Issue21160: Correct comments in nturl2path. Patch by Jurko Gospodnetić.
2015-10-24 17:39:36 +03:00
numbers.py
Update docstring with more useful text (from the PEP)
2012-02-26 01:37:47 +01:00
opcode.py
optparse.py
Fix spelling (inital), grammar (may translates) in documentation, comments
2016-04-19 04:03:41 +00:00
os2emxpath.py
Correct “an” → “a” with “Unicode”, “user”, “UTF”, etc
2016-04-15 02:14:19 +00:00
os.py
remove useless word (closes #23929)
2015-04-13 20:24:10 -04:00
pdb.doc
Issue #27171: Fix typos in documentation, code comments, and tests
2016-06-02 10:35:44 +00:00
pdb.py
Issue #16180: Exit pdb if file has syntax error, instead of trapping user
2015-09-05 19:13:17 -04:00
pickle.py
Issue #892902: Fixed pickling recursive objects.
2015-11-07 11:15:32 +02:00
pickletools.py
Issue #28998: More APIs now support longs as well as ints.
2016-12-27 15:09:36 +02:00
pipes.py
Remove obsolete comment
2011-09-01 22:06:49 +02:00
pkgutil.py
bpo-31681: Make sure pkgutil.get_data closes files properly (#3875)
2017-10-09 10:55:54 -04:00
platform.py
Issue #26513: Use winver.product_type instead of .product
2016-09-21 09:10:21 -07:00
plistlib.py
Ensure that plistlib doesn't corrupt deeply nested datastructures
2013-04-23 13:47:06 +02:00
popen2.py
poplib.py
[2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
2018-03-03 22:18:17 -08:00
posixfile.py
posixpath.py
# 2466: ismount now recognizes mount points user can't access.
2016-08-23 12:30:28 -04:00
pprint.py
Issue #19137: The pprint module now correctly formats empty set and frozenset
2013-10-02 11:40:26 +03:00
profile.py
pstats.py
Issue #27076: Doc, comment and test function name spelling fixes
2016-05-26 05:28:50 +00:00
pty.py
Issue #2489: Fix bug in _copy loop that could consume 100% cpu on EOF.
2012-02-16 00:40:03 -08:00
py_compile.py
Issue #23811: Add missing newline to the PyCompileError error message.
2015-04-14 19:03:06 +03:00
pyclbr.py
#14798: pyclbr now raises ImportError instead of KeyError for missing packages
2012-05-18 21:54:25 +03:00
pydoc.py
#16484: Change PYTHONDOCS to "https:", and fix links to use lowercase
2016-06-12 05:25:16 +00:00
Queue.py
Issue #18676: Change 'positive' to 'non-negative' in queue.py put and get
2013-08-10 18:17:01 -04:00
quopri.py
random.py
Issue #29023: Clarify that ints and longs are always deterministic seeds for random.
2017-01-06 16:13:37 -08:00
re.py
backout fac649bf2d10 (#9179) for further consideration
2014-11-30 11:47:54 -05:00
repr.py
rexec.py
rfc822.py
Issue #27125: Fix various errors like “will [be] inherited”
2016-05-29 08:13:58 +00:00
rlcompleter.py
Issue #25663: Make rlcompleter avoid duplicate global names
2015-11-23 23:50:26 +00:00
robotparser.py
Fix typos in comments, documentation and test method names
2016-05-08 13:18:25 +00:00
runpy.py
Issue #14285: Do not catch ImportError from __init__.py in runpy
2015-12-03 01:23:10 +00:00
sched.py
Remove duplication.
2011-10-19 10:39:35 +03:00
sets.py
sgmllib.py
sha.py
shelve.py
Issue #23865: close() methods in multiple modules now are idempotent and more
2015-04-10 13:24:10 +03:00
shlex.py
Issue #21999: Handled empty strings correctly when in POSIX mode.
2016-08-09 14:57:03 +01:00
shutil.py
Issue #14061: Misc fixes and cleanups in archiving code in shutil.
2016-12-16 19:04:17 +02:00
SimpleHTTPServer.py
Issue #26657: Fix SimpleHTTPServer Windows directory traversal vulnerability
2016-04-18 03:45:18 +00:00
SimpleXMLRPCServer.py
English spelling and grammar fixes
2016-07-11 07:51:37 +00:00
site.py
Issue #28440: No longer add /Library/Python/site-packages, the Apple-supplied
2016-12-03 02:14:09 -05:00
smtpd.py
Issue #9168: now smtpd is able to bind privileged port.
2011-10-20 23:21:58 +02:00
smtplib.py
bpo-30394: Fix a socket leak in smtplib.SMTP.__init__() (#1700) (#1788)
2017-05-25 02:24:27 +08:00
sndhdr.py
socket.py
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
SocketServer.py
Issue #26778: Fixed "a/an/and" typos in code comment and documentation.
2016-04-17 09:37:36 +03:00
sre_compile.py
[2.7] bpo-30363: Backport warnings in the re module. (#1577)
2017-05-18 12:34:40 +03:00
sre_constants.py
Issue #18050: Fixed an incompatibility of the re module with Python 2.7.3
2013-09-20 21:25:53 +03:00
sre_parse.py
[2.7] bpo-30375: Correct the stacklevel of regex compiling warnings. (#1595) (#1648)
2017-05-18 13:46:17 +03:00
sre.py
ssl.py
[2.7] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 (GH-1363) (#3446)
2017-09-07 22:31:17 -07:00
stat.py
statvfs.py
string.py
Issue #23671: string.Template now allows to specify the "self" parameter as
2015-03-24 22:27:50 +02:00
StringIO.py
Issue #11311: StringIO.readline(0) now returns an empty string as all other
2013-02-13 12:26:58 +02:00
stringold.py
stringprep.py
struct.py
subprocess.py
bpo-27448: Work around a gc.disable race condition in subprocess. (#1932)
2017-09-05 11:20:02 -07:00
sunau.py
Silence deprecation warning in sunau.py
2014-01-29 00:15:59 -05:00
sunaudio.py
symbol.py
Fix instructions on how to rebuild some modules
2012-02-26 01:26:09 +01:00
symtable.py
just return toplevel symbol table rather than all blocks (closes #19393)
2013-10-26 13:13:51 -04:00
sysconfig.py
bpo-30342: Fix sysconfig.is_python_build() on VS9.0 (#1544)
2017-05-12 11:31:08 +02:00
tabnanny.py
fix function name in tabnanny documentation (GH-764)
2017-03-22 15:22:44 +08:00
tarfile.py
Issue #28449: tarfile.open() with mode "r" or "r:" now tries to open a tar
2016-10-30 20:52:55 +02:00
telnetlib.py
bpo-18035: telnetlib: select.error doesn't have an errno attribute (#5044)
2017-12-29 12:44:04 -08:00
tempfile.py
Issue #26385: Cleanup NamedTemporaryFile if fdopen() fails, by SilentGhost
2016-02-29 00:31:38 +00:00
textwrap.py
Issue #21827: Fixed textwrap.dedent() for the case when largest common
2015-10-28 21:39:36 +02:00
this.py
threading.py
use the with statement for locking the internal condition (closes #25362)
2015-10-10 19:34:46 -07:00
timeit.py
Issue #5633: Fixed timeit when the statement is a string and the setup is not.
2015-05-30 19:37:19 +03:00
toaiff.py
token.py
Issue #19936: Added executable bits or shebang lines to Python scripts which
2014-01-16 18:59:17 +02:00
tokenize.py
Issue #20387: Backport fix from Python 3.4
2015-06-28 13:05:19 -04:00
trace.py
Issue #19936: Added executable bits or shebang lines to Python scripts which
2014-01-16 18:59:17 +02:00
traceback.py
Issue #17825: Cursor ^ is correctly positioned for SyntaxError and IndentationError.
2014-01-22 01:33:59 +01:00
tty.py
types.py
Issue #23504: Added an __all__ to the types module.
2015-03-04 09:42:59 +02:00
urllib2.py
Issue #14132: Fix redirect handling when target is just a query string
2016-05-16 01:07:13 +00:00
urllib.py
bpo-30500: urllib: Simplify splithost by calling into urlparse. (#1849) (#2294)
2017-06-20 16:20:36 +02:00
urlparse.py
Issue #20270: urllib and urlparse now support empty ports.
2014-01-18 18:30:09 +02:00
user.py
UserDict.py
Issue #22609: Constructor and the update method of collections.UserDict now
2015-09-29 23:33:03 +03:00
UserList.py
UserString.py
uu.py
uuid.py
[2.7] bpo-9678: Fix determining the MAC address in the uuid module. (GH-4264) (#4270)
2017-11-04 10:23:09 +02:00
warnings.py
Simplify code in warnings modules (#1957)
2017-06-05 09:13:50 -04:00
wave.py
Issue #28515: Fixed py3k warnings.
2016-10-25 09:51:38 +03:00
weakref.py
bpo-29519: weakref spewing exceptions during interp finalization (#2958)
2017-07-31 10:52:46 -07:00
webbrowser.py
Issue #24452: Make webbrowser support Chrome on Mac OS X (backport to 2.7)
2016-10-13 13:29:55 -07:00
whichdb.py
Close #13007: whichdb should recognize gdbm 1.9 magic numbers
2011-09-19 16:57:18 +02:00
wsgiref.egg-info
xdrlib.py
Issue #11694: Raise ConversionError in xdrlib as documented
2014-10-10 21:11:34 +03:00
xmllib.py
xmlrpclib.py
Issue #25523: Correct "a" article to "an" article
2015-11-02 03:37:02 +00:00
zipfile.py
Revert "Issue #29094: Offsets in a ZIP file created with extern file object and modes" (#1467)
2017-05-04 23:54:43 -07:00