[issue22922] asyncio: call_soon() should raise an exception if the event loop is closed
New submission from STINNER Victor: call_soon() can be called before the event loop starts and after run_forever(); the call will be executed by the next call to run_forever() (or run_until_complete). But calling call_soon() after close() does not make sense and the user may be surprised to not see its function called. It can be obvious in a simple program, but not in a large application. -- components: asyncio keywords: easy messages: 231549 nosy: gvanrossum, haypo, yselivanov priority: normal severity: normal status: open title: asyncio: call_soon() should raise an exception if the event loop is closed versions: Python 3.4, Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22922 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22923] No prompt for display all X possibilities on completion-enabled input()
New submission from Yoha: When running input() (or raw_input() for Python 2) while tab-completion has been enabled using `readline.parse_and_bind('tab: complete')`, pressing the tab key twice displays the message `Display all X possibilities? (y or n)` when there are more than 100 remaining possibilities (default value). However, I am not asked for any input to answer the question, and readline then proceeds to display all possibilities.

Steps to reproduce:
* run the following code: `__import__('readline').parse_and_bind('tab:complete');input()`
* press tab twice

If your current directory has more than 100 files, the message `Display all X possibilities? (y or n)` should show, followed by a list of the files.

The bug still shows up with:
* rlcompleter or custom completer
* versions 2.7.3, 2.7.8, 3.2.3 and 3.4.2
* bash or zsh
* tty, screen, ssh+screen, xterm, urxvt, gnome-terminal
* command-line flags -S (no `site` module), -u (unbuffered) or -Su
* being run as script, as `-c` command-line argument, or in the interactive interpreter
* `import readline;readline.` or `from readline import *` instead of `__import__('readline').`

On the other hand, the C program

#include <readline/readline.h>
main(){readline(0);}

behaves as expected: after the message is displayed, user input is waited for and typing y lists the possibilities, n resumes the line editing, and anything else is ignored.

-- components: IO, Library (Lib) messages: 231550 nosy: yoha priority: normal severity: normal status: open title: No prompt for display all X possibilities on completion-enabled input() type: behavior versions: Python 2.7, Python 3.2, Python 3.4
___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22923 ___
[issue22923] No prompt for display all X possibilities on completion-enabled input()
Yoha added the comment: Forgot to list the system: the bug has been tested and reproduced on Debian amd64, both wheezy and jessie. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22923 ___
[issue22924] Use of deprecated cgi.escape
New submission from Serhiy Storchaka: Deprecated cgi.escape() is used in Tools/scripts/gprof2html.py and Tools/scripts/highlight.py. It should be replaced by html.escape(). Unfortunately the html module clashes with the html parameter in highlight.py so I left this issue for Raymond. -- assignee: rhettinger components: Demos and Tools keywords: easy messages: 231552 nosy: rhettinger, serhiy.storchaka priority: normal severity: normal stage: needs patch status: open title: Use of deprecated cgi.escape type: behavior versions: Python 3.4, Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22924 ___
[issue22915] sax.parser cannot get xml data from a subprocess pipe
Serhiy Storchaka added the comment: This bug should be fixed in another place. Here is a patch. -- assignee: -> serhiy.storchaka nosy: +christian.heimes, serhiy.storchaka stage: needs patch -> patch review Added file: http://bugs.python.org/file37252/sax_non_str_file_name.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22915 ___
[issue1610654] cgi.py multipart/form-data
Serhiy Storchaka added the comment: New tests fail with non-modified code. Either there is a bug in current code or tests are wrong. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue1610654 ___
[issue2175] Expat sax parser silently ignores the InputSource protocol
Serhiy Storchaka added the comment: Ping. -- keywords: +needs review versions: +Python 3.5 -Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue2175 ___
[issue22923] No prompt for display all X possibilities on completion-enabled input()
Yoha added the comment: I have found the culprit. It is actually coming from libreadline: http://git.savannah.gnu.org/cgit/readline.git/tree/complete.c#n517 where the answer is always set to yes in callback mode. According to `git blame`, this has been so since version 6.2 at least three years ago. Should Python patch its code to fix readline's behavior? Should a bug be filed in the GNU mailing list for readline? Should I wait and hope this is fixed someday? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22923 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Changes by Antoine Pitrou pit...@free.fr: -- components: +Library (Lib) stage: -> needs patch type: enhancement -> behavior versions: +Python 2.7, Python 3.4, Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Antoine Pitrou added the comment: This sounds ok to me, but are there still SNI-less OpenSSLs around? -- nosy: +pitrou ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22638] ssl module: the SSLv3 protocol is vulnerable (POODLE attack)
Antoine Pitrou added the comment: I was looking into a 2.7 backport but it turns out _create_stdlib_context() isn't used anywhere in 2.7 (yet?), so the backport wouldn't achieve anything. I will backport to 3.4 at least. -- versions: -Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22638 ___
[issue22638] ssl module: the SSLv3 protocol is vulnerable (POODLE attack)
Roundup Robot added the comment: New changeset 653dfb1240d5 by Antoine Pitrou in branch '3.4': Issue #22638: SSLv3 is now disabled throughout the standard library. https://hg.python.org/cpython/rev/653dfb1240d5 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22638 ___
[issue22638] ssl module: the SSLv3 protocol is vulnerable (POODLE attack)
Alex Gaynor added the comment: In a post-pep476 world, this method will be used on Python2.7, so it would be good to backport now. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22638 ___
[issue22895] test failure introduced by the fix for issue #22462
Antoine Pitrou added the comment: What about using “not sysconfig.is_python_build()”? I had forgotten about it, thank you. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22895 ___
[issue22894] unittest.TestCase.subTest causes all subsequent tests to be skipped in failfast mode
Roundup Robot added the comment: New changeset 993e8f795194 by Antoine Pitrou in branch '3.4': Issue #22894: TestCase.subTest() would cause the test suite to be stopped when in failfast mode, even in the absence of failures. https://hg.python.org/cpython/rev/993e8f795194 New changeset 04103cece49d by Antoine Pitrou in branch 'default': Issue #22894: TestCase.subTest() would cause the test suite to be stopped when in failfast mode, even in the absence of failures. https://hg.python.org/cpython/rev/04103cece49d -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22894 ___
[issue22894] unittest.TestCase.subTest causes all subsequent tests to be skipped in failfast mode
Changes by Antoine Pitrou pit...@free.fr: -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22894 ___
[issue22638] ssl module: the SSLv3 protocol is vulnerable (POODLE attack)
Roundup Robot added the comment: New changeset f762cbb712de by Antoine Pitrou in branch '2.7': Backport disabling of SSLv3 in ssl._create_stdlib_context() (issue #22638). https://hg.python.org/cpython/rev/f762cbb712de -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22638 ___
[issue22638] ssl module: the SSLv3 protocol is vulnerable (POODLE attack)
Antoine Pitrou added the comment: Ok, this is done. Is there anything left in this issue? -- versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22638 ___
[issue22925] Backporting suppress context manager to 2.7
New submission from Bariša Obradović: Backport one of the context managers in 3.4, to 2.7: suppress. The patch was created by copy pasting code from 3.4 branch to 2.7 branch, and removing a single 3.4 feature: -@support.requires_docstrings -- components: Build files: suppress.patch hgrepos: 280 keywords: patch messages: 231565 nosy: Bariša.Obradović priority: normal severity: normal status: open title: Backporting suppress context manager to 2.7 type: enhancement versions: Python 2.7 Added file: http://bugs.python.org/file37253/suppress.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22925 ___
[issue22925] Backporting suppress context manager to 2.7
Berker Peksag added the comment: Thanks for the patch, but we don't backport new features to 2.7 unless they are related to PEP 434 and PEP 466. Please send your patch to https://bitbucket.org/ncoghlan/contextlib2 -- nosy: +berker.peksag resolution: -> wont fix stage: -> resolved status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22925 ___
[issue22925] Backporting suppress context manager to 2.7
Changes by Berker Peksag berker.pek...@gmail.com: -- components: +Library (Lib) -Build ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22925 ___
[issue22780] NotImplemented doc section needs update
Ethan Furman added the comment: Here's the latest patch. Thoughts? -- keywords: +patch stage: resolved -> patch review Added file: http://bugs.python.org/file37254/issue22780.stoneleaf.01.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22780 ___
[issue22915] sax.parser cannot get xml data from a subprocess pipe
R. David Murray added the comment: Serhiy's patch looks correct to me. Given that if the source doesn't have a name attribute it is simply not set in the existing code, this change should be safe (backward compatible). Elsewhere the possibility was raised of converting the int to a string (fdopen: N), but that issue is a more global one and would apply at the io module level...and if implemented this fix would automatically take advantage of it. So I think this should be committed. -- stage: patch review -> commit review ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22915 ___
[issue22925] Backporting suppress context manager to 2.7
Changes by R. David Murray rdmur...@bitdance.com: -- resolution: wont fix -> rejected ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22925 ___
[issue22926] asyncio:
New submission from STINNER Victor: The call_soon(), call_later() and call_at() methods of asyncio event loops should raise an exception in debug code when they are not called from the right thread. Currently, BaseEventLoop._assert_is_current_event_loop() does nothing if the event loop policy has no event loop for the current thread, when get_event_loop() raises an AssertionError. -- components: asyncio messages: 231569 nosy: gvanrossum, haypo, yselivanov priority: normal severity: normal status: open title: asyncio: versions: Python 3.4, Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22926 ___
[issue22926] asyncio: raise an exception when called from the wrong thread
Changes by STINNER Victor victor.stin...@gmail.com: -- title: asyncio: -> asyncio: raise an exception when called from the wrong thread ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22926 ___
[issue20467] Confusing wording about __init__
Ethan Furman added the comment: Thoughts? -- keywords: +patch stage: -> patch review versions: +Python 3.5 Added file: http://bugs.python.org/file37255/issue20467.stoneleaf.01.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue20467 ___
[issue22918] Doc for __iter__ makes inexact comment about dict.__iter__
Éric Araujo added the comment: I think the first half of the sentence is enough: “For mappings, it should iterate over the keys of the container.” -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22918 ___
[issue22915] sax.parser cannot get xml data from a subprocess pipe
Jocelyn added the comment: The only explicit documentation I found on SystemId is from the Java specification (it is my understanding that the Python sax implementation is adapted from the Java one): http://www.saxproject.org/apidoc/org/xml/sax/InputSource.html#setSystemId%28java.lang.String%29 The documentation says that "The system identifier is optional if there is a byte stream or a character stream." So, I agree that Serhiy's patch looks correct. Note that I'm not sure that my testcase with a subprocess is covered by Serhiy's tests, as these tests call parser() with a file object. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22915 ___
[issue22919] Update PCBuild for VS 2015
Changes by Jeremy Kloth jeremy.kloth+python-trac...@gmail.com: -- nosy: +jkloth ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22919 ___
[issue9003] urllib.request and http.client should allow certificate checking
Roundup Robot added the comment: New changeset 1882157b298a by Benjamin Peterson in branch '2.7': allow passing cert/ssl information to urllib2.urlopen and httplib.HTTPSConnection https://hg.python.org/cpython/rev/1882157b298a -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue9003 ___
[issue22366] urllib.request.urlopen should take a context (SSLContext) argument
Roundup Robot added the comment: New changeset 1882157b298a by Benjamin Peterson in branch '2.7': allow passing cert/ssl information to urllib2.urlopen and httplib.HTTPSConnection https://hg.python.org/cpython/rev/1882157b298a -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22366 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Donald Stufft added the comment: I tested this patch on Python 3.5 compiled on CentOS 5.11 which does not have SNI enabled. The end result is that you can use server_hostname even when SNI isn't there to enable the SSL certificate checks. Of course the check will fail if the host you're connecting to requires SNI to serve the expected certificate, but that's no different than it is today. The docs still need updated, I can do that a little bit later today, but figured I'd let people review this since it's done and working other than the docs. The basic gist of the patch is that we stash the hostname and use it for the validation checks, but we don't send it deeper into the stack if SNI is not available. -- keywords: +patch Added file: http://bugs.python.org/file37256/check-hostname-no-sni.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Christian Heimes added the comment: Thanks a lot, Donald! Back then I didn't pursue the point because I wasn't sure about possible security implications. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue11145] '%o' % user-defined instance
Serhiy Storchaka added the comment: Here is a new patch. It first splits the string into areas: numnondigits (sign+0x if F_ALT is not set), skipped (0x if F_ALT is set), numdigits and optional L suffix, and then constructs the new string either in-place (if the string is not shared and the result fits in the original string) or in a new string. It uses no more allocations than the current code and should not add overhead for common cases. -- Added file: http://bugs.python.org/file37257/issue11145_4.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue11145 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Donald Stufft added the comment: Added docs. -- Added file: http://bugs.python.org/file37258/check-hostname-no-sni-with-docs.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22079] Ensure in PyType_Ready() that base class of static type is static
Serhiy Storchaka added the comment: Could anyone please make a review? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22079 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Donald Stufft added the comment: A new patch that achieves the same thing in a simpler way at benjamin's suggestion. -- Added file: http://bugs.python.org/file37259/check-hostname-no-sni-with-docs-2.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Donald Stufft added the comment: Uploaded a third patch, this is the same technique as in the -2 patch, except it fixes a missed spot in Lib/ssl.py where I needed a better error message. Additionally this goes through and unskips all of the tests that were marked as depending on HAS_SNI when what they really depended on was the ability to set SSLContext().check_hostname = True. This also fixes a number of tests that are currently failing whenever HAS_SNI = False that started to fail as fallout of PEP 476. -- Added file: http://bugs.python.org/file37260/check-hostname-no-sni-with-docs-3.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Roundup Robot added the comment: New changeset f2d4beb90a5b by Benjamin Peterson in branch '3.4': don't require OpenSSL SNI to pass hostname to ssl functions (#22921) https://hg.python.org/cpython/rev/f2d4beb90a5b New changeset 24dfe7310cc1 by Benjamin Peterson in branch 'default': merge 3.4 (#22921) https://hg.python.org/cpython/rev/24dfe7310cc1 -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22417] PEP 476: verify HTTPS certificates by default
Alex Gaynor added the comment: Attached patch backports this to 2.7. -- Added file: http://bugs.python.org/file37261/issue22417.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22417 ___
[issue20530] Change the text signature format (again) to be more robust
Jesús Cea Avión added the comment: Preparing a presentation about Python Magic methods I found something weird: (Python 3.4)

help(int.__lt__)
Help on wrapper_descriptor:

__lt__(self, value, /) <- THIS!!
    Return self<value.

I am amused about the /) suffix in the signature. It happens to all magic methods.

-- nosy: +jcea
___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue20530 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Donald Stufft added the comment: Added a patch for Python 2.7 -- Added file: http://bugs.python.org/file37262/check-hostname-no-sni-with-docs-py27.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Roundup Robot added the comment: New changeset ce4073afd992 by Benjamin Peterson in branch '2.7': allow hostname to be passed to SSLContext even if OpenSSL doesn't support SNI (closes #22921) https://hg.python.org/cpython/rev/ce4073afd992 -- resolution: -> fixed stage: needs patch -> resolved status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22921] SSLContext's check_hostname needlessly intertwined with SNI
Roundup Robot added the comment: New changeset 40f9e91f3626 by Benjamin Peterson in branch '2.7': add NEWS note for #22921 https://hg.python.org/cpython/rev/40f9e91f3626 New changeset 060fd5d09063 by Benjamin Peterson in branch '3.4': add NEWS note for #22921 https://hg.python.org/cpython/rev/060fd5d09063 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22921 ___
[issue22927] Expose an SSLContext parameter on urllib APIs
New submission from Alex Gaynor: With the pep476 backport, we need a way to pass a context argument to urllib -- components: Library (Lib) messages: 231588 nosy: alex, benjamin.peterson, dstufft priority: normal severity: normal status: open title: Expose an SSLContext parameter on urllib APIs versions: Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22927 ___
[issue22927] Expose an SSLContext parameter on urllib APIs
Changes by Alex Gaynor alex.gay...@gmail.com: -- keywords: +patch Added file: http://bugs.python.org/file37263/issue22927.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22927 ___
[issue22788] allow logging.handlers.HTTPHandler to take an SSLContext
Roundup Robot added the comment: New changeset 5864ec6ba484 by Benjamin Peterson in branch '3.4': add context parameter to HTTPHandler (closes #22788) https://hg.python.org/cpython/rev/5864ec6ba484 New changeset ec4d19736b15 by Benjamin Peterson in branch 'default': merge 3.4 (#22788) https://hg.python.org/cpython/rev/ec4d19736b15 -- nosy: +python-dev resolution: -> fixed stage: needs patch -> resolved status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22788 ___
[issue22928] HTTP header injection in urrlib2/urllib/httplib/http.client
New submission from Guido Vranken: Proof of concept:

# Script for Python 2
import urllib2
opener = urllib2.build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0' + chr(0x0A) + "Location: header injection")]
response = opener.open("http://localhost:")
# Data sent is:
# GET / HTTP/1.1
# Accept-Encoding: identity
# Host: localhost:
# Connection: close
# User-Agent: Mozilla/5.0
# Location: header injection
# End of script

# Python 3
from urllib.request import urlopen, build_opener
opener = build_opener()
opener.addheaders = [('User-agent', 'Mozilla/5.0' + chr(0x0A) + "Location: header injection")]
opener.open("http://localhost:")
# Data sent is:
# GET / HTTP/1.1
# Accept-Encoding: identity
# Host: localhost:
# Connection: close
# User-Agent: Mozilla/5.0
# Location: header injection
# End of script

It is the responsibility of the developer leveraging Python and its HTTP client libraries to ensure that their (web) application acts in accordance to official HTTP specifications and that no threats to security will arise from their code. However, newlines inside headers are arguably a special case of breaking the conformity with RFC's in regard to the allowed character set. No illegal character used inside a HTTP header is likely to have a compromising side effect on back-end clients and servers and the integrity of their communication, as a result of the leniency of most web servers. However, a newline character (0x0A) embedded in a HTTP header invariably has the semantic consequence of denoting the start of an additional header line. To put it differently, not sanitizing headers in complete accordance to RFC's could be seen as a virtue in that it gives the programmer a maximum amount of freedom, without having to trade it for any likely or severe security ramifications, so that they may use illegal characters in testing environments and environments that are outlined by an explicitly less strict interpretation of the HTTP protocol.

Newlines are special in that they enable anyone who is able to influence the header content, to, in effect, perform additional invocations to add_header(). In issue 17322 ( http://bugs.python.org/issue17322 ) there is some discussion as to the general compliance to RFC's by the HTTP client libraries. I'd like to opt to begin with prohibiting newline characters to be present in HTTP headers. Although this issue is not a hard vulnerability such as a buffer overflow, it does translate to a potentially equal level of severity when considered from the perspective of a web-enabled application, for which purpose the HTTP libraries are typically used for. Lack of input validation on the application developer's end will facilitate header injections, for example if user-supplied data will end up as cookie content verbatim. Adding this proposed additional layer of validation inside Python minimizes the likelihood of a successful header injection while functionality is not notably affected. I'm inclined to add this validation to putheader() in the 'http' module rather than in urllib, as this will secure all invocations to 'http' regardless of intermediate libraries such as urllib. Included is a patch for the latest checkout of the default branch that will cause CannotSendHeader() to be raised if a newline character is detected in either a header name or its value. Aside from detecting \n, it also breaks on \r as their respective implications can be similar. Feel free to adjust, rewrite and transpose this to other branches where you feel this is appropriate.

Guido Vranken
Intelworks

-- components: Library (Lib) files: disable_http_header_injection.patch keywords: patch messages: 231590 nosy: Guido priority: normal severity: normal status: open title: HTTP header injection in urrlib2/urllib/httplib/http.client type: security versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6 Added file: http://bugs.python.org/file37264/disable_http_header_injection.patch
___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22928 ___
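An added example, not part of the original message or of the attached patch: one way to express the check issue22928 proposes (refuse CR and LF in a header name or value before it reaches the wire), next to a lenient line-splitting parser that shows what the unchecked value from the report becomes. The names check_header, serialize_head, header_names_on_wire and HeaderInjectionError are hypothetical, and the RFC 7230 token check on names and the NUL check are assumptions that go beyond what the report asks for.

```python
import re

# Assumption: a header name must be an RFC 7230 "token"; a value may not
# contain CR, LF or NUL. The report itself only asks for the CR/LF check.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """A header name or value could start an additional header line."""


def check_header(name, value):
    """Return (name, value) unchanged, or raise if either is unsafe."""
    if not _TOKEN.fullmatch(name):
        raise HeaderInjectionError("invalid header name: %r" % (name,))
    if _FORBIDDEN_IN_VALUE.search(value):
        raise HeaderInjectionError("CR/LF/NUL in value of %r" % (name,))
    return name, value


def serialize_head(method, target, headers, validate=True):
    """Build the request head as bytes, validating each header first.

    validate=False reproduces the behaviour described in the report and
    exists only so the two outcomes can be compared.
    """
    lines = ["%s %s HTTP/1.1" % (method, target)]
    for name, value in headers:
        if validate:
            check_header(name, value)
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_names_on_wire(head):
    """List header names as a lenient receiver sees them (split on LF)."""
    names = []
    for line in head.split(b"\n")[1:]:      # skip the request line
        line = line.rstrip(b"\r")
        if not line:                        # blank line ends the head
            break
        names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


# Constructed input: the header value from the report's proof of concept.
REPORTED_HEADERS = [
    ("Host", "localhost"),
    ("User-Agent", "Mozilla/5.0" + chr(0x0A) + "Location: header injection"),
]


def compare():
    """Return (names seen without the check, error message with the check)."""
    unchecked = header_names_on_wire(
        serialize_head("GET", "/", REPORTED_HEADERS, validate=False))
    try:
        serialize_head("GET", "/", REPORTED_HEADERS)
        rejected = None
    except HeaderInjectionError as exc:
        rejected = str(exc)
    return unchecked, rejected


if __name__ == "__main__":
    print(compare())
```

Placing the check in the serializer rather than in each caller mirrors the report's argument for validating in putheader(): every code path that emits a header passes through it.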
[issue22927] Expose an SSLContext parameter on urllib APIs
Roundup Robot added the comment: New changeset c84f36a5f556 by Benjamin Peterson in branch '2.7': give urllib.urlopen a context parameter (closes #22927) https://hg.python.org/cpython/rev/c84f36a5f556 -- nosy: +python-dev resolution: -> fixed stage: -> resolved status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22927 ___
[issue22417] PEP 476: verify HTTPS certificates by default
Roundup Robot added the comment: New changeset fb83916c3ea1 by Benjamin Peterson in branch '2.7': pep 476: verify certificates by default (#22417) https://hg.python.org/cpython/rev/fb83916c3ea1 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22417 ___
[issue22919] Update PCBuild for VS 2015
Steve Dower added the comment: Added some fixes to the python3.dll build (and xxlimited test project) which I noticed thanks to Antoine's feedback. -- Added file: http://bugs.python.org/file37265/python3.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22919 ___
[issue22366] urllib.request.urlopen should take a context (SSLContext) argument
Changes by Benjamin Peterson benja...@python.org: -- versions: +Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22366 ___
[issue22417] PEP 476: verify HTTPS certificates by default
Changes by Benjamin Peterson benja...@python.org: -- resolution: -> fixed status: open -> closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22417 ___
[issue22231] httplib: unicode url will cause an ascii codec error when combined with a utf-8 string header
Bob Chen added the comment: Someone come and pick up this? It has been a long time... -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22231 ___
[issue22231] httplib: unicode url will cause an ascii codec error when combined with a utf-8 string header
Changes by Bob Chen 175818...@qq.com: -- type: crash -> behavior ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22231 ___