[issue15082] [httplib] httplib.BadStatusLine on any HTTPS connection in certain unknown cases.

2012-06-15 Thread Martin v. Löwis
Martin v. Löwis added the comment: I can reproduce this, and it seems to stem from the openssl version used (0.9.8l). Running openssl s_client -connect grooveshark.com:443 with 0.9.8l gives CONNECTED(0003) depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy

[issue15081] No documentation for PyState_FindModule()

2012-06-15 Thread Martin v. Löwis
Martin v. Löwis added the comment: It's in PEP 3121, but it never made it to the documentation. -- ___ Python tracker ___ ___ Python-

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Eli Bendersky
Eli Bendersky added the comment: Opened #15083 to track the *actual* solution to this problem, which should restructure the tests to be safer. -- superseder: -> Rewrite ElementTree tests in a cleaner and safer way

[issue15083] Rewrite ElementTree tests in a cleaner and safer way

2012-06-15 Thread Eli Bendersky
New submission from Eli Bendersky : As #15075 demonstrated, the ET tests are sensitive to execution order because of the way they operate. Two sets of tests (one for the C module and one for the pure Python module) operate from the same test code, monkey-patching the imported module. This som

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 5782efaa8d68 by Eli Bendersky in branch 'default': Make the test more resilient to test-run order (closes #15075) http://hg.python.org/cpython/rev/5782efaa8d68 -- nosy: +python-dev resolution: -> fixed stage: test needed -> committed/rejec

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Jon Oberheide
Jon Oberheide added the comment: On a side note, it may be useful to follow the conventions that already exist in OpenBSD for their timingsafe_bcmp(3): http://www.rootr.net/man/man/timingsafe_bcmp/3 "timingsafe" may be a more reasonable naming convention that is a bit less strong than "secure

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Jon Oberheide
Jon Oberheide added the comment: Wow, that escalated quickly. :-) Nick, thanks for keeping things focused and on track. To recap, the primary motivation here is two-fold. First, folks are using == pretty frequently in an unsafe manner when comparing digests, signatures, and other fixed-lengt

[issue14377] Modify serializer for xml.etree.ElementTree to allow forcing the use of long tag closing

2012-06-15 Thread Ariel Poliak
Ariel Poliak added the comment: Ideally, this would be taken care of by the _serialize_xml() with a parameter specified when called from within write(). However, the signature for the _serialize_xml() function cannot be changed, as it needs to match the signature for the rest of the _serialize_*

[issue15082] [httplib] httplib.BadStatusLine on any HTTPS connection in certain unknown cases.

2012-06-15 Thread George Stephanos
New submission from George Stephanos : When trying to POST /anything/ @ https://grooveshark.com/, I get an httplib.BadStatusLine exception (server returns nothing at all. It's a timeout since it waits a while). The many Grooveshark webclients however work perfectly, along with a curl command

[issue13825] Datetime failing while reading active directory time attribute

2012-06-15 Thread Alexander Belopolsky
Changes by Alexander Belopolsky : -- status: open -> closed

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Larry Hastings
Larry Hastings added the comment: > There are some other functions with strange/variable prototype: > http://docs.python.org/dev/library/fcntl.html?highlight=ioctl#fcntl.ioctl > http://docs.python.org/dev/library/mmap.html?highlight=mmap.mmap#mmap.mmap It does not follow that this behavior is d

[issue15006] Allow equality comparison between naive and aware datetime objects

2012-06-15 Thread Alexander Belopolsky
Changes by Alexander Belopolsky : -- keywords: -needs review, patch nosy: -Alexander.Belopolsky resolution: -> fixed stage: commit review -> committed/rejected

[issue15006] Allow equality comparison between naive and aware datetime objects

2012-06-15 Thread Alexander Belopolsky
Changes by Alexander Belopolsky : -- status: open -> closed

[issue15006] Allow equality comparison between naive and aware datetime objects

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 8272699973cb by Alexander Belopolsky in branch 'default': Issue #15006: Allow equality comparison between naive and aware time http://hg.python.org/cpython/rev/8272699973cb -- nosy: +python-dev

[issue15081] No documentation for PyState_FindModule()

2012-06-15 Thread Christian Heimes
New submission from Christian Heimes : Dear Martin, I can't find any documentation of PyState_FindModule() in the official. According to hg annotate you are the creator of the function. -- assignee: loewis components: Documentation messages: 162944 nosy: christian.heimes, loewis priori

[issue15006] Allow equality comparison between naive and aware datetime objects

2012-06-15 Thread Alexander Belopolsky
Alexander Belopolsky added the comment: Added documentation and simplified changes to python implementation. I think this can go to 3.3. -- versions: +Python 3.3 -Python 3.4 Added file: http://bugs.python.org/file26023/issue15006a.diff

[issue14938] 'import my_pkg.__init__' creates duplicate modules

2012-06-15 Thread Brett Cannon
Changes by Brett Cannon : -- resolution: -> fixed stage: patch review -> committed/rejected status: open -> closed

[issue14938] 'import my_pkg.__init__' creates duplicate modules

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 240b7467e65c by Brett Cannon in branch 'default': Issue #14938: importlib.abc.SourceLoader.is_package() now takes the http://hg.python.org/cpython/rev/240b7467e65c -- nosy: +python-dev

[issue9247] imp.reload() doesn't take import lock

2012-06-15 Thread Brett Cannon
Brett Cannon added the comment: We have gone this long without a lock for reload(), I don't see a reason to start caring now. -- resolution: -> works for me status: open -> closed

[issue13959] Re-implement parts of imp in pure Python

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 034c814eb187 by Brett Cannon in branch 'default': Issue #13959: Add to imp.find_module() and load_module's docstrings http://hg.python.org/cpython/rev/034c814eb187

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread STINNER Victor
STINNER Victor added the comment: > As I keep saying on python-dev: I think that the argument list for a function > should be stable. There are some other functions with strange/variable prototype: http://docs.python.org/dev/library/fcntl.html?highlight=ioctl#fcntl.ioctl http://docs.python.org

[issue14982] pkgutil.walk_packages seems to not work properly on Python 3.3a

2012-06-15 Thread Brett Cannon
Changes by Brett Cannon : -- resolution: -> fixed status: open -> closed

[issue14982] pkgutil.walk_packages seems to not work properly on Python 3.3a

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset b92fa1c5a96b by Brett Cannon in branch 'default': Closes issue #14982: Document that pkgutil's walk_packages() and http://hg.python.org/cpython/rev/b92fa1c5a96b -- nosy: +python-dev

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- nosy: +haypo

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Larry Hastings
Larry Hastings added the comment: > os.sendfile(out, in, offset, nbytes, *, headers=None, trailers=None, > diskio=True, wait=True, sync=False) I probably prefer this. If the original implementers are okay with it then I'd be happy to do it that way. But at the very least I want to get rid o

[issue15080] Cookie library doesn't parse date properly

2012-06-15 Thread Jeremy Gillick
Jeremy Gillick added the comment: I'm using Python 2.6.1

[issue15080] Cookie library doesn't parse date properly

2012-06-15 Thread Roger Serwy
Roger Serwy added the comment: 2.6.8 is the latest source-only release of the 2.6 series. Here's what I get: Python 2.6.8 (unknown, Jun 15 2012, 15:51:46) [GCC 4.5.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import Cookie >>> cook

[issue14059] Implement multiprocessing.Barrier

2012-06-15 Thread Richard Oudkerk
Changes by Richard Oudkerk : -- resolution: -> fixed stage: -> committed/rejected status: open -> closed

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 35667fc5f785 by Antoine Pitrou in branch 'default': Mention the UTF-16 encoding speedup in the whatsnew (issue #15026). http://hg.python.org/cpython/rev/35667fc5f785

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread STINNER Victor
STINNER Victor added the comment: It would be nice to mention the improvement in the What's New in Python 3.3 doc (Optimizations section).

[issue15080] Cookie library doesn't parse date properly

2012-06-15 Thread Jeremy Gillick
New submission from Jeremy Gillick : The cookie library doesn't seem to support the standard date format (RFC 822) for the expire property while parsing a cookie. For example, in the Python prompt: >>> import Cookie >>> cookie = Cookie.SimpleCookie('bcookie="123"; Expires=Sat, 14-Jun-

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: Thank you for the quick turnaround! The patch is now pushed in 3.3. -- resolution: -> fixed stage: -> committed/rejected status: open -> closed

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset acca141fda80 by Antoine Pitrou in branch 'default': Issue #15026: utf-16 encoding is now significantly faster (up to 10x). http://hg.python.org/cpython/rev/acca141fda80 -- nosy: +python-dev

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > Serhiy, the tests crash here in debug mode: My fault. It's operator precedence issue in the assert expression. Gcc warns about it: Objects/unicodeobject.c: In function ‘_PyUnicode_EncodeUTF16’: Objects/unicodeobject.c:5401: warning: suggest parentheses aro

[issue15079] pickle: Possibly misplaced test

2012-06-15 Thread Collin Winter
Changes by Collin Winter : -- nosy: -collinwinter

[issue15074] Strange behaviour of python cmd module. (Ignores slash)

2012-06-15 Thread Ned Deily
Changes by Ned Deily : -- resolution: -> invalid status: open -> closed

[issue15036] mailbox.mbox fails to pop two items in a row, flushing in between

2012-06-15 Thread R. David Murray
R. David Murray added the comment: The news item isn't completely clear. It sounds like the mailbox is now automatically being flushed between pops, but what you really fixed is popping if the *application* does a flush between them, right?

[issue15036] mailbox.mbox fails to pop two items in a row, flushing in between

2012-06-15 Thread Petri Lehtinen
Changes by Petri Lehtinen : -- resolution: -> fixed stage: needs patch -> committed/rejected status: open -> closed

[issue15008] PEP 362 "Signature Objects" reference implementation

2012-06-15 Thread Yury Selivanov
Yury Selivanov added the comment: Attaching the new version of the patch. Summary: 1. 'is_*' family was replaced with 'Parameter.kind' 2. 'signature()' function was updated to check for '__wrapped__' attribute in all callables 3. 'is_implemented' -> 'implemented' 4. Added support for POSITION

[issue15036] mailbox.mbox fails to pop two items in a row, flushing in between

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 0add70dd3c43 by Petri Lehtinen in branch '2.7': #15036: Make a repeated changes and flushes work with single-file mailboxes http://hg.python.org/cpython/rev/0add70dd3c43 New changeset 714b8f91f3d4 by Petri Lehtinen in branch '3.2': #15036: Make a r

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Eli Bendersky
Eli Bendersky added the comment: Here is a patch that solves the current problem. A longer term solution would be to have a cleaner test plan for ET in general, without monkey-patching at all, and without state that causes test-order dependencies. -- keywords: +patch Added file: http

[issue14874] Faster charmap decoding

2012-06-15 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- stage: -> patch review

[issue15026] Faster UTF-16 encoding

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: Serhiy, the tests crash here in debug mode: $ ./python -m test -v test_unicode == CPython 3.3.0a4+ (default:b17c8005e08a+, Jun 15 2012, 19:28:56) [GCC 4.5.2] == Linux-2.6.38.8-desktop-10.mga-x86_64-with-mandrake-1-Official little-endian == /home/antoine/cpy

[issue14059] Implement multiprocessing.Barrier

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 2d2f206d040e by Richard Oudkerk in branch 'default': Issue #14059: Implement multiprocessing.Barrier http://hg.python.org/cpython/rev/2d2f206d040e -- nosy: +python-dev

[issue14933] Misleading documentation about weakrefs

2012-06-15 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- resolution: -> fixed stage: -> committed/rejected status: open -> closed

[issue14933] Misleading documentation about weakrefs

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 69177ff1a643 by Antoine Pitrou in branch '3.2': Issue #14933: fix misleading doc about weakref support in extension types. http://hg.python.org/cpython/rev/69177ff1a643 New changeset b17c8005e08a by Antoine Pitrou in branch 'default': Issue #14933:

[issue15079] pickle: Possibly misplaced test

2012-06-15 Thread R. David Murray
R. David Murray added the comment: It would be best to have the pickle tests always run against both the C and python code. We do this for other modules that have C versions of some or all of the Python code. And yes, making the two consistent is also good. Since pickle is generally not us

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Oh, it seems that the mail server again ate some lines of my examples. This is a bug in the e-mail gateway. You can lobby for a fix at http://psf.upfronthosting.co.za/roundup/meta/issue264

[issue15079] pickle: Possibly misplaced test

2012-06-15 Thread Stefan M
New submission from Stefan M : After issue7455 was fixed, a test was created to reflect the fix (Lib/test/pickletester.py @ AbstractPickleModuleTests.test_bad_input). The test makes sure that an UnpicklingError is raised whenever pickled data attempts to pop on an empty stack. Although tests o

[issue14904] test_unicode_repr_oflw (in test_bigmem) crashes

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 1c9635109079 by Antoine Pitrou in branch '2.7': Skip test_bigmem.test_unicode_repr_oflw, since it crashes (issue #14904). http://hg.python.org/cpython/rev/1c9635109079 -- nosy: +python-dev

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > > > > qwert > > 'qwert\n' Oh, it seems that the mail server again ate some lines of my examples. > Well, did you try readline() or readlines()? Yes, it's my mistake, I used readline().

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > But sys.stdin does not implement RawIOBase, it implements TextIOBase. sys.stdin.buffer.raw implements RawIOBase.

[issue15064] multiprocessing should use more context manager

2012-06-15 Thread Tshepang Lekhonkhobe
Changes by Tshepang Lekhonkhobe : -- nosy: +tshepang

[issue14955] hmac.secure_compare() is not time-independent for unicode strings

2012-06-15 Thread Jon Oberheide
Jon Oberheide added the comment: Sounds good to me, Nick.

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Secondly, it seems to me that the proposed lower level feature may > make more sense as a bytes method rather than as a function in the > operator module. If it's a function, though, it can compare all kinds of buffer-like objects (bytearrays, memoryviews, et

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > > so the readlines function should always return at least as many bytes as > > its first parameter. Is this assumption wrong? > > qwert > 'qwert\n' > > You type five characters "qwert" end press . Python immediately > receives these six characters, and ret

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > Forget other filelike objects. The FileInput class only works with actual > files, No. sys.stdin can be reassigned before using FileInput. And FileInput has openhook parameter (for read compressed files or get files from Web, for example). > so the readl

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: On Friday, 15 June 2012 at 14:41 +, Serhiy Storchaka wrote: > From io.RawIOBase.read docs: > > """ > Read up to n bytes from the object and return them. As a convenience, if > n is unspecified or -1, readall() is called. Otherwise, only one system > cal

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread R. David Murray
R. David Murray added the comment: The _pyio.py version of readlines does read until the count is equaled or exceeded. This could, however, be an implementation detail and not part of the spec.

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread R. David Murray
R. David Murray added the comment: So the real question is: does readlines block until the byte count is satisfied? It might, but the docs for io.IOBase.readlines leave open the possibility that fewer lines will be read, and do not limit that to the EOF case. It's not clear, however, if th

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread R. David Murray
R. David Murray added the comment: fileinput should work (for some definition of work) for anything that can be opened by name using the open syscall on unix. That includes many more things than files. Named pipes are a particularly interesting example in this context.

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Joey Geralnik
Joey Geralnik added the comment: Forget other filelike objects. The FileInput class only works with actual files, so the readlines function should always return at least as many bytes as its first parameter. Is this assumption wrong?

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Joey Geralnik
Joey Geralnik added the comment: But this is calling the readlines function, which continually reads from the file until more bytes have been read than the specified argument. From bz2.readlines: "size can be specified to control the number of lines read: no further lines will be read once t

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: > The patch I've attached checks if the number of bytes read from the file is > less than the size of the buffer (which means that the file has ended). From io.RawIOBase.read docs: """ Read up to n bytes from the object and return them. As a convenience,

[issue15066] make install error: ImportError: No module named _struct

2012-06-15 Thread suzhengchun
suzhengchun added the comment: Thanks for your attention. I try it: suzc@linux-opensuse:22:02:51:Python-2.7.3$ PYTHONPATH=/WORK/suzc/installed/python/lib/python2.7 ./python -c 'import sys; print(sys.path)' ['', '/WORK/suzc/installed/python/lib/python2.7', '/WORK/suzc/installed/python/lib/pyth

[issue15068] fileinput requires two EOF when reading stdin

2012-06-15 Thread Joey Geralnik
Joey Geralnik added the comment: First off, I'm a complete noob looking at the python source code for the first time so forgive me if I've done something wrong. What if the length of the chunk is checked as well? The following code works fine: import sys while True: chunk = sys.stdin.rea

[issue15019] String termination on Linux

2012-06-15 Thread Amaury Forgeot d'Arc
Amaury Forgeot d'Arc added the comment: Jānis: > Prints "11 This is not what I get on Linux: I see "11 Hithere:)" because the console chooses to not print the \x00. The character is present in the output stream though. Did you really get a truncated output? How did you run the above script

[issue15052] Outdated comments in build_ssl.py

2012-06-15 Thread Jeremy Kloth
Jeremy Kloth added the comment: I would suggest trying to build OpenSSL (build_ssl.py) *without* Perl installed. On Windows (7,64-bit at least) a dialog box pops up many times asking which program to use to run XXX.pl. This is using the externals from svn.python.org. -- nosy: +jeremy.

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I believe, that instead of a integer flags will be better and more portable to use boolean parameters (diskio=True, wait=True, sync=False). All additional parameters should be keyword-only. os.sendfile(out, in, offset, nbytes, *, headers=None, trailers=None

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Nick Coghlan
Nick Coghlan added the comment: (Ah, the dangers of using a real text editor for edit fields. This got rather long, but I think it's all still relevant) I'm persuaded that a C implementation is a good idea in the long run. However, I *don't* think we should rush the design of it. It doesn't s

[issue15074] Strange behaviour of python cmd module. (Ignores slash)

2012-06-15 Thread Peter Otten
Peter Otten <__pete...@web.de> added the comment: Not a python bug. You are omitting an important detail of the stackoverflow example in your code: # we want to treat '/' as part of a word, so override the delimiters readline.set_completer_delims(' \t\n;') Please turn to the Python mailing li

[issue15073] commands.getoutput() does not work on windows

2012-06-15 Thread Pavel Fedin
Pavel Fedin added the comment: I see it's deprecated and dropped, but anyway, why not to fix it to work on Windows? From 10197 i see the fix is quite simple, and there is lots of legacy code i believe.

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- nosy: +giampaolo.rodola, neologix

[issue15077] Regexp match goes into infinite loop

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: This is not infinite loop. This is O(2**len(prefix_before_first_quote)) computation. Measure times of matching for "INSER(`id`...", "INSERT(`id`...", "INSERT (`id`...", "INSERT I(`id`...", etc. Better use r'''(?:[^`';]+|'(?:''|[^'])*'|`(?:``|[^`])*`)+;''' r

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > > The point of supporting unicode would precisely be to avoid a > > unicode->bytes conversion when unicode strings are received. > > A byte-wise comparison of the memory representation would work IFF both > sides have the same type and unicode kind. Anything

[issue15073] commands.getoutput() does not work on windows

2012-06-15 Thread R. David Murray
R. David Murray added the comment: Hmm. Maybe issue 10197 should be reclassified as an enhancement... -- nosy: +r.david.murray resolution: wont fix -> duplicate superseder: -> subprocess.getoutput fails on win32 title: commands.getoutput() is broken -> commands.getoutput() does not wo

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Christian Heimes
Christian Heimes added the comment: On 15.06.2012 14:21, Antoine Pitrou wrote: > I like the fact that a C implementation can be audited much more easily. > Who knows what kind of effects the Python implementation can trigger, if > some optimizations get added in the future. Secondly we can pr

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > 2. Providing a C implementation via the operator module (given the > restriction to bytes values, and the assumption of caching for all > relevant integers, would a C reimplementation really be buying us much > additional security?) I like the fact that a C i

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Nick Coghlan
Nick Coghlan added the comment: OK, the worst aspects (the misleading name and documentation) have been dealt with, so that leaves the questions of: 1. Avoiding leaking the length information (seems unnecessary, since most digests are part of protocols where they have a known, published lengt

[issue15036] mailbox.mbox fails to pop two items in a row, flushing in between

2012-06-15 Thread Petri Lehtinen
Petri Lehtinen added the comment: As I suspected, all single-file mailboxes (mbox, MMDF, Babyl) have this issue. Attached a patch with tests. -- keywords: +patch Added file: http://bugs.python.org/file26017/issue15036.patch

[issue14955] hmac.secure_compare() is not time-independent for unicode strings

2012-06-15 Thread Nick Coghlan
Nick Coghlan added the comment: As a result of the discussions on #15061, I removed unicode comparison support altogether in f36af3766a20 (updating the warning on the hexdigest() method accordingly). Are folks happy to close this issue on that basis? (I'll raise the question of a separate C

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset f36af3766a20 by Nick Coghlan in branch 'default': Issue #15061: Don't oversell the capabilities of the new non-shortcircuiting comparison function in hmac http://hg.python.org/cpython/rev/f36af3766a20 -- nosy: +python-dev

[issue14423] Getting the starting date of iso week from a week number and a year.

2012-06-15 Thread Erik Cederstrand
Erik Cederstrand added the comment: I would like to point out that http://bugs.python.org/issue12006 provides a solution (including patches) based on %G, %V and %u directives for use in strptime()/strftime(). These directives are defined in (FreeBSD) libc, and PHP has them, too. I think the

[issue15078] Change os.sendfile so its arguments are stable

2012-06-15 Thread Larry Hastings
New submission from Larry Hastings : As I keep saying on python-dev: I think that the argument list for a function should be stable. If you have a function where some abilities are only available on certain platforms, it's best to always accept default no-op parameters for those parameters, r

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Nick Coghlan
Nick Coghlan added the comment: As a first step, I'm going to make a change to: 1. Rename the function to "compare_digest" 2. Remove the support for comparing strings 3. Update the documentation to be much clearer about its limitations (including why it's considered OK to leak the expected len

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Eli Bendersky
Eli Bendersky added the comment: As suspected, the cause is that xinclude_loader manages to somehow import the C version of ET, although test_xml_etree tries to enforce the Python version. This is probably because test___all__ imports all modules and leaves stuff in the import cache. What ca

[issue15077] Regexp match goes into infinite loop

2012-06-15 Thread Moriyoshi Koizumi
New submission from Moriyoshi Koizumi : A peculiar pair of a regexp and a target string causes the runtime into an infinite loop. The same expression works with Perl. -- components: Regular Expressions files: x.py messages: 162883 nosy: ezio.melotti, moriyoshi, mrabarnett priority: nor

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Antoine Pitrou
Antoine Pitrou added the comment: > I could wrap up a quick C implementation if you like. The operator > module is a better place for a total_compare() function. Do you a > agree? I think the function is fine in either hashlib or hmac. Putting it in one of these modules is a hint that it's secu

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Eli Bendersky
Eli Bendersky added the comment: After some tinkering I found which test when run before test_xml_etree causes it to crash: $ ./python -m test.regrtest test___all__ test_xml_etree [1/2] test___all__ [2/2] test_xml_etree Fatal Python error: Segmentation fault Current thread 0x7f771ecec700:

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Christian Heimes
Christian Heimes added the comment: Oh dead god, what have I done ... I threw a small stone and caused a major landslide. :) I'm all with Nick on this topic. A correctly named and documented function provides a tool to users that greatly reduces the chance of a side channel attack. It's all

[issue15076] Sometimes couldn't import os, shown 'import site' failed, use -v for trackback

2012-06-15 Thread Leon Zhang
New submission from Leon Zhang : Hello Experts, I am using Python 2.6.2 on a Linux machine. I found sometimes I have problem to run my simple python script. > Linux version and Python version < leonz@fxcsgbu2c1% uname -a SunOS fxcsgbu2c1 5.8 Generic_117350-06 sun4u sparc SUNW,U

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Armin Rigo
Changes by Armin Rigo : -- nosy: -arigo

[issue5067] Error msg from using wrong quotes in JSON is unhelpful

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Patch adapted for Python 3.3. Consistently changed messages in C code, docs and docstrings. -- components: +Documentation nosy: +storchaka versions: +Python 2.7, Python 3.2, Python 3.3 -Python 2.6 Added file: http://bugs.python.org/file26014/json-mes

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Martin v. Löwis
Martin v. Löwis added the comment: > That's why the vulnerable cases are far more likely to be related to > *signature* checking. In those you can generally provide both the > hash input (the message) and the hash target (the purported > "signature"). I see. I wonder how feasible this attack is

[issue1598083] Top-level exception handler writes to stdout unsafely

2012-06-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: It looks like another reason to replace codecs.open on io.open. -- nosy: +storchaka

[issue12508] Codecs Anomaly

2012-06-15 Thread Serhiy Storchaka
Changes by Serhiy Storchaka : -- versions: +Python 2.7, Python 3.3 Added file: http://bugs.python.org/file26013/fffd-2.py

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Nick Coghlan
Nick Coghlan added the comment: FWIW, Petri's example also explains why leaking the expected length of the string is considered an acceptable optimisation in most reimplementations of this signature check comparison: the attacker is assumed to already know the expected length of the signature

[issue15073] commands.getoutput() is broken

2012-06-15 Thread Amaury Forgeot d'Arc
Amaury Forgeot d'Arc added the comment: The documentation http://docs.python.org/library/commands.html prominently says "Platforms: Unix". This module does not work on Windows. You should really use the subprocess module: >>> import subprocess >>> output = subprocess.check_output("dir", shell=T

[issue15061] hmac.secure_compare() leaks information about length of strings

2012-06-15 Thread Petri Lehtinen
Petri Lehtinen added the comment: For example, Django uses time independent comparison to compare signatures of signed cookies. A signed cookie consists of a plain-text value followed by a signature. An attacker wants to construct a cookie that has a malformed value and a valid signature for

[issue15075] XincludeTest failure in test_xml_etree

2012-06-15 Thread Nick Coghlan
Changes by Nick Coghlan : -- nosy: +ncoghlan
