Matti Picus pushed to branch branch/py3.7 at PyPy / pypy

Commits:
813e2389 by Matti Picus at 2020-09-10T09:27:03+03:00
revert changes merged from default in 8f8ff88976cb: py3.6 threading is different

--HG--
branch : py3.6

- - - - -
70de54d0 by Michał Górny at 2020-09-10T10:53:59+02:00
prevent header injection in http methods (bpo-39603)

Port the patch from Python 3.6 (f02de961b9) to our stdlib:

reject control chars in http method in http.client.putrequest to prevent
http header injection.

--HG--
branch : py3.6

- - - - -
49a96f40 by Matti Picus at 2020-09-10T12:07:19+03:00
test, implement easy part of PyMemoryView_GetContiguous

--HG--
branch : py3.6

- - - - -
28d9e895 by Michał Górny at 2020-09-10T11:28:03+02:00
fix regex in AbstractBasicAuthHandler (CVE-2020-8492 / bpo-39503)

Port the patch from Python 3.6 (69cdeeb93e) to our stdlib:

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

--HG--
branch : py3.6

- - - - -
92978c45 by Matti Picus at 2020-09-10T23:25:18+03:00
Merge fixes for bpo-39603

--HG--
branch : py3.6

- - - - -
99f5151f by Matti Picus at 2020-09-10T23:25:57+03:00
merge fixes for bpo-39503

--HG--
branch : py3.6

- - - - -
ccc6278e by Michał Górny at 2020-09-10T23:08:27+02:00
sync http.client module with py3.6 to fix CVE-2019-18348

Sync http.client module as well as test_httplib and test_urllib
to include better CVE-2019-18348 protection via validating hostname
for control characters. This also includes refactoring of path
validation that makes it possible to override it.

--HG--
branch : py3.6

- - - - -
b1a2c935 by Michał Górny at 2020-09-10T23:12:16+02:00
sync email.headerregistry with py3.6 to fix bpo-39073

Sync email.headerregistry module and the relevant test to CPython 3.6
branch. The only change is disallowing CR/LF
in email.headerregistry.Address that aims to prevent header injection.

--HG--
branch : py3.6

- - - - -
b5c7c9d5 by Michał Górny at 2020-09-10T23:15:18+02:00
sync asyncio.base_events with py3.6 to fix bpo-37228

Sync asyncio.base_events and the matching test with CPython 3.6 branch
to fix bpo-37228. This includes the change banning reuse_address
parameter to loop.create_datagram_endpoint() because of security
concerns with doing that.

--HG--
branch : py3.6

- - - - -
66df0127 by Michał Górny at 2020-09-10T23:18:03+02:00
sync uu to py3.6 to fix bpo-38945

Sync uu, encodings.uu_codec and relevant tests to CPython 3.6 branch
to fix bpo-38945. This is a fix preventing newline in filename from
corrupting the output format.

--HG--
branch : py3.6

- - - - -
a3d3a77b by Michał Górny at 2020-09-10T23:20:30+02:00
sync cookiejar to py3.6 to fix bpo-38804

Sync cookiejar and matching tests to CPython 3.6 branch to fix bpo-38804
or REDoS in cookiejar.

--HG--
branch : py3.6

- - - - -
11180268 by Michał Górny at 2020-09-10T23:23:15+02:00
sync xmlrpc.server to py3.6 to fix bpo-38243

Sync xmlrpc.server and the matching test to CPython 3.6 branch to fix
bpo-38243, that is escape the server title when rendering as HTML.

--HG--
branch : py3.6

- - - - -
5a721904 by Michał Górny at 2020-09-10T23:29:33+02:00
sync email to py3.6 to fix bpo-37461 and bpo-34155

Sync email._header_value_parser, email._parseaddr and their respective
tests to include fixes for bpo-37461 and bpo-34155. The former is DoS
via infinite loop while parsing specially crafted email headers,
the latter is accepting domains containing '@'.

--HG--
branch : py3.6

- - - - -
ba16be06 by Matti Picus at 2020-09-11T10:50:40+03:00
fix translation

--HG--
branch : py3.6

- - - - -
6d21fd2f by Matti Picus at 2020-09-11T11:45:16+03:00
merge stdlib fixes to py3.6

--HG--
branch : py3.6

- - - - -
17fd4b4a by Matti Picus at 2020-09-11T12:28:21+03:00
merge py3.6 into py3.7. This might make future updates to stdlib harder :(

--HG--
branch : py3.7

- - - - -

24 changed files:

- lib-python/3/asyncio/base_events.py
- lib-python/3/email/_header_value_parser.py
- lib-python/3/email/_parseaddr.py
- lib-python/3/email/headerregistry.py
- lib-python/3/encodings/uu_codec.py
- lib-python/3/http/client.py
- lib-python/3/http/cookiejar.py
- lib-python/3/test/test_asyncio/test_base_events.py
- lib-python/3/test/test_docxmlrpc.py
- lib-python/3/test/test_email/test__header_value_parser.py
- lib-python/3/test/test_email/test_email.py
- lib-python/3/test/test_email/test_headerregistry.py
- lib-python/3/test/test_http_cookiejar.py
- lib-python/3/test/test_httplib.py
- lib-python/3/test/test_urllib.py
- lib-python/3/test/test_urllib2.py
- lib-python/3/test/test_uu.py
- lib-python/3/urllib/request.py
- lib-python/3/uu.py
- lib-python/3/xmlrpc/server.py
- pypy/module/cpyext/api.py
- pypy/module/cpyext/memoryobject.py
- pypy/module/cpyext/test/test_memoryobject.py
- pypy/module/pypyjit/test_pypy_c/test_thread.py

View it on Heptapod: https://foss.heptapod.net/pypy/pypy/-/compare/a33cb4bb70007615fa418600ce5d7eb70e89e61d...17fd4b4a2b9ee0dabf95091d58b51301c3dbe215
