Alex Gaynor added the comment:
Yes, it can execute arbitrary code, but I think we should prefer raising
"specific" error messages, instead of failing inside tuple details.
--
___
Python tracker
New submission from Alex Gaynor:
>>> pickle.loads(b'(o.\x7f.')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
SystemError: Objects/tupleobject.c:71: bad argument to internal function
(Or the equivalent using cPickle on Python 2)
Found using h
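The point made in the reply above, that pickle.loads() on attacker-controlled bytes executes arbitrary code, shown as an added example (this is not code from the report or from CPython). The RestrictedUnpickler pattern follows the find_class override described in the Python pickle documentation; os.getpid stands in for os.system or subprocess.Popen, and the allow-list contents are my own choice:

```python
import collections
import io
import os
import pickle


class Payload:
    """Constructed sample: an object whose pickle, when loaded, calls a function.

    pickle stores the (callable, args) pair returned by __reduce__ and the
    loader invokes it. os.getpid is a harmless stand-in for an attacker's
    os.system or subprocess.Popen.
    """

    def __reduce__(self):
        return (os.getpid, ())


def build_payload() -> bytes:
    """Serialise the malicious object exactly as an attacker would."""
    return pickle.dumps(Payload())


def build_benign() -> bytes:
    """Constructed sample of ordinary data, for comparison."""
    return pickle.dumps({"ok": [1, 2, 3]})


def load_untrusted(data: bytes):
    """What a naive consumer does: the embedded callable runs during loading."""
    return pickle.loads(data)


def payload_runs_on_load(data: bytes) -> bool:
    """True if loading `data` executed os.getpid in this process."""
    return load_untrusted(data) == os.getpid()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an allow-list of globals.

    Every GLOBAL/STACK_GLOBAL opcode goes through find_class, so refusing
    there blocks every callable a payload tries to reach (os.getpid above
    is looked up as posix.getpid / nt.getpid and rejected).
    """

    # Assumed allow-list for this example; tailor it to the data you expect.
    ALLOWED = {
        ("builtins", "range"),
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_payload_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the data instead of running it."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def allowed_roundtrip_works() -> bool:
    """An allow-listed global (collections.OrderedDict) still loads."""
    original = collections.OrderedDict(a=1, b=2)
    return load_restricted(pickle.dumps(original)) == original


if __name__ == "__main__":
    blob = build_payload()
    print("naive loads() ran os.getpid():", payload_runs_on_load(blob))
    print("restricted loader blocked it:", is_payload_blocked(blob))
    print("benign data still loads:", load_restricted(build_benign()))
```

The allow-list approach only narrows which globals can be named; it does not make the pickle format safe against malformed input such as the crafted bytes in the report, so a crash or odd exception on untrusted pickles is still expected, which is why "specific" errors matter there.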
Alex Gaynor added the comment:
I'm concerned the _ssl changes will make security backports significantly more
difficult.
New submission from Alex Gaynor:
The spec is available at https://http2.github.io/
--
components: Library (Lib)
messages: 239424
nosy: alex
priority: normal
severity: normal
status: open
title: http package should support HTTP/2
New submission from Alex Gaynor:
On Thursday OpenSSL will disclose some security issues and issue new releases:
https://mta.openssl.org/pipermail/openssl-announce/2015-March/20.html
When that happens, Pythons that bundle an OpenSSL should be upgraded.
--
keywords: security_
Alex Gaynor added the comment:
I believe RC4 will still be used under 2.7.9 on clients, this is changed for
2.7.10
Alex Gaynor added the comment:
+1 on this -- for pyca/cryptography we're also making this leap in our next
release.
--
nosy: +alex
Alex Gaynor added the comment:
This seems like it probably will report something useless (and ultimately be
disabled) on PyPy, where runs before and after the JIT will display significant
variance.
--
nosy: +alex, arigo, fijall
Alex Gaynor added the comment:
It looks like the existing `verify_flags` param is actually the same thing, so
we can just use it. That said, I think this should be on by default; I can't
think of a scenario where you don't want it.
Alex Gaynor added the comment:
I'm attaching a patch that does what Donald suggests.
--
keywords: +patch
Added file: http://bugs.python.org/file38287/store.diff
Changes by Alex Gaynor :
--
nosy: +alex
Python tracker
<http://bugs.python.org/issue23515>
New submission from Alex Gaynor:
In addition to the security concerns, it is now a violation of RFC 7465 to offer
a cipher suite with RC4 in a ClientHello: https://tools.ietf.org/html/rfc7465
--
components: Library (Lib)
files: rc4.diff
keywords: patch
messages: 236202
nosy: alex
Changes by Alex Gaynor :
Added file: http://bugs.python.org/file37543/issue23115.diff
Python tracker
<http://bugs.python.org/issue23115>
New submission from Alex Gaynor:
This makes the urandom codebase easier to maintain by making it easier to port
patches between 2.7 and 3.x; it also improves support for the OpenBSD platform.
Support for porting patches is not just a theoretical concern, it's likely that
Linux's
New submission from Alex Gaynor:
Whether __builtins__ is a module or a dict is undefined in CPython. Use the
reliably well defined `import __builtin__` instead.
--
components: Library (Lib)
files: mock-backport.diff
keywords: patch
messages: 232838
nosy: alex, benjamin.peterson
Alex Gaynor added the comment:
Python 2.7.9 enabled certificate validation by default for HTTP connections,
see PEP 476.
The server you're connecting to does not have a certificate that is trusted by
your client. pysphere should configure SSL appropriately for this use case.
--
Alex Gaynor added the comment:
As a part of this, we might want to consider changing the implementation to not
compile the SANs into a regular expression. Constantly compiling new regexs can
cause churn in the `re` cache, which can degrade performance -- also, it's
probably much worse on
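Label-by-label matching as an alternative to compiling a regex per SAN, as an added example; this is not the stdlib's `_dnsname_match`, and the wildcard policy it applies (a single `*` only as the whole leftmost label, matching exactly one label, and never on a pattern with fewer than three labels) is my own reading of RFC 6125 section 6.4.3, stricter than what the older stdlib code accepted:

```python
from __future__ import annotations

from typing import Iterable, Optional


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.lower().rstrip(".").split(".")


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match a hostname against one dNSName SAN without building a regex.

    Rules (assumed for this example):
      * comparison is case-insensitive, label by label;
      * a wildcard must be the entire leftmost label ("*.example.com"), so
        "f*.example.com" and "www.*.com" never match anything;
      * "*" matches exactly one non-empty label, so "*.example.com" matches
        neither "example.com" nor "a.b.example.com";
      * a wildcard needs at least two labels after it, so "*.com" is refused.
    """
    if not pattern or not hostname or "*" in hostname:
        return False
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def match_sans(hostname: str, sans: Iterable[tuple[str, str]]) -> Optional[str]:
    """Return the first matching dNSName entry, ignoring other SAN types.

    `sans` mirrors the shape of SSLSocket.getpeercert()['subjectAltName']:
    a sequence of (type, value) pairs.
    """
    for kind, value in sans:
        if kind == "DNS" and dnsname_match(value, hostname):
            return value
    return None


# Constructed sample SAN list, in getpeercert() shape.
CONSTRUCTED_SANS = (
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("IP Address", "203.0.113.5"),
)


if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "example.org"):
        print(host, "->", match_sans(host, CONSTRUCTED_SANS))
```

Because every comparison is a plain list equality, there is nothing to cache and nothing to evict from the `re` cache, and the cost per SAN is bounded by the number of labels.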
New submission from Alex Gaynor:
For almost any conceivable application, os.urandom is a preferable way to
access a CSPRNG, and is less error prone; the docs should point this out.
--
assignee: docs@python
components: Documentation
files: rand.diff
keywords: patch
messages: 232436
nosy
Alex Gaynor added the comment:
I agree this is a bug, but I believe the correct output is:
no yes yes yes yes yes
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Alex Gaynor added the comment:
This will cause it to not validate in some cases where it currently is
validating? That seems like a regression to me.
Alex Gaynor added the comment:
Attached patch fixes it for Python3.
--
Added file: http://bugs.python.org/file37323/issue22960-3.diff
Alex Gaynor added the comment:
Attached is a patch for 2.7
--
keywords: +patch
Added file: http://bugs.python.org/file37321/issue22960.diff
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
versions: +Python 2.7
Alex Gaynor added the comment:
Good to know, thanks.
--
Python tracker
<http://bugs.python.org/issue22935>
Alex Gaynor added the comment:
FWIW, Debian experimental appears to be using a different #define for this.
Here's how we handled it in pyca/cryptography:
https://github.com/pyca/cryptography/commit/04a3f1f2c4086c0d7162b6dd79b6332d9115b2c0
--
nosy: +alex, christian.heimes, ds
Changes by Alex Gaynor :
--
keywords: +patch
Added file: http://bugs.python.org/file37263/issue22927.diff
New submission from Alex Gaynor:
With the PEP 476 backport, we need a way to pass a context argument to urllib
--
components: Library (Lib)
messages: 231588
nosy: alex, benjamin.peterson, dstufft
priority: normal
severity: normal
status: open
title: Expose an SSLContext parameter on
Alex Gaynor added the comment:
Attached patch backports this to 2.7.
--
Added file: http://bugs.python.org/file37261/issue22417.diff
Alex Gaynor added the comment:
In a post-PEP 476 world, this method will be used on Python 2.7, so it would be
good to backport now.
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Alex Gaynor added the comment:
FWIW, that code is all significantly simplified by the patch in
http://bugs.python.org/issue22559
Alex Gaynor added the comment:
FWIW, I'm not convinced the pure Python fallback code is sufficient either;
time.time() doesn't have the necessary resolution AFAIK? Also clock_seq is
generated using the random module's Mersenne Twister, not SystemRandom().
---
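Why the Mersenne Twister is the wrong source for clock_seq, and what the os.urandom-backed alternative from the documentation ticket above looks like, as an added example that is not part of either message or of CPython. The state-recovery attack is the standard one against MT19937 (invert the output tempering on 624 consecutive 32-bit outputs, then apply the recurrence); the 14-bit clock_seq helpers are my own:

```python
import os
import random
import secrets

N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


def secure_clock_seq() -> int:
    """14-bit clock_seq drawn from the OS CSPRNG via secrets (SystemRandom)."""
    return secrets.randbits(14)


def urandom_clock_seq() -> int:
    """Same thing built directly on os.urandom, for code that predates secrets."""
    return int.from_bytes(os.urandom(2), "big") & 0x3FFF


def _temper(y: int) -> int:
    """MT19937 output tempering, as applied to every state word it emits."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _unshift_right(y: int, shift: int) -> int:
    # Solve x ^ (x >> shift) == y; each pass fixes `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _unshift_left(y: int, shift: int, mask: int) -> int:
    # Solve x ^ ((x << shift) & mask) == y; each pass fixes `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Invert _temper to recover the raw state word behind one output."""
    y = _unshift_right(y, 18)
    y = _unshift_left(y, 15, 0xEFC60000)
    y = _unshift_left(y, 7, 0x9D2C5680)
    y = _unshift_right(y, 11)
    return y


def predict_next(outputs) -> int:
    """Given 624 consecutive getrandbits(32) outputs, return the next one.

    The state stream obeys s[n+624] = s[n+397] ^ twist(s[n], s[n+1]), so a
    full window of 624 recovered words determines the following word.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    s = [untemper(o) for o in outputs]
    y = (s[0] & UPPER) | (s[1] & LOWER)
    nxt = s[M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
    return _temper(nxt)


def demo_predictable(seed: int = 1234) -> bool:
    """True when an observer predicts the victim's 625th output exactly."""
    victim = random.Random(seed)  # the seed value is irrelevant to the attack
    observed = [victim.getrandbits(32) for _ in range(N)]
    return predict_next(observed) == victim.getrandbits(32)


if __name__ == "__main__":
    print("Mersenne Twister output predicted from 624 observations:", demo_predictable())
    print("clock_seq from secrets:", secure_clock_seq(), "from os.urandom:", urandom_clock_seq())
```

The uuid1 fallback the comment refers to calls random.getrandbits(14), which exposes only the top 14 bits of each word, so this exact window attack does not apply verbatim; the point is that the module's state is a deterministic function of past outputs and is shared with every other random.* caller in the process, whereas os.urandom and secrets draw fresh entropy from the kernel on every call.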
Alex Gaynor added the comment:
Quick pass at a patch. No docs, and it should probably be an error to pass
context with secure=False.
--
keywords: +needs review, patch
Added file: http://bugs.python.org/file37124/issue22788.diff
Alex Gaynor added the comment:
Hah! I didn't realize you meant *logging.handlers.HTTPHandler*, I thought you
meant *urllib.request.HTTPHandler*.
Alex Gaynor added the comment:
I'm not sure I follow, where does HTTPHandler ever construct an HTTPSConnection?
--
nosy: +alex
Alex Gaynor added the comment:
Fix for the failing test_ssl tests.
--
Added file: http://bugs.python.org/file37123/issue22417.diff
Changes by Alex Gaynor :
--
keywords: +needs review
Python tracker
<http://bugs.python.org/issue22787>
Alex Gaynor added the comment:
Latest patch fixes the urllib2_localnet tests.
--
Added file: http://bugs.python.org/file37122/issue22417.diff
Changes by Alex Gaynor :
--
keywords: +patch
Added file: http://bugs.python.org/file37121/issue22787.diff
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Alex Gaynor added the comment:
New patch uses self-signed.pythontest.net, instead of svn.python.org.
svn.python.org is signed by CACert, which is in the root on some machines.
--
Added file: http://bugs.python.org/file37113/issue22417.diff
Alex Gaynor added the comment:
New version of the patch based on feedback from benjamin, should make it easier
to do the 3.4 branch stuff.
--
Added file: http://bugs.python.org/file37094/issue22417.diff
Alex Gaynor added the comment:
Updates to the docs based on the feedback from Antoine.
--
Added file: http://bugs.python.org/file37081/issue22417.diff
Alex Gaynor added the comment:
Patch now makes more precise assertions about the type of error that's
occurring.
--
Added file: http://bugs.python.org/file37077/issue22417.diff
Alex Gaynor added the comment:
Are you able to test this against the 2.7 branch from hg? The ssl module
received some significant attention for 2.7.9.
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Alex Gaynor added the comment:
Yes, that would be good. Need to make sure all the changes are completely
applicable -- the SSLv3 change wasn't backported.
Alex Gaynor added the comment:
Benjamin, do you have an opinion on backporting this to 2.7?
Python tracker
<http://bugs.python.org/issue22638>
New submission from Alex Gaynor:
https://www.openssl.org/news/secadv_20141015.txt
--
components: Extension Modules
keywords: security_issue
messages: 229462
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou,
steve.dower, tim.golden, zach.ware
priority: normal
Alex Gaynor added the comment:
It's been implemented in boringssl:
https://boringssl.googlesource.com/boringssl/+/2970779684c6f164a0e261e96a3d59f331123320
I don't believe it's in OpenSSL though.
Alex Gaynor added the comment:
Debian is also considering this, and link some statistics on IE6 specifically
(one of the, if not the single, largest SSLv3 users):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765347
Alex Gaynor added the comment:
CloudFlare published some statistics:
https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
Alex Gaynor added the comment:
create_default_context already disables SSLv3! (Good work everybody :-))
FWIW many vendors are already moving to disable SSLv3, e.g. cloudflare already
did.
Alex Gaynor added the comment:
This patch disables SSLv3 by default for Python. Users can get it back by
specifying SSL_PROTOCOLv3 explicitly.
--
keywords: +needs review, patch
nosy: +alex
Added file: http://bugs.python.org/file36926/issue22638.diff
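How to confirm, from Python, that a client context has the properties the messages above argue for (SSLv3 off, no RC4 suites per RFC 7465, certificate and hostname checks on), as an added example that is not code from the patch or from CPython. It uses only public `ssl` APIs (`create_default_context`, `SSLContext.options`, `get_ciphers`, `minimum_version`), and the "legacy" context is a constructed example of the verify-nothing workaround the pysphere report above reaches for; the audit thresholds are my own:

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context as the stdlib default builds it post 2.7.9 / 3.4.3:
    verification and hostname checking on, SSLv2/SSLv3 off. On 3.7+ the
    minimum_version attribute is the supported way to pin the floor; the
    OP_NO_* flags are only read back, never set, to avoid deprecation noise."""
    ctx = ssl.create_default_context()
    if hasattr(ctx, "minimum_version"):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_insecure_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code does: no
    verification at all. Order matters: check_hostname must be cleared before
    verify_mode=CERT_NONE, otherwise ssl raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Read back the properties the discussion above cares about."""
    min_version = getattr(ctx, "minimum_version", None)
    floor_excludes_sslv3 = (
        min_version is not None and min_version >= ssl.TLSVersion.TLSv1
    )
    cipher_names = [c["name"] for c in ctx.get_ciphers()]
    return {
        # Either the legacy OP_NO_SSLv3 bit or a TLS-only floor is enough.
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3) or floor_excludes_sslv3,
        # RFC 7465: no RC4 suite may be offered in the ClientHello.
        "rc4_offered": any("RC4" in name for name in cipher_names),
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "cipher_count": len(cipher_names),
        "min_version": str(min_version) if min_version is not None else "n/a",
    }


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Policy gate: every property in the audit must be in its safe state."""
    a = audit_context(ctx)
    return (
        a["sslv3_disabled"]
        and not a["rc4_offered"]
        and a["verify_required"]
        and a["hostname_checked"]
        and a["cipher_count"] > 0
    )


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_insecure_context())):
        print(label, audit_context(ctx), "acceptable:", is_acceptable(ctx))
```

The hardened context is what you pass as `urllib.request.urlopen(url, context=ctx)` or `http.client.HTTPSConnection(host, context=ctx)`, which is the parameter the urlopen patch further down this page adds. For a server with a private CA, load that CA into the hardened context with `ctx.load_verify_locations(cafile=...)` rather than falling back to the legacy context. On current OpenSSL builds `ssl.PROTOCOL_SSLv3` is usually not even exported, so the explicit opt-in the patch leaves open is typically unavailable anyway.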
Changes by Alex Gaynor :
--
nosy: +christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Python tracker
<http://bugs.python.org/issue22638>
Changes by Alex Gaynor :
--
resolution: -> fixed
status: open -> closed
Python tracker
<http://bugs.python.org/issue22626>
New submission from Alex Gaynor:
Very simple patch.
--
assignee: docs@python
components: Documentation
files: https.diff
keywords: patch
messages: 229266
nosy: alex, docs@python
priority: normal
severity: normal
status: open
title: Documentation should point people to bugs. over HTTPS
Alex Gaynor added the comment:
Patch with the implementation, and initial work on documentation. Needs review
please, I suspect we need more docs in more places. Feedback please!
--
keywords: +needs review
Added file: http://bugs.python.org/file36901/issue22417.diff
Alex Gaynor added the comment:
Would you be ok with it going into 2.7.10? The biggest argument in favor of
this is that it significantly reduces the diff between 2.x and 3.x's SSL
module, specifically it removes the one major difference between the two of
Alex Gaynor added the comment:
Updated patch cherry-picks in some of the documentation updates that were
pushed by Victor.
--
Added file: http://bugs.python.org/file36868/issue22559.diff
Alex Gaynor added the comment:
As I said on the other ticket, using arc4random() indiscriminately would be a
very poor idea, on some platforms (such as OS X) arc4random() really does use
ARC4, which means there are serious security concerns with it
Alex Gaynor added the comment:
New patch is the same, it just rebases the socket changes out since Benjamin
landed that (thanks!)
--
Added file: http://bugs.python.org/file36829/issue22559.diff
Alex Gaynor added the comment:
New patch works and passes all tests. It's on top of issue22569.
--
Added file: http://bugs.python.org/file36827/issue225593.diff
Alex Gaynor added the comment:
As suggested by Benjamin, I've filed issue22569 to add weakref support to
_socket.socket; that will address this and further reduce the diff with Python 3.
--
dependencies: +Add support for weakrefs to _socket.s
New submission from Alex Gaynor:
This is needed to keep the _ssl module reasonably in sync with its Python 3
counterpart.
--
files: weakref-me-captain.diff
keywords: needs review, patch
messages: 228695
nosy: alex, benjamin.peterson
priority: normal
severity: normal
status: open
Changes by Alex Gaynor :
--
nosy: +alex
Python tracker
<http://bugs.python.org/issue22564>
Alex Gaynor added the comment:
Unfortunately it can't be a weakref in python2 :-(
In Python 3 socket._socketobject *subclasses* _socket.socket, so when we pass
"self" to stuff, it has the right C-level fields but it's also a Python-level
object so it can have a we
Alex Gaynor added the comment:
Right, socket._socketobject merely nulls out the reference to _socket.socket,
and lets reference counting take care of the rest.
I've more or less got this figured out:
* When do_handshake() raises an exception (say, a CertificateError), then a
reference
New submission from Alex Gaynor:
Attached patch is a first-cut at a backport patch. Note that it is not quite a
1-1 with the original:
The SSL module backport added a new field for the Python-level "SSLSocket"
reference (ssl_sock), which was a different object from the _soc
Alex Gaynor added the comment:
Attached patch also adds a test -- I'm not convinced this is the best way to
test this, but I don't see any other way either.
--
Added file: http://bugs.python.org/file36793/issue22449.diff
Alex Gaynor added the comment:
arc4random() should be avoided IMO; on many systems (including OS X) it really
is still ARC4. This is basically a dupe of http://bugs.python.org/issue22181
--
nosy: +alex
resolution: -> duplicate
status: open ->
Alex Gaynor added the comment:
Updated patch fixes a refcounting issue spotted by gutworth.
--
Added file: http://bugs.python.org/file36775/issue22523.diff
Alex Gaynor added the comment:
New patch resolves the issue. Turns out there were tests, but they weren't
being run. Now they are.
--
Added file: http://bugs.python.org/file36771/issue22523.diff
Alex Gaynor added the comment:
My patch is incomplete, I'm working on an improved one.
Python tracker
<http://bugs.python.org/issue22523>
Alex Gaynor added the comment:
Attached patch should fix the issue. I guess this function has no tests :-(
--
keywords: +needs review, patch
Added file: http://bugs.python.org/file36770/issue22523.diff
Alex Gaynor added the comment:
Stefan, this is not the right forum for this issue, please do not reopen it.
--
status: open -> closed
Alex Gaynor added the comment:
This bug tracker isn't really the right place to track this -- that said I
don't know where is, so I've added Donald Stufft to the nosy list, hopefully he
can help direct this appropriately.
What license is the bytereef text available under? The
Alex Gaynor added the comment:
Does this affect anything besides causing SSL_CERT_DIR and SSL_CERT_FILE to be
respected?
Alex Gaynor added the comment:
I can't say that I've ever used // on floats, but it seems to me anyone doing
so (as opposed to normal division + explicit rounding) *intentionally* might be
broken by this change, but anyone doing this incidentally is not really in a
"gotcha"
Alex Gaynor added the comment:
This can be closed then I think?
Python tracker
<http://bugs.python.org/issue22440>
Alex Gaynor added the comment:
If check_hostname is set on the context then do_handshake() will already
perform the hostname check:
https://hg.python.org/cpython/file/default/Lib/ssl.py#l787
Alex Gaynor added the comment:
Just wanted to ping you on this Senthil about committing this.
Python tracker
<http://bugs.python.org/issue22366>
Alex Gaynor added the comment:
(It didn't have any direct tests as far as I can tell, which is why I didn't
catch the "regression")
Alex Gaynor added the comment:
It looks like something was removed from the `_ssl` module; is that considered
an implementation detail, or does it need to be added back?
New submission from Alex Gaynor:
https://github.com/eventlet/eventlet/issues/135
--
components: Library (Lib)
messages: 227067
nosy: alex, benjamin.peterson, christian.heimes, dstufft, giampaolo.rodola,
janssen, pitrou
priority: normal
severity: normal
status: open
title: eventlet
Alex Gaynor added the comment:
Filed http://bugs.python.org/issue22438 to track it.
Python tracker
<http://bugs.python.org/issue21308>
Changes by Alex Gaynor :
--
nosy: +dstufft
Python tracker
<http://bugs.python.org/issue22417>
Alex Gaynor added the comment:
I believe something like the following diff restores the previous behavior
(untested!):
diff --git a/Lib/logging/__init__.py b/Lib/logging/__init__.py
index a61c2b0..4a8f83e 100644
--- a/Lib/logging/__init__.py
+++ b/Lib/logging/__init__.py
@@ -129,7 +129,7
Alex Gaynor added the comment:
Replied to the review; let me know if you agree with my comment.
--
assignee: alex -> orsenthil
Alex Gaynor added the comment:
New patch switches to a ValueError and includes a test case that it's raised.
--
Added file: http://bugs.python.org/file36580/urlopen-context.diff
Alex Gaynor added the comment:
Added a versionchanged directive to the docs.
--
Added file: http://bugs.python.org/file36576/urlopen-context.diff
Alex Gaynor added the comment:
Attached patch against the default branch adds support for this.
--
keywords: +needs review, patch
Added file: http://bugs.python.org/file36573/urlopen-context.diff
New submission from Alex Gaynor:
Instead of the ca* arguments it currently takes, these can all be encapsulated
into an SSLContext argument, which the underlying http.client already supports.
--
components: Library (Lib)
messages: 226594
nosy: alex, christian.heimes, dstufft
Changes by Alex Gaynor :
--
nosy: +alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Alex Gaynor added the comment:
Patch looks good to me.
Python tracker
<http://bugs.python.org/issue22131>
Alex Gaynor added the comment:
Attached patch backports it (only change is the use of `closing()` and
resolving the conflict in Misc/NEWS). I'll leave it up to benjamin whether he
wants to commit (input from others welcome). My view is to prefer backporting
stuff since it helps keep the
Alex Gaynor added the comment:
Should this be backported to 2.7.9?
Python tracker
<http://bugs.python.org/issue20421>
Alex Gaynor added the comment:
Attached patch fixes this up.
--
keywords: +needs review, patch
nosy: +alex
Added file: http://bugs.python.org/file36505/t22301.diff
Alex Gaynor added the comment:
This is resolved now.
--
resolution: -> fixed
status: open -> closed
Alex Gaynor added the comment:
Victor -- new patch is in `hg` format.
--
Added file: http://bugs.python.org/file36497/backport-urandom.diff
Alex Gaynor added the comment:
This patch adds the finalizer to the backport -- not sure how I missed this the
first time.
--
Added file: http://bugs.python.org/file36496/backport-urandom.diff