[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Alexander Sosedkin
Alexander Sosedkin added the comment: Oh, I see. The invocation b.__getattribute__(b, attrname) worked on so many objects that I didn't even think it could be incorrect. Sorry for wasting your time. -- resolution: -> not a bug status: pending -> closed

[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Rouslan Korneychuk
Rouslan Korneychuk added the comment: Here is an updated patch for 3.6b1. I was able to compile Python with the changes, natively (x86_64 linux) and for ARM, using an Android "isolated toolchain." However, with the ARM build, a file named _sysconfigdata_m_linux_x86_64-linux-gnu.py ended up in

[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Zachary Ware
Zachary Ware added the comment: Could you try 3.6b1 and see if it works correctly for you? Cross-building support has changed significantly in 3.6. -- nosy: +doko, xdegaye, zach.ware

[issue23505] Urlparse insufficient validation leads to open redirect

2016-09-24 Thread Martin Panter
Martin Panter added the comment: It is not clear what Yassine’s bug is. Maybe it is about round-tripping from urlparse() → urlunparse(). If so, it could be solved by fixing either of the following two problems: 1. urlunparse() forgets the initial pair of slashes when netloc="". That might be

[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Larry Hastings
Changes by Larry Hastings: -- nosy: -larry

[issue7412] distutils install race condition

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: This is not a security problem per se. It's rather a request to change the behavior of package installation. -- type: security -> behavior

[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Rouslan Korneychuk
New submission from Rouslan Korneychuk: When building Python, the setup.py script will use values from sysconfig, even when cross compiling. When cross compiling, the interpreter that runs setup.py is configured for the build system, not the host system, so the wrong values are used. This

[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Martin Panter
Martin Panter added the comment: Issue 17102 is open about the specific problem of escaping the destination directory. Maybe it is a duplicate, but this bug also discusses other problems. -- dependencies: +tarfile extract can write files outside the destination path

[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Eric Snow
Eric Snow added the comment: Hmm. It's not clear what you're after here. The error from your example code is correct. The valid invocation is: b.__getattribute__(abs, 'x') That works just fine. If you want to look up *class* attributes then you must call __getattribute__ on the class's

[issue25235] EmailMessage.add_attachment() creates parts with spurious MIME-Version header.

2016-09-24 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: On Sep 24, 2016, at 05:06 PM, R. David Murray wrote: >Barry, would you care to render an opinion on this proposed fix? I think the general approach is probably the best you can do. I noticed a couple of things though with RDM's v.2 patch. First, I get test

[issue25300] Enable Intel MPX (Memory protection Extensions) feature

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: Let's have another look at this enhancement for 3.7. Hopefully we have some machines to develop with and test MPX, too. I don't have any machine at home that supports hardware MPX. Does any of our buildbots have a Skylake with MPX? -- nosy:

[issue27778] PEP 524: Add os.getrandom()

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: I think the documentation is too specific. We typically don't document all possible error numbers. Something along the lines "fails with OSError when getrandom is not supported" is sufficient. -- assignee: -> docs@python components: +Documentation

[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- dependencies: -ssl: get CPU cap flags for AESNI and PCLMULQDQ resolution: -> fixed stage: commit review -> resolved status: open -> closed

[issue24201] _winreg PyHKEY Type Confusion

2016-09-24 Thread Steve Dower
Steve Dower added the comment: I think this requires arbitrary code execution as a minimum - there's no way anyone would pass a user-provided value here - so the security implications are less interesting. All we can really do is restrict the types accepted here, which I don't think is

[issue28207] SQLite headers are not searched in custom locations

2016-09-24 Thread Santiago Castro
Santiago Castro added the comment: Okay, that did work. But shouldn't it call pkg-config, so I don't need to set the flags manually? I mean, I'm running this in my user's home, in a computer which I don't have root access, and I used Linuxbrew (https://github.com/Linuxbrew/brew) for this,

[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Alexander Sosedkin
New submission from Alexander Sosedkin: I've managed to obtain several objects to which __getattribute__ cannot be applied. Minimal non-working example (a more detailed one is attached): b = abs.__class__ b.__getattribute__(b, 'x') Proxying such objects turned out to be even harder than

[issue27235] Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: I agree with Xiang and Larry. I don't see how you can successfully create an overflow. -- nosy: +christian.heimes resolution: -> not a bug status: open -> pending

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: -> docs@python components: +Documentation -Extension Modules nosy: +docs@python type: security -> enhancement versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4

[issue18789] XML Vunerability Table Unclear

2016-09-24 Thread Mark Lawrence
Changes by Mark Lawrence: -- nosy: -BreamoreBoy

[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Mark Lawrence
Changes by Mark Lawrence: -- nosy: -BreamoreBoy

[issue17405] Add _Py_memset_s() to securely clear memory

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- priority: normal -> low versions: +Python 3.7 -Python 3.5

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- versions: +Python 3.7 -Python 3.4

[issue12238] Readline module loading in interactive mode

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: Steve took care of the readline import for isolated mode in #28192. We can't change the default behavior. If you want to prevent Python from importing files from either cwd, user packages or env vars, you have to use isolated mode. System scripts should use

[issue23505] Urlparse insufficient validation leads to open redirect

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: What's the verdict on this bug? It's been dangling for almost one and a half years. -- nosy: +christian.heimes versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4

[issue24201] _winreg PyHKEY Type Confusion

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: Steve, Zach, please have a look. -- assignee: -> steve.dower nosy: +christian.heimes stage: -> needs patch

[issue18789] XML Vunerability Table Unclear

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- keywords: +easy type: security -> enhancement versions: +Python 3.5, Python 3.6, Python 3.7 -Python 3.3, Python 3.4

[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: Steve, is this bug still relevant and a security problem? -- assignee: -> steve.dower nosy: +christian.heimes versions: +Python 3.6, Python 3.7 -Python 3.2, Python 3.3, Python 3.4

[issue22187] commands.mkarg() buggy in East Asian locales

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- priority: normal -> low stage: -> needs patch type: security -> behavior

[issue22519] integer overflow in computing byte's object representation

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: The code doesn't crash any more. It took me more than 5 GB of resident memory and about 90 CPU seconds to reproduce the circumstances of the overflow. -- nosy: +christian.heimes resolution: -> fixed status: open -> closed type: security -> behavior

[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes: -- priority: normal -> high versions: +Python 3.6, Python 3.7 -Python 3.5

[issue28252] Tuples used before introduction to tuple in tutorial

2016-09-24 Thread Raymond Hettinger
Raymond Hettinger added the comment: The highly interrelated nature of Python makes it necessary for the early parts of any tutorial to have some forward references. This doesn't appear to have impaired its usability in practice. -- nosy: +rhettinger resolution: -> not a bug status:

[issue18893] invalid exception handling in Lib/ctypes/macholib/dyld.py

2016-09-24 Thread INADA Naoki
Changes by INADA Naoki: -- versions: +Python 2.7, Python 3.5, Python 3.6 -Python 3.2, Python 3.3, Python 3.4

[issue18893] invalid exception handling in Lib/ctypes/macholib/dyld.py

2016-09-24 Thread INADA Naoki
INADA Naoki added the comment: lgtm -- nosy: +inada.naoki

[issue27942] Default value identity regression

2016-09-24 Thread Raymond Hettinger
Raymond Hettinger added the comment: It would be nice to get this fixed. -- nosy: +rhettinger

[issue25268] Support pointing frozen modules to the corresponding source files, if available.

2016-09-24 Thread Nick Coghlan
Nick Coghlan added the comment: I agree with Marc-Andrew that it's hard to do anything more useful here than "-r" already does, as we can assume the source code won't be available on the target machine - it's the equivalent of having C/C++ debugging symbols available for C/C++ traceback

[issue28250] typing.NamedTuple instances are not picklable Two

2016-09-24 Thread Kurt Dally
Kurt Dally added the comment: My bad, I searched and found the issue, it very closely fit mine and the pickle module is new to me. I hadn't yet got through the details of pickling. Thanks for catching that. Kurt

[issue25235] EmailMessage.add_attachment() creates parts with spurious MIME-Version header.

2016-09-24 Thread R. David Murray
R. David Murray added the comment: Barry, would you care to render an opinion on this proposed fix? -- stage: patch review -> commit review

[issue28203] complex() gives wrong error when the second argument has an invalid type

2016-09-24 Thread Mark Dickinson
Mark Dickinson added the comment: Fixed; thanks. I made a couple of changes: - Use "argument" rather than "arg", to be consistent with the original code (but admittedly not consistent with the rest of the module, where there doesn't seem to be any consistent choice between "arg" and

[issue28203] complex() gives wrong error when the second argument has an invalid type

2016-09-24 Thread Roundup Robot
Roundup Robot added the comment: New changeset 92f4ce2d5ebb by Mark Dickinson in branch '3.5': Issue #28203: Fix incorrect type in error message from complex(1.0, {2:3}). Patch by Soumya Sharma. https://hg.python.org/cpython/rev/92f4ce2d5ebb New changeset a2d93e6bcbcf by Mark Dickinson in

[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Christian Heimes
Christian Heimes added the comment: Antti is correct. Please add __hash__ = None to your class to silence the warning. -- nosy: +christian.heimes resolution: -> not a bug stage: -> resolved status: open -> closed

[issue28253] calendar.prcal(9999) output has a problem

2016-09-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: The problem with year 1 was reported in issue26650.

[issue28253] calendar.prcal(9999) output has a problem

2016-09-24 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Having additional tests is always nice. After writing tests we can search whether there is other solution. AFAIK the dummy data needs also the day attribute.

[issue28260] mock._Any and mock._Call implement __eq__ but not __hash__

2016-09-24 Thread Ned Batchelder
Changes by Ned Batchelder: -- nosy: +nedbat

[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Ned Batchelder
Changes by Ned Batchelder: -- nosy: +nedbat

[issue28207] SQLite headers are not searched in custom locations

2016-09-24 Thread Chi Hsuan Yen
Chi Hsuan Yen added the comment: Could you try this: CPPFLAGS=-I/home//local/include/ LDFLAGS=-L/home//local/lib bash -x /usr/bin/pyenv install 3.5.2

[issue27942] Default value identity regression

2016-09-24 Thread Kay Hayen
Kay Hayen added the comment: Same with 3.6b1, still present. -- nosy: +kayhayen

[issue28250] typing.NamedTuple instances are not picklable Two

2016-09-24 Thread Mark Dickinson
Mark Dickinson added the comment: I don't think this has anything to do with namedtuple; it's true whenever you create a class in an inner scope (rather than at module level). This is by design, and these restrictions are documented:

[issue28143] ASDL compatibility with Python 3 system interpreter

2016-09-24 Thread Malthe Borch
Malthe Borch added the comment: I have updated the patch with requested changes. Note that the original code also added space after '\t' characters. I have not changed this on purpose. -- Added file: http://bugs.python.org/file44801/0001-Allow-make-to-be-run-under-Python-3.patch

[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Antti Haapala
Antti Haapala added the comment: I am very negative to this idea. Correct code in Python **2** would either set `__hash__ = None` or redefine `__hash__` in *any* class that defines `__eq__`. That it just wasn't used like that is no excuse. This warning is even more important if even Ned