
gh-87389: Fix an open redirection vulnerability in http.server. #93879

Merged
merged 7 commits into from Jun 21, 2022

Conversation

gpshead
Member

@gpshead gpshead commented Jun 15, 2022

Fix an open redirection vulnerability in the http.server module when
a URI path starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan (@hamzaavvan).

Test authored and secondary mitigation by Gregory P. Smith [Google].

This PR takes over and replaces #24848.

Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//`.  Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.

Test authored and secondary mitigation by Gregory P. Smith [Google].
@gpshead gpshead added type-bug An unexpected behavior, bug, or error type-security A security issue labels Jun 15, 2022
@gpshead gpshead added needs backport to 3.7 needs backport to 3.8 only security fixes needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 bug and security fixes stdlib Python modules in the Lib dir labels Jun 15, 2022
Member

@orsenthil orsenthil left a comment


LGTM.

@nascheme
Member

I'm not sure this is the exact right fix. It seems that self.path is the path provided by the client, from the HTTP request first line. That can be an ugly thing with double slashes, relative components, etc. It also includes an optional query string and fragment.

We convert self.path into a local file system path sometimes, by using self.translate_path(). That function looks a bit dubious in that it silently ignores path components that are not directories. That's probably out of scope for this issue. AFAICT, self.path is always cleaned up before being used as a local path. So sanitizing self.path does not seem correct to me since it should retain the value from the request header first line.

Maybe the problem is actually in urllib.parse.urlunsplit(). It allows path to start with a double-slash but that leads to a URL that doesn't parse correctly. E.g.

>>> import urllib.parse
>>> urllib.parse.urlunsplit(('', '', '//foo', '', ''))
'//foo'
>>> urllib.parse.urlsplit('//foo')
SplitResult(scheme='', netloc='foo', path='', query='', fragment='')

We expect an empty 'netloc' and scheme. If urlunsplit() removed the extra slashes at the start of the path, I think that would fix the bug. It would have the benefit of fixing other code that uses urlunsplit() and sometimes passes paths with double-slash leading paths.

@nascheme
Member

Hmm, I still suspect that changing urlunsplit() could be the correct fix but it looks scary to make changes there. There must be external code that depends on the path argument being treated as a relative reference (i.e. starts with double-slash). The fact that the value is called url in the function code suggests that people will pass a relative URI as the path argument:

def urlunsplit(components):
    """Combine the elements of a tuple as returned by urlsplit() into a
    complete URL as a string. The data argument can be any five-item iterable.
    This may result in a slightly different, but equivalent URL, if the URL that
    was parsed originally had unnecessary delimiters (for example, a ? with an
    empty query; the RFC states that these are equivalent)."""
    scheme, netloc, url, query, fragment, _coerce_result = (
                                          _coerce_args(*components))
    if netloc or (scheme and scheme in uses_netloc and url[:2] != '//'):
        if url and url[:1] != '/': url = '/' + url
        url = '//' + (netloc or '') + url
    if scheme:
        url = scheme + ':' + url
    if query:
        url = url + '?' + query
    if fragment:
        url = url + '#' + fragment
    return _coerce_result(url)

I think a more minimal fix would be to strip the extra slashes for the data passed to urlunparse(), within the send_head() function. That should be enough to fix this specific bug. I suspect that urlunparse() is being misused (or is misbehaving) in the wild in that it treats the path argument as a URL if it starts with a double slash.

@nascheme
Member

I created a WIP PR with my alternative approach: #93894 . Still needs a little cleanup yet. The change to urlunparse needs more consideration. If we want a quick fix before release, I think this PR seems okay.

@gpshead
Member Author

gpshead commented Jun 16, 2022

If we want a quick fix before release, I think this PR seems okay.

FWIW there is no need to rush this. Let's spend time to get it right. The issue can become deferred blocker and unblock the release. It isn't a showstopper, it's just an old security issue that has been hanging around for a year without enough action.

make the base urls, attack urls, and expected_location more clear in the
test.  Adds an additional test for a triple-slash path to ensure we're
not only treating double slashes as special.
Member

@vstinner vstinner left a comment


LGTM.

While it's good to fix security issues, I would like to repeat the http.server warning in its documentation ;-)

Warning: http.server is not recommended for production. It only implements basic security checks.

@gpshead
Member Author

gpshead commented Jun 16, 2022

I think a more minimal fix would be to strip the extra slashes for the data passed to urlunsplit()

As a gut feeling, we might want your modification to urlunsplit() regardless of this fix going in. I wonder what that might break? It means a round trip urlunsplit(urlsplit('https://netloc///path')) now tackles the leading /s in the middle. Good for this purpose, possibly bad if someone were depending on using it to construct a url with multiple /s in the middle? do we care?

self.path in BaseHTTPRequestHandler is merely the second word from an http request command. That can be a full scheme://netloc/path URI, not just a path. The current code doesn't catch that. The urlunsplit() fix approach would.
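
The two comments above (nascheme's, on how urlunsplit() passes a path beginning with `//` straight through so that the result re-parses with a netloc, and gpshead's, that self.path may be a full URI rather than a path) can be illustrated with a small model. The code below is an added example, not CPython's http.server and not the PR's patch: `redirect_location_naive()` reproduces the shape of the redirect construction the thread discusses (split the request target, append `/`, reassemble everything), and `redirect_location_hardened()` shows a defensive construction that collapses a leading run of slashes and then rebuilds the Location from path and query only, so neither a `//host/...` nor an absolute `scheme://host/...` request target can become the redirect's authority. Function names and the sample targets are my own.

```python
from urllib.parse import urlsplit, urlunsplit


def redirect_location_naive(request_target):
    """Model of the pattern discussed in the thread (not the stdlib code):
    split the request target, add the trailing slash, reassemble everything.
    Whatever urlsplit() put into scheme/netloc survives the round trip."""
    parts = urlsplit(request_target)
    if parts.path.endswith("/"):
        return None  # already a directory URL; no redirect needed
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                       parts.query, parts.fragment))


def collapse_leading_slashes(request_target):
    """Reduce a leading run of '/' to a single '/', so the request target
    can no longer be read as a scheme-relative '//authority/...' reference."""
    if request_target.startswith("//"):
        return "/" + request_target.lstrip("/")
    return request_target


def redirect_location_hardened(request_target):
    """Defensive construction: normalise the leading slashes first, then
    keep only path and query when rebuilding, dropping any scheme or
    authority present in an absolute-form request target."""
    parts = urlsplit(collapse_leading_slashes(request_target))
    path = parts.path or "/"
    if path.endswith("/"):
        return None
    return urlunsplit(("", "", path + "/", parts.query, ""))


def location_is_same_origin(location):
    """True when a Location value has neither scheme nor netloc, i.e. the
    client resolves it against the host it is already talking to."""
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    # Sample request targets constructed for this demonstration.
    for target in ("/foo", "//foo", "///foo", "//foo?x=1",
                   "http://other.example/dir"):
        naive = redirect_location_naive(target)
        hardened = redirect_location_hardened(target)
        print(f"{target!r:28} naive={naive!r:30} "
              f"same-origin={location_is_same_origin(naive or '/')!s:5} "
              f"hardened={hardened!r}")
```

Running it shows the asymmetry nascheme points out: `urlsplit('//foo')` yields netloc `foo` and an empty path, and `urlunsplit()` faithfully rebuilds `//foo/`, which a client treats as a different host. The hardened variant makes the same-origin property hold by construction rather than by inspecting the output afterwards.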

@bedevere-bot bedevere-bot removed the needs backport to 3.10 only security fixes label Jun 21, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 21, 2022
…pythonGH-93879)

Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-bot

GH-94093 is a backport of this pull request to the 3.9 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.9 only security fixes label Jun 21, 2022
@bedevere-bot

GH-94094 is a backport of this pull request to the 3.8 branch.

@bedevere-bot bedevere-bot removed the needs backport to 3.8 only security fixes label Jun 21, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 21, 2022
…pythonGH-93879)
@bedevere-bot

GH-94095 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit that referenced this pull request Jun 21, 2022
…3879)
miss-islington added a commit that referenced this pull request Jun 21, 2022
…3879)
ambv pushed a commit that referenced this pull request Jun 22, 2022
…3879) (GH-94093)
ambv pushed a commit that referenced this pull request Jun 22, 2022
…3879) (GH-94094)
ned-deily pushed a commit that referenced this pull request Jun 22, 2022
…3879) (GH-94095)
serhiy-storchaka added a commit that referenced this pull request Jun 26, 2022
* GH-93444: remove redundant fields from basicblock: b_nofallthrough, b_exit, b_return (GH-93445)

* netrc: Remove unused "import shlex" (#93311)

* gh-92886: Fix test that fails when running with `-O` in `test_imaplib.py` (#93237)

* Fix missing word in sys.float_info docstring (GH-93489)

* [doc] Correct a grammatical error in a docstring. (GH-93441)

* gh-93442: Make C++ version of _Py_CAST work with 0/NULL. (#93500)

Add C++ overloads for _Py_CAST_impl() to handle 0/NULL.  This will allow
C++ extensions that pass 0 or NULL to macros using _Py_CAST() to
continue to compile.  Without this, you get an error like:

    invalid ‘static_cast’ from type ‘int’ to type ‘_object*’

The modern way to use a NULL value in C++ is to use nullptr.  However,
we want to not break extensions that do things the old way.

Co-authored-by: serge-sans-paille

* gh-93442: Add test for _Py_CAST(nullptr). (gh-93505)

* gh-90473: wasmtime does not support absolute symlinks (GH-93490)

* gh-89973: Fix re.error in the fnmatch module. (GH-93072)

Character ranges with upper bound less that lower bound (e.g. [c-a])
are now interpreted as empty ranges, for compatibility with other glob
pattern implementations. Previously it was re.error.

* Document LOAD_FAST_CHECK opcode (#93498)

* gh-93247: Fix assert function in asyncio locks test (#93248)

* gh-90473: WASI requires proper open(2) flags (GH-93529)

* GH-92308 What's New: list pending removals in 3.13 and future versions (#92562)

* gh-90473: Skip POSIX tests that don't apply to WASI (GH-93536)

* asyncio.Barrier docs: Fix typo (#93371)

taks -> tasks

* gh-83728: Add hmac.new default parameter deprecation (GH-91939)

* gh-90473: Make chmod a dummy on WASI, skip chmod tests (GH-93534)

WASI does not have the ``chmod(2)`` syscall yet.

* Remove action=None kwarg from Barrier docs (GH-93538)

* [docs] fix some asyncio.Barrier.wait docs grammar (GH-93552)

* gh-93475: Expose FICLONE and FICLONERANGE constants in fcntl (#93478)

* gh-89018: Improve documentation of `sqlite3` exceptions (#27645)

- Order exceptions as in PEP 249
- Reword descriptions, so they match the current behaviour

Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>

* bpo-42658: Use LCMapStringEx in ntpath.normcase to match OS behaviour for case-folding (GH-32010)

* Fix contributor name in WhatsNew 3.11 (GH-93556)

* Grammar fix to socket error string (GH-93523)

* gh-86986: bump min sphinx version to 3.2 (GH-93337)

* gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463)

Note: This change is not effective on Microsoft Windows.

Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creator of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a way to circumvent the filesystem permissions.

This change is backwards incompatible. Systems that rely on world-readable
cookies will break. However, one could argue that those are misconfigured in
the first place.

* gh-93162: Add ability to configure QueueHandler/QueueListener together (GH-93269)

Also, provide getHandlerByName() and getHandlerNames() APIs.

Closes #93162.

* gh-57539: Increase calendar test coverage (GH-93468)

Co-authored-by: Sean Fleming
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* gh-88831: In docs for asyncio.create_task, explain why strong references to tasks are needed (GH-93258)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* Shrink the LOAD_METHOD cache by one codeunit. (#93537)

* Fix MSVC compiler warnings in ceval.c (#93569)

* gh-93162: test_config_queue_handler requires threading (GH-93572)

* gh-84461: Emscripten's faccessat() does not accept flags (GHß92353)

* gh-92592: Allow logging filters to return a LogRecord. (GH-92591)

* Fix `PurePath.relative_to` links in the pathlib documentation. (GH-93268)

These are currently broken as they refer to :meth:`Path.relative_to` rather than :meth:`PurePath.relative_to`, and `relative_to` is a method on `PurePath`.

* GH-93481: Suppress expected deprecation warning in test_pyclbr (GH-93483)

* gh-93370: Deprecate sqlite3.version and sqlite3.version_info (#93482)

Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>

* GH-93521: For dataclasses, filter out `__weakref__` slot if present in bases (GH-93535)

* gh-93421: Update sqlite3 cursor.rowcount only after SQLITE_DONE (#93526)

* gh-93584: Make all install+tests targets depends on all (GH-93589)

All install targets use the "all" target as synchronization point to
prevent race conditions with PGO builds. PGO builds use recursive make,
which can lead to two parallel `./python setup.py build` processes that
step on each other's toes.

"test" targets now correctly compile PGO build in a clean repo.

* gh-87961: Remove outdated notes from functions that aren't in the Limited API (GH-93581)

* Remove outdated notes from functions that aren't in the Limited API

Nowadays everything that *is* in the Limited API has a note added
automatically.
These notes could mislead people to think that these functions
could never be added to the limited API. Remove them.

* Also remove forgotten note on tp_vectorcall_offset not being finalized

* gh-93180: Update os.copy_file_range() documentation (#93182)

* gh-93575: Use correct way to calculate PyUnicode struct sizes (GH-93602)

* gh-93575: Use correct way to calculate PyUnicode struct sizes

* Add comment to keep test_sys and test_unicode in sync

* Fix case code < 256

* gh-90473: Define HOSTRUNNER for WASI (GH-93606)

* gh-79096: Fix/improve http cookiejar tests (GH-93614)

Fixup of GH-93463:
- remove stray print
- use proper way to check file mode
- add working chmod decorator

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* gh-93616: Fix env changed issue in test_modulefinder (GH-93617)

* gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609)

copy.copy() and copy.deepcopy() now always raise a TypeError if
__reduce__() returns a tuple with length 6 instead of silently ignoring
the 6th item or producing an incorrect result.

* Doc: Update references and examples of old, unsupported OSes and uarches (GH-92791)

* bpo-45383: Get metaclass from bases in PyType_From* (GH-28748)

This checks the bases of a type created using the FromSpec
API to inherit the bases' metaclasses.  The metaclass's alloc
function will be called as is done in `tp_new` for classes
created in Python.

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>

* Improve logging documentation with example and additional cookbook re… (GH-93644)

* gh-90473: disable user site packages on WASI/Emscripten (GH-93633)

* gh-90473: Skip get_config_h() tests on WASI (GH-93645)

* gh-90549: Fix leak of global named resources using multiprocessing spawn (#30617)

Co-authored-by: XD Trol <milestonejxd@gmail.com>
Co-authored-by: Antoine Pitrou <pitrou@free.fr>

* gh-92434: Silence compiler warning in Modules/_sqlite/connection.c on 32-bit systems (#93090)

* gh-90763: Modernise xx template module initialisation (#93078)

Use C APIs such as PyModule_AddType instead of PyModule_AddObject.
Also remove incorrect module decrefs if module fails to initialise.

* gh-93491: Add support tier detection to configure (GH-93492)

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>

* gh-93466: Document PyType_Spec doesn't accept repeated slot IDs; raise where this was problematic (GH-93471)

* gh-93671: Avoid exponential backtracking in deeply nested sequence patterns in match statements (GH-93680)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* gh-81790: support "UNC" device paths in `ntpath.splitdrive()` (GH-91882)

* GH-93621: reorder code in with/async-with exception exit path to reduce the size of the exception table (GH-93622)

* gh-93461: Invalidate sys.path_importer_cache entries with relative paths (GH-93653)

* gh-91317: Document that Path does not collapse initial `//` (GH-32193)

Documentation for `pathlib` says:

> Spurious slashes and single dots are collapsed, but double dots ('..') are not, since this would change the meaning of a path in the face of symbolic links:

However, it omits that initial double slashes also aren't collapsed.

Later, in documentation of `PurePath.drive`, `PurePath.root`, and `PurePath.name` it mentions UNC but:

- this abbreviation says nothing to a person who is unaware about existence of UNC (Wikipedia doesn't help either by [giving a disambiguation page](https://en.wikipedia.org/wiki/UNC))
- it shows up only if a person needs to use a specific property or decides to fully learn what the module provides.

For context, see the BPO entry.

* gh-92886: Fix tests that fail when running with optimizations (`-O`) in `test_zipimport.py` (GH-93236)

* gh-92930: _pickle.c: Acquire strong references before calling save() (GH-92931)

* gh-84461: Use HOSTRUNNER to run regression tests (GH-93694)

Co-authored-by: Brett Cannon <brett@python.org>

* gh-90473: Skip test_queue when threading is not available (GH-93712)

* gh-90153:  whatsnew: "z" option in format spec (GH-93624)

Add what's new entry for PEP 682 in Python 3.11.

* gh-86404: [doc] A make sucpicious false positive. (GH-93710)

* Change list to view object (#93661)

* gh-84508: tool to generate cjk traditional chinese mappings (gh-93272)

* Remove usage of _Py_IDENTIFIER from math module (#93739)

* gh-91162: Support splitting of unpacked arbitrary-length tuple over TypeVar and TypeVarTuple parameters (alt) (GH-93412)

For example:

  A[T, *Ts][*tuple[int, ...]] -> A[int, *tuple[int, ...]]
  A[*Ts, T][*tuple[int, ...]] -> A[*tuple[int, ...], int]

* gh-93728: fix memory leak in deepfrozen code objects (GH-93729)

* gh-93747: Fix Refleak when handling multiple Py_tp_doc slots (gh-93749)

* GH-90699: use statically allocated strings in typeobject.c (gh-93751)

* Add more FOR_ITER specialization stats (GH-32151)

* gh-89653: PEP 670: Convert PyFunction macros (#93765)

Convert PyFunction macros to static inline functions.

* Remove ANY_VARARGS() macro from the C API (#93764)

The macro was exposed by mistake.

* gh-84623: Remove unused imports in stdlib (#93773)

* gh-91731: Don't define 'static_assert' in C++11 where is a keyword to avoid UB (GH-93700)

* gh-84623: Remove unused imports in tests (#93772)

* gh-93353: Fix importlib.resources._tempfile() finalizer (#93377)

Fix the importlib.resources.as_file() context manager to remove the
temporary file if destroyed late during Python finalization: keep a
local reference to the os.remove() function. Patch by Victor Stinner.

* gh-84461: Fix parallel testing on WebAssembly (GH-93768)

* gh-89653: PEP 670: Macros always cast arguments in cpython/ (#93766)

Header files in the Include/cpython/ are only included if
the Py_LIMITED_API macro is not defined.

* gh-93353: Add test.support.late_deletion() (#93774)

* gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742)

It combines PyImport_ImportModule() and PyObject_GetAttrString()
and saves 4-6 lines of code on every use.

Add also _PyImport_GetModuleAttr() which takes Python strings as arguments.

* gh-79512: Fixed names and __module__ value of weakref classes (GH-93719)

Classes ReferenceType, ProxyType and CallableProxyType now have correct
attributes __module__, __name__ and __qualname__.
It makes them (types, not instances) pickleable.

* gh-91810: Fix regression with writing an XML declaration with encoding='unicode' (GH-93426)

Suppress writing an XML declaration in open files in ElementTree.write()
with encoding='unicode' and xml_declaration=None.

If a file path is passed to ElementTree.write() with encoding='unicode',
always open a new file in UTF-8.

* gh-93761: Fix test to avoid simple delay when synchronizing. (GH-93779)

* gh-89546: Clean up PyType_FromMetaclass (GH-93686)

When changing PyType_FromMetaclass recently (GH-93012, GH-93466, GH-28748)
I found a bunch of opportunities to improve the code. Here they are.

Fixes: #89546

Automerge-Triggered-By: GH:encukou

* gh-91321: Fix compatibility with C++ older than C++11 (#93784)

Fix the compatibility of the Python C API with C++ older than C++11.

_Py_NULL is only defined as nullptr on C++11 and newer.

* GH-93662: Make sure that column offsets are correct in multi-line method calls. (GH-93673)

* GH-93516: Store offset of first traceable instruction in code object (GH-93769)

* gh-90473: Include stdlib dir in wasmtime PYTHONPATH (GH-93797)

* GH-93429: Merge `LOAD_METHOD` back into `LOAD_ATTR` (GH-93430)

* gh-93353: regrtest checks for leaked temporary files (#93776)

When running tests with -jN, create a temporary directory per process
and mark a test as "environment changed" if a test leaks a temporary
file or directory.

* gh-79579: Improve DML query detection in sqlite3 (#93623)

The fix involves using pysqlite_check_remaining_sql(), not only to check
for multiple statements, but now also to strip leading comments and
whitespace from SQL statements, so we can improve DML query detection.

pysqlite_check_remaining_sql() is renamed lstrip_sql(), to more
accurately reflect its function, and hardened to handle more SQL comment
corner cases.

* GH-93678: reduce boilerplate and code repetition in the compiler (GH-93682)

* gh-91877: Fix WriteTransport.get_write_buffer_{limits,size} docs (#92338)

- Amend docs for WriteTransport.get_write_buffer_limits
- Add docs for WriteTransport.get_write_buffer_size

* GH-93429: Document `LOAD_METHOD` removal (GH-93803)

* Include freelists in allocation total. (GH-93799)

* gh-93795: Use test.support TESTFN/unlink in sqlite3 tests (#93796)

* Remove LOAD_METHOD stats. (GH-93807)

* Rename 'LOAD_METHOD' specialization stat consts to 'ATTR'. (GH-93812)

* gh-93353: Fix regrtest for -jN with N >= 2 (GH-93813)

* [docs] Fix LOAD_ATTR version changed (GH-93816)

* gh-93814: Add infinite test for itertools.chain.from_iterable (GH-93815)

fix #93814

Automerge-Triggered-By: GH:rhettinger

* gh-93735: Split Docs CI to speed-up the build (GH-93736)

* gh-93183: Adjust wording in socket docs (#93832)

package => packet

Co-authored-by: Victor Norman

* gh-93829: In sqlite3, replace Py_BuildValue with faster APIs (#93830)

- In Modules/_sqlite/connection.c, use PyLong_FromLong
- In Modules/_sqlite/microprotocols.c, use PyTuple_Pack

* Add test.support.busy_retry() (#93770)

Add busy_retry() and sleeping_retry() functions to test.support.

* gh-87260: Update sqlite3 signature docs to reflect actual implementation (#93840)

Align the docs for the following methods with the actual implementation:

- sqlite3.complete_statement()
- sqlite3.Connection.create_function()
- sqlite3.Connection.create_aggregate()
- sqlite3.Connection.set_progress_handler()

* test_thread uses support.sleeping_retry() (#93849)

test_thread.test_count() now fails if it takes longer than
LONG_TIMEOUT seconds.

* Use support.sleeping_retry() and support.busy_retry() (#93848)

* Replace time.sleep(0.010) with sleeping_retry() to
  use an exponential sleep.
* support.wait_process(): reuse sleeping_retry().
* _test_eintr: remove unused variables.

* Update includes in call.c (GH-93786)

* gh-93857: Fix broken audit-event targets in sqlite3 docs (#93859)

Corrected targets for the following audit-events:

- sqlite3.enable_load_extension => sqlite3.Connection.enable_load_extension
- sqlite3.load_extension => sqlite3.Connection.load_extension

* GH-93850: Fix test_asyncio exception ignored tracebacks (#93854)

* gh-93824: Reenable installation of shell extension on Windows ARM64 (GH-93825)

* test_asyncio: run_until() implements exponential sleep (#93866)

run_until() of test.test_asyncio.utils now uses an exponential sleep
delay (max: 1 second), rather than a fixed delay of 1 ms. Similar
design to the support.sleeping_retry() wait strategy that applies
exponential backoff.

* test_asyncore: Optimize capture_server() (#93867)

Remove time.sleep(0.01) in test_asyncore capture_server(). The sleep
was redundant and inefficient, since the loop starts with
select.select() which also implements a sleep (poll for socket data
with a timeout).

* Tests call sleeping_retry() with SHORT_TIMEOUT (#93870)

Tests now call busy_retry() and sleeping_retry() with SHORT_TIMEOUT
or LONG_TIMEOUT (of test.support), rather than hardcoded constants.

Add also WAIT_ACTIVE_CHILDREN_TIMEOUT constant to
_test_multiprocessing.

* gh-84461: Document how to install SDKs manually (GH-93844)

Co-authored-by: Brett Cannon <brett@python.org>

* gh-93820: Fix copy() regression in enum.Flag (GH-93876)

GH-26658 introduced a regression in copy / pickle protocol for combined
`enum.Flag`s. `copy.copy(re.A | re.I)` would fail with
`AttributeError: ASCII|IGNORECASE`.

`enum.Flag` now has a `__reduce_ex__()` method that reduces flags by
combined value, not by combined name.

* Call busy_retry() and sleeping_retry() with error=True (#93871)

Tests no longer call busy_retry() and sleeping_retry() with
error=False: raise an exception if the loop times out.

* gh-87347: Add parenthesis around PyXXX_Check() arguments (#92815)

* gh-91321: Fix test_cppext for C++03 (#93902)

Don't build _testcppext.cpp with -Wzero-as-null-pointer-constant when
testing C++03: only use this compiler flag with C++11.

* gh-91577: SharedMemory move imports out of methods (#91579)

SharedMemory.unlink() uses the unregister() function from resource_tracker. Previously it was imported in the method, but this can fail if the method is called during interpreter shutdown, for example when unlink is part of a __del__() method.

Moving the import to the top of the file, means that the unregister() method is available during interpreter shutdown.

The register call in SharedMemory.__init__() can also use this imported resource_tracker.

* gh-92547: Amend What's New (#93872)

* Fix BINARY_SUBSCR_GETITEM stats (GH-93903)

* gh-93847: Fix repr of enum of generic aliases (GH-93885)

* gh-93353: regrtest supports checking tmp files with -j2 (#93909)

regrtest now also implements checking for leaked temporary files and
directories when using -jN for N >= 2. Use tempfile.mkdtemp() to
create the temporary directory. Skip this check on WASI.

* GH-91389: Fix dis position information for CACHEs (GH-93663)

* gh-91985: Ensure in-tree builds override platstdlib_dir in every path calculation (GH-93641)

* GH-83658: make multiprocessing.Pool raise an exception if maxtasksperchild is not None or a positive int (GH-93364)

Closes #83658.

* test_logging: Fix BytesWarning in SysLogHandlerTest (GH-93920)

* gh-91404: Revert "bpo-23689: re module, fix memory leak when a match is terminated by a signal or allocation failure (GH-32283) (#93882)

Revert "bpo-23689: re module, fix memory leak when a match is terminated by a signal or memory allocation failure (GH-32283)"

This reverts commit 6e3eee5.

Manual fixups to increase the MAGIC number and to handle conflicts with
a couple of changes that landed after that.

Thanks for reviews by Ma Lin and Serhiy Storchaka.

* gh-89745: Avoid exact match when comparing program_name in test_embed on Windows (GH-93888)

* gh-93852: Add test.support.create_unix_domain_name() (#93914)

test_asyncio, test_logging, test_socket and test_socketserver now
create AF_UNIX domains in the current directory to no longer fail
with OSError("AF_UNIX path too long") if the temporary directory (the
TMPDIR environment variable) is too long.

Modify the following tests to use create_unix_domain_name():

* test_asyncio
* test_logging
* test_socket
* test_socketserver

test_asyncio.utils: remove unused time import.

* gh-77782: Py_FdIsInteractive() now uses PyConfig.interactive (#93916)

* gh-74953: Add _PyTime_FromMicrosecondsClamp() function (#93942)

* gh-74953: Fix PyThread_acquire_lock_timed() code recomputing the timeout (#93941)

Set timeout, don't create a local variable with the same name.

* gh-77782: Deprecate global configuration variable (#93943)

Deprecate global configuration variables like
Py_IgnoreEnvironmentFlag: the Py_InitializeFromConfig() API should be
used instead.

Fix declaration of Py_GETENV(): use PyAPI_FUNC(), not PyAPI_DATA().

* gh-93911: Specialize `LOAD_ATTR_PROPERTY` (GH-93912)

* gh-92888: Fix memoryview bad `__index__` use after free (GH-92946)

Co-authored-by: chilaxan <35645806+chilaxan@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <3659035+serhiy-storchaka@users.noreply.github.com>

* GH-89858: Fix test_embed for out-of-tree builds (GH-93465)

* gh-92611: Add details on replacements for cgi utility funcs (GH-92792)

Per @brettcannon 's [suggestions on the Discourse thread](https://discuss.python.org/t/pep-594-take-2-removing-dead-batteries-from-the-standard-library/13508/51), discussed in #92611 and as a followup to PR #92612 , this PR add additional specific per-function replacement information for the utility functions in the `cgi` module deprecated by PEP 594 (PEP-594).

@brettcannon , should this be backported (without the `deprecated-removed` , which I would update it accordingly and re-add in my other PR adding that to the others for 3.11+), or just go in 3.11+?

* GH-77403: Fix tests which fail when PYTHONUSERBASE is not normalized (GH-93917)

* gh-91387: Strip trailing slash from tarfile longname directories (GH-32423)

Co-authored-by: Brett Cannon <brett@python.org>

* Add jaraco as primary owner of importlib.metadata and importlib.resources. (#93960)

* Add jaraco as primary owner of importlib.metadata and importlib.resources.

* Align indentation.

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

* gh-84461: Fix circular dependency on BUILDPYTHON (GH-93977)

* gh-89828: Do not relay the __class__ attribute in GenericAlias (#93754)

list[int].__class__ returned type, and isinstance(list[int], type)
returned True. It caused numerous problems in code that checks
isinstance(x, type).

* gh-84461: Fix pydebug Emscripten browser builds (GH-93982)

wasm_assets script did not take the ABIFLAG flag of sysconfigdata into
account.

* gh-93955: Use unbound methods for slot `__getattr__` and `__getattribute__` (GH-93956)

* gh-91387: Fix tarfile test on WASI (GH-93984)

WASI's rmdir() syscall does not like the trailing slash.

* gh-93975: Nicer error reporting in test_venv (GH-93959)



- gh-93957: Provide nicer error reporting from subprocesses in test_venv.EnsurePipTest.test_with_pip.
- Update changelog

This change does three things:

1. Extract a function for trapping output in subprocesses.
2. Emit both stdout and stderr when encountering an error.
3. Apply the change to `ensurepip._uninstall` check.

* GH-93990: fix refcounting bug in `add_subclass` in `typeobject.c` (GH-93989)

* What's new in 3.10: fix link to issue (#93968)

* What's new in 3.10: fix link to issue

* What's new in 3.10: fix link to GH issue

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

* gh-93761: Fix test_logging test_config_queue_handler() race condition (#93952)

Fix a race condition in test_config_queue_handler() of test_logging.

* gh-74953: Reformat PyThread_acquire_lock_timed() (#93947)

Reformat the pthread implementation of PyThread_acquire_lock_timed()
using a mutex and a conditional variable.

* Add goto to avoid multiple indentation levels and exit quickly
* Use "while(1)" and make the control flow more obvious.
* PEP 7: Add braces around if blocks.

* gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938)

Move the follow functions and type from frameobject.h to pyframe.h,
so the standard <Python.h> provides frame getter functions:

* PyFrame_Check()
* PyFrame_GetBack()
* PyFrame_GetBuiltins()
* PyFrame_GetGenerator()
* PyFrame_GetGlobals()
* PyFrame_GetLasti()
* PyFrame_GetLocals()
* PyFrame_Type

Remove #include "frameobject.h" from many C files. It's no longer
needed.

* gh-93991: Use boolean instead of 0/1 for condition check (GH-93992)



# gh-93991: Use boolean instead of 0/1 for condition check

* gh-84461: Fix Emscripten umask and permission issues (GH-94002)

- Emscripten's default umask is too strict, see
  emscripten-core/emscripten#17269
- getuid/getgid and geteuid/getegid are stubs that always return 0
  (root). Disable effective uid/gid syscalls and fix tests that use
  chmod() current user.
- Cannot drop X bit from directory.

* gh-84461: Skip test_unwritable_directory again on Emscripten (GH-94007)

GH-93992 removed geteuid() and enabled the test again on Emscripten.

* gh-93925: Improve clarity of sqlite3 commit/rollback, and close docs (#93926)

Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>

* gh-61162: Clarify sqlite3 connection context manager docs (GH-93890)



Explicitly note that transactions are only closed if there is an open
transaction at `__exit__`, and that transactions are not implicitly
opened during `__enter__`.

Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com>

Automerge-Triggered-By: GH:erlend-aasland

* gh-79009: sqlite3.iterdump now correctly handles tables with autoincrement (#9621)

Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>

* gh-84461: Silence some compiler warnings on WASM (GH-93978)

* GH-93897: Store frame size in code object and de-opt if insufficient space on thread frame stack. (GH-93908)

* GH-93516: Speedup line number checks when tracing. (GH-93763)

* Use a lookup table to reduce overhead of getting line numbers during tracing.

* gh-90539: doc: Expand on what should not go into CFLAGS, LDFLAGS (#92754)

* gh-87347: Add parenthesis around macro arguments (#93915)

Add unit test on Py_MEMBER_SIZE() and some other macros.

* gh-93937: PyOS_StdioReadline() uses PyConfig.legacy_windows_stdio (#94024)

On Windows, PyOS_StdioReadline() now gets
PyConfig.legacy_windows_stdio from _PyOS_ReadlineTState, rather than
using the deprecated global Py_LegacyWindowsStdioFlag variable.

Fix also a compiler warning in Py_SetStandardStreamEncoding().

* GH-93249: relax overly strict assertion on bounds->ar_start (GH-93961)

* gh-94021: Address unreachable code warning in specialize code (GH-94022)

* GH-93678: refactor compiler so that optimizer does not need the assembler and compiler structs (GH-93842)

* gh-93839: Move Lib/ctypes/test/ to Lib/test/test_ctypes/ (#94041)

* Move Lib/ctypes/test/ to Lib/test/test_ctypes/
* Remove Lib/test/test_ctypes.py
* Update imports and build system.

* gh-93839: Move Lib/unittest/test/ to Lib/test/test_unittest/ (#94043)

* Move Lib/unittest/test/ to Lib/test/test_unittest/
* Remove Lib/test/test_unittest.py
* Replace unittest.test with test.test_unittest
* Remove unittest.load_tests()
* Rewrite unittest __init__.py and __main__.py
* Update build system, CODEOWNERS, and wasm_assets.py

* GH-91432: Specialize FOR_ITER (GH-91713)

* Adds FOR_ITER_LIST and FOR_ITER_RANGE specializations.

* Adds _PyLong_AssignValue() internal function to avoid temporary boxing of ints.

* gh-94028: Clear and reset sqlite3 statements properly in cursor iternext (GH-94042)

* gh-94052: Don't re-run failed tests with --python option (#94054)

* gh-93839: Use load_package_tests() for testmock (GH-94055)



Fixes failing tests on WebAssembly platforms.

Automerge-Triggered-By: GH:tiran

* gh-54781: Move Lib/lib2to3/tests/ to Lib/test/test_lib2to3/ (#94049)

* Move Lib/lib2to3/tests/ to Lib/test/test_lib2to3/.
* Remove Lib/test/test_lib2to3.py.
* Update imports.
* all_project_files(): use different paths and sort files
  to make the tests more reproducible.
* Update references to tests.

* gh-74953: _PyThread_cond_after() uses _PyTime_t (#94056)

pthread _PyThread_cond_after() implementation now uses the _PyTime_t
type to handle properly overflow: clamp to the maximum value.

Remove MICROSECONDS_TO_TIMESPEC() function.

* GH-93841: Allow stats to be turned on and off, cleared and dumped at runtime. (GH-93843)

* gh-86986: Drop compatibility support for Sphinx 2 (GH-93737)

* Revert "bpo-42843: Keep Sphinx 1.8 and Sphinx 2 compatibility (GH-24282)"

This reverts commit 5c1f15b

* Revert "bpo-42579: Make workaround for various versions of Sphinx more robust (GH-23662)"

This reverts commit b63a620.

* gh-94068: Remove HVSOCKET_CONTAINER_PASSTHRU constant because it has been removed from Windows (GH-94069)



Fixes #94068

Automerge-Triggered-By: GH:zware

* Closes gh-94038: Update Release Schedule in README.rst from PEP 664 to PEP 693 (GH-94046)

* gh-93851: Fix all broken links in Doc/ (GH-93853)

* gh-93675: Fix typos in `Doc/` (GH-93676)

Closes #93675

* Minor optimization for Fractions.limit_denominator (GH-93730)

When we construct the upper and lower candidates in limit_denominator,
the numerator and denominator are already relatively prime (and the
denominator positive) by construction, so there's no need to go through
the usual normalisation in the constructor. This saves a couple of
potentially expensive gcd calls.

Suggested by Michael Scott Asato Cuthbert in GH-93477.

* gh-93240: clarify wording in IO tutorial (GH-93276)

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>

* Tutorial: specify match cases don't fall through (GH-93615)

* gh-93021: Fix __text_signature__ for __get__ (GH-93023)

Because of the way wrap_descr_get is written, the second argument
to __get__ methods implemented through the wrapper is always
optional.

* gh-82927: Update files related to HTML entities. (GH-92504)

* DOC: correct bytesarray -> bytearray in comments (GH-92410)

* gh-87389: Fix an open redirection vulnerability in http.server. (#93879)

Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].

* gh-89336: Remove configparser APIs that were deprecated for 3.12 (#92503)

https://github.com/python/cpython/issue/89336: Remove configparser 3.12 deprecations.

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>

* bpo-30535: [doc] state that sys.meta_path is not empty by default (GH-94098)

Co-authored-by: Windson yang <wiwindson@outlook.com>

* gh-88123: Implement new Enum __contains__ (GH-93298)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>

* Stats: Add summary of top instructions for misses and deferred specialization. (GH-94072)

* gh-74696: Do not change the current working directory in shutil.make_archive() if possible (GH-93160)

It is no longer changed when creating a zip or tar archive.

It is still changed for custom archivers registered with shutil.register_archive_format()
if root_dir is not None.

Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* gh-94101 Disallow instantiation of SSLSession objects (GH-94102)



Fixes #94101

Automerge-Triggered-By: GH:tiran

* Fix typo in _io.TextIOWrapper Clinic input (#94037)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>

* gh-93951: In test_bdb.StateTestCase.test_skip, avoid including auxiliary importers. (GH-93962)

Co-authored-by: Brett Cannon <brett@python.org>

* gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>

* gh-94114: Remove obsolete reference to python.org mirrors (GH-94115)



* gh-94114

* gh-84623: Remove unused imports (#94132)

* gh-54781: Move Lib/tkinter/test/test_ttk/ to Lib/test/test_ttk/ (#94070)

* Move Lib/tkinter/test/test_tkinter/ to Lib/test/test_tkinter/.
* Move Lib/tkinter/test/test_ttk/ to Lib/test/test_ttk/.
* Add Lib/test/test_ttk/__init__.py based on test_ttk_guionly.py.
* Add Lib/test/test_tkinter/__init__.py
* Remove old Lib/test/test_tk.py.
* Remove old Lib/test/test_ttk_guionly.py.
* Add __main__ sub-modules.
* Update imports and update references to rename files.

* gh-84623: Move imports in doctests (#94133)

Move imports in doctests to prevent false alarms in pyflakes.

* Add ABI dump Makefile target (#94136)

* gh-84623: Remove unused imports in idlelib (#94143)

Remove commented code in test_debugger_r.py.

Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>

* gh-85308: argparse: Use filesystem encoding for arguments file (GH-93277)

* Closes gh-94152: Update pyvideo.org URL (GH-94075)

The URL is now https://pyvideo.org, which uses HTTPS and avoids a redirect.

* gh-91456: [Enum] Deprecate default auto() behavior with mixed value types (GH-91457)

When used with plain Enum, auto() returns the last numeric value assigned, skipping any incompatible member values (such as strings); starting in 3.13 the default auto() for plain Enums will require all the values to be of compatible types, and will return a new value that is 1 higher than any existing value.

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>

* gh-84461: Fix test_sqlite for Emscripten/WASI (#94125)

* gh-86404: [doc] Fix missing backtick and double target name. (#94120)

* gh-89121: Keep the number of pending SQLite statements to a minimum (#30379)

Make sure statements that have run to completion or errored are
reset and cleared off the cursor for all paths in execute() and
executemany().

* GH-91742: Fix pdb crash after jump  (GH-94171)

* [Enum] fix typo (GH-94158)

* gh-92858: Improve error message for some suites with syntax error before ':' (#92894)

* gh-93771: Clarify how deepfreeze.py is run (#94150)

* gh-91219: Add an index_pages default list and parameter to SimpleHTTPRequestHandler (GH-31985)

* Add an index_pages default list to SimpleHTTPRequestHandler and an
optional constructor parameter that allows the default indexes pages
list to be overridden.  This makes it easy to set a new index page name
without having to override send_head.

* [Enum] Remove automatic docstring generation (GH-94188)

* Add ABI dump script (#94135)

* Add more tests for throwing into yield from (GH-94097)

* gh-94169: Remove deprecated io.OpenWrapper (#94170)

Remove io.OpenWrapper and _pyio.OpenWrapper, deprecated in Python
3.10: just use :func:`open` instead. The open() (io.open()) function
is a built-in function. Since Python 3.10, _pyio.open() is also a
static method.

* gh-94199: Remove ssl.RAND_pseudo_bytes() function (#94202)

Remove the ssl.RAND_pseudo_bytes() function, deprecated in Python
3.6: use os.urandom() or ssl.RAND_bytes() instead.

* gh-94196: Remove gzip.GzipFile.filename attribute (#94197)

gzip: Remove the filename attribute of gzip.GzipFile,
deprecated since Python 2.6, use the name attribute instead. In write
mode, the filename attribute added '.gz' file extension if it was not
present.

* gh-93692: remove "build finished successfully" message from setup.py (#93693)

The message was only emitted when the build succeeded _and_ there were
missing modules.

* gh-84461: Fix ctypes and test_ctypes on Emscripten (#94142)

- c_longlong and c_longdouble need experimental WASM bigint.
- Skip tests that need threading
- Define ``CTYPES_MAX_ARGCOUNT`` for Emscripten. libffi-emscripten 2022-06-23 supports up to 1000 args.

* gh-94205: Ensures all required DLLs are copied on Windows for underpth tests (GH-94206)

* gh-84461: Build Emscripten with WASM BigInt support (#94219)

* gh-94172: urllib.request avoids deprecated check_hostname (#94193)

The urllib.request no longer uses the deprecated check_hostname
parameter of the http.client module.

Add private http.client._create_https_context() helper to http.client,
used by urllib.request.

Remove the now redundant check on check_hostname and verify_mode in
http.client: the SSLContext.check_hostname setter already implements
the check.

* IDLE: replace if statement with expression (#94228)

* Docs: Remove `Provides [...]` from `multiprocessing.shared_memory` description (#92761)

* gh-93382: Sync up `co_code` changes with 3.11 (GH-94227)

Sync up co_code changes with 3.11 commit 852b4d4.

* gh-94217: Skip import tests when _testcapi is a builtin (GH-94218)

* gh-85308: Add argparse tests for reading non-ASCII arguments from file (GH-94160)

* bpo-46642: Explicitly disallow subclassing of instances of TypeVar, ParamSpec, etc (GH-31148)

The existing test covering this case passed only incidentally. We
explicitly disallow doing this and add a proper error message.

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

* bpo-26253: Add compressionlevel to tarfile stream (GH-2962)

`tarfile` already accepts a compressionlevel argument for creating
files. This patch adds the same for stream-based tarfile usage.
The default is 9, the value that was previously hard-coded.

* gh-70441: Fix test_tarfile on systems w/o bz2 (gh-2962) (#94258)

* gh-94199: Remove ssl.match_hostname() function (#94224)

* gh-94207: Fix struct module leak (GH-94239)

Make _struct.Struct a GC type

This fixes a memory leak in the _struct module, where as soon
as a Struct object is stored in the cache, there's a cycle from
the _struct module to the cache to Struct objects to the Struct
type back to the module. If _struct.Struct is not gc-tracked, that
cycle is never collected.

This PR makes _struct.Struct GC-tracked, and adds a regression test.

* gh-94245: Test pickling and copying of typing.Tuple[()] (GH-94259)

* gh-77560: Report possible errors in restoring builtins at finalization (GH-94255)

Seems in the past the copy of builtins was not made in some scenarios,
and the error was silenced. Write it now to stderr, so we have a chance
to see it.

* gh-90016: Reword sqlite3 adapter/converter docs (#93095)

Also add adapters and converter recipes.

Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>

* bpo-39971: Change examples to be runnable (GH-32172)

* gh-70474: [doc] fix wording of GET_ANEXT doc (GH-94048)

* gh-93259: Validate arg to ``Distribution.from_name``. (GH-94270)

Syncs with importlib_metadata 4.12.0.

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
Co-authored-by: Ulises Ojeda <ulises.odysseus22@gmail.com>
Co-authored-by: jackh-ncl <1750152+jackh-ncl@users.noreply.github.com>
Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
Co-authored-by: Colin Delahunty <72827203+colin99d@users.noreply.github.com>
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
Co-authored-by: Christian Heimes <christian@python.org>
Co-authored-by: Dennis Sweeney <36520290+sweeneyde@users.noreply.github.com>
Co-authored-by: Cyker Way <cykerway@gmail.com>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Omer Katz <omer.katz@omerkatz.com>
Co-authored-by: Stanley <46876382+slateny@users.noreply.github.com>
Co-authored-by: Thomas Grainger <tagrain@gmail.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@protonmail.com>
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
Co-authored-by: AN Long <aisk@users.noreply.github.com>
Co-authored-by: Samodya Abeysiriwardane <379594+sransara@users.noreply.github.com>
Co-authored-by: Evorage <owner@evorage.com>
Co-authored-by: Davide Rizzo <sorcio@gmail.com>
Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de>
Co-authored-by: Vinay Sajip <vinay_sajip@yahoo.co.uk>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Andreas Grommek <76997441+agrommek@users.noreply.github.com>
Co-authored-by: Mark Shannon <mark@hotpy.org>
Co-authored-by: Ken Jin <kenjin4096@gmail.com>
Co-authored-by: Adrian Garcia Badaracco <1755071+adriangb@users.noreply.github.com>
Co-authored-by: jacksonriley <52106215+jacksonriley@users.noreply.github.com>
Co-authored-by: Kalyan <kalyan.ben10@live.com>
Co-authored-by: Bluenix <bluenixdev@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: CAM Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
Co-authored-by: Leo Trol <milestone.jxd@gmail.com>
Co-authored-by: XD Trol <milestonejxd@gmail.com>
Co-authored-by: Antoine Pitrou <pitrou@free.fr>
Co-authored-by: neonene <53406459+neonene@users.noreply.github.com>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
Co-authored-by: Barney Gale <barney.gale@gmail.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Brett Cannon <brett@python.org>
Co-authored-by: John Belmonte <john@neggie.net>
Co-authored-by: Julien Palard <julien@palard.fr>
Co-authored-by: Pamela Fox <pamela.fox@gmail.com>
Co-authored-by: Dong-hee Na <donghee.na@python.org>
Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Sanket Shanbhag <TechieBoy@users.noreply.github.com>
Co-authored-by: Jeong YunWon <69878+youknowone@users.noreply.github.com>
Co-authored-by: Steve Dower <steve.dower@python.org>
Co-authored-by: samtygier <samtygier@yahoo.co.uk>
Co-authored-by: Ken Jin <kenjin@python.org>
Co-authored-by: Brandt Bucher <brandtbucher@microsoft.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: chilaxan <35645806+chilaxan@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <3659035+serhiy-storchaka@users.noreply.github.com>
Co-authored-by: Chris Fernald <chrisf671@gmail.com>
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
Co-authored-by: Lei Zhang <leizhanghello@gmail.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
Co-authored-by: itssme <itssme3000@gmail.com>
Co-authored-by: Matthias Köppe <mkoeppe@math.ucdavis.edu>
Co-authored-by: MilanJuhas <81162136+MilanJuhas@users.noreply.github.com>
Co-authored-by: luzpaz <luzpaz@users.noreply.github.com>
Co-authored-by: paulreece <96156234+paulreece@users.noreply.github.com>
Co-authored-by: max <36980911+pr2502@users.noreply.github.com>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Co-authored-by: Thomas A Caswell <tcaswell@gmail.com>
Co-authored-by: Windson yang <wiwindson@outlook.com>
Co-authored-by: Carl Bordum Hansen <carl@bordum.dk>
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Éric <merwok@netwok.org>
Co-authored-by: chgnrdv <52372310+chgnrdv@users.noreply.github.com>
Co-authored-by: fikotta <81991278+fikotta@users.noreply.github.com>
Co-authored-by: partev <petrosyan@gmail.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
Co-authored-by: Inada Naoki <songofacandy@gmail.com>
Co-authored-by: Oscar R <89599049+oscar-LT@users.noreply.github.com>
Co-authored-by: wookie184 <wookie1840@gmail.com>
Co-authored-by: Guido van Rossum <guido@python.org>
Co-authored-by: Myron Walker <myron.walker@hotmail.com>
Co-authored-by: Sam Ezeh <sam.z.ezeh@gmail.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Gregory Beauregard <greg@greg.red>
Co-authored-by: Yaron de Leeuw <me@jarondl.net>
Co-authored-by: Mark Dickinson <mdickinson@enthought.com>
@jhadvig

jhadvig commented Jul 8, 2022

@miss-islington any idea on ETA when the release that will include the fix will happen?
Thank you :)

frenzymadness pushed a commit to frenzymadness/cpython that referenced this pull request Sep 13, 2022
frenzymadness pushed a commit to frenzymadness/cpython that referenced this pull request Sep 14, 2022
Fix an open redirection vulnerability in the `http.server` module when
a URI path starts with `//` that could produce a 301 Location header
with a misleading target.  Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).

Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b)

Upstream: python#93879
Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2120642

Co-authored-by: Gregory P. Smith <greg@krypto.org>
HerrCai0907 added a commit to llvm/llvm-project that referenced this pull request Mar 19, 2023
This patch make following change for coverage-report-server.py
- using uri `./{name}` from root in the old version python http.server can be handled as `//{name}`. But due to python/cpython#93879, it will be handled as `/{name}` now.

So I want to use a prefix to avoid double slashes issue.

Differential Revision: https://reviews.llvm.org/D146010
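The mechanism behind the fix, as an added example for this thread (it is not code from CPython or from PR #93879): a request path beginning with `//` is split by `urllib.parse` into a network location plus path, so rebuilding it with a trailing `/` for the 301 yields a scheme-relative `//host/...` Location that clients resolve to another host; collapsing the leading slashes to a single `/`, which is the `//{name}` to `/{name}` change the llvm commit above describes, keeps the redirect on the same origin. The helper names (`normalize_request_path`, `redirect_location`, `is_same_origin_location`) and the sample request paths are constructed for illustration; `python.org/existing_directory` stands in for a real directory under the served tree.

```python
"""Why a request path starting with '//' produced a cross-host redirect.

Added example; not code from CPython or from PR #93879. Helper names and
request paths are constructed. Only urllib.parse is used, the same
splitting the stdlib handler relies on, so it runs fully offline.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_request_path(path: str) -> str:
    """Mitigation in the spirit of gh-87389: collapse leading '//' to '/'.

    HTTP clients treat '//host/...' as a scheme-relative URI (a network-path
    reference), not as a path, so a request path that begins with two slashes
    must never be echoed back into a Location header unchanged.
    """
    if path.startswith('//'):
        path = '/' + path.lstrip('/')  # reduce any run of slashes to one
    return path


def redirect_location(request_path: str, normalize: bool = True) -> Optional[str]:
    """Build the 301 Location a directory-listing handler would send.

    Mirrors the approach of appending '/' to a directory path that lacks a
    trailing slash. normalize=False shows the pre-fix behaviour. Returns
    None when the path already ends in '/' (no redirect needed).
    """
    path = normalize_request_path(request_path) if normalize else request_path
    parts = urlsplit(path)
    if parts.path.endswith('/'):
        return None
    # urlunsplit re-emits '//' + netloc whenever urlsplit found a netloc,
    # which is exactly how '//evil/dir' became '//evil/dir/' in the header.
    return urlunsplit((parts.scheme, parts.netloc, parts.path + '/',
                       parts.query, parts.fragment))


def is_same_origin_location(location: str) -> bool:
    """Defender-side check for a Location value: it must be a plain absolute
    path on this server, carrying neither a scheme nor an authority part."""
    parts = urlsplit(location)
    return (parts.scheme == '' and parts.netloc == ''
            and location.startswith('/') and not location.startswith('//'))


def demo() -> list:
    """Run constructed request paths through both behaviours.

    Returns (path, pre-fix Location, post-fix Location, post-fix same-origin?).
    """
    samples = [  # constructed request-line paths
        '/existing_directory',
        '//python.org/existing_directory',
        '//python.org/existing_directory?q=1',
    ]
    rows = []
    for p in samples:
        before = redirect_location(p, normalize=False)
        after = redirect_location(p)
        rows.append((p, before, after, is_same_origin_location(after)))
    return rows


if __name__ == '__main__':
    for path, before, after, ok in demo():
        print(f'{path!r}: before={before!r} after={after!r} same_origin={ok}')
```

The `is_same_origin_location` check is the assertion a regression test or a reverse proxy in front of a static file server can apply to outgoing `Location` headers: anything that splits into a non-empty netloc or scheme is a redirect off the origin and should be rejected or logged.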
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 11, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 11, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 20, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 20, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 20, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 20, 2024
stratakis pushed a commit to stratakis/cpython that referenced this pull request Mar 25, 2024
hroncok pushed a commit to fedora-python/cpython that referenced this pull request Mar 26, 2024
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error type-security A security issue