[issue27777] cgi.FieldStorage can't parse simple body with Content-Length and no Content-Disposition

2020-07-12 Thread Aron Podrigal


Change by Aron Podrigal :


--
pull_requests: +20604
pull_request: https://github.com/python/cpython/pull/21457

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41276] Min / Max returns different values depending on parameter order

2020-07-12 Thread Calvin Davis


Calvin Davis  added the comment:

You say that confusing IDLE with Python is common for beginners, do you mean to 
suggest that IDLE isn't a Python interpreter? I know IDLE is essentially just 
an IDE and distinctly different than the python shell, but I wasn't aware the 
differences would affect anything. I expect my sample code would work the same 
in IDLE or a python file, no confusion there.

I guess I'm not sure what you mean by reducing confusion, because to me IDLE 
and the python shell are similar enough, and both distinctly different than 
executing a .py file, though both should have the same behavior right?

--




[issue41289] '%' character in help= for argparse causes ValueError: incomplete format

2020-07-12 Thread Neil Godber


Neil Godber  added the comment:

Hi, yes I did just then and indeed this worked. Wasn't aware of this. Further, 
curiously I am no longer able to recreate this issue so I will close this for now. 
Sorry for the bother.

--
stage:  -> resolved
status: open -> closed




[issue37095] [Feature Request]: Add zstd support in tarfile

2020-07-12 Thread Anatol Pomozov


Anatol Pomozov  added the comment:

Is there any progress with this feature development?

Arch Linux uses Python tar library for its toolset. Arch devs are looking to 
add ZSTD support to the toolset but it needs this feature to be implemented.

--
nosy: +Anatol Pomozov




[issue41276] Min / Max returns different values depending on parameter order

2020-07-12 Thread Terry J. Reedy


Terry J. Reedy  added the comment:

Calvin, min and max are builtin functions and part of 'Interpreter Core'.  
Confusing IDLE with Python is common for beginners who use IDLE.  Do you think 
I could reduce the confusion by somehow changing the message printed at the top 
of Shell, before '>>>'?

--
assignee: terry.reedy -> 
components: +Interpreter Core -IDLE




[issue41210] Docs: More description of reason about LZMA1 data handling with FORMAT_ALONE

2020-07-12 Thread Hiroshi Miura


Hiroshi Miura  added the comment:

Lasse Collin gave me an explanation of the LZMA1 data format and a suggestion 
on how to implement it.

I'd like to change this issue to a documentation issue to add more description 
about the limitation on FORMAT_ALONE and LZMA1.

A suggestion from Lasse is as follows:

> liblzma cannot be used to decode data from .7z files except in certain
> cases. This isn't a bug, it's a missing feature.
>
> The raw encoder and decoder APIs only support streams that contain an
> end of payload marker (EOPM) alias end of stream (EOS) marker. .7z
> files use LZMA1 without such an end marker. Instead, the end is handled
> by the decoder knowing the exact uncompressed size of the data.
>
> The API of liblzma supports LZMA1 without end marker via
> lzma_alone_decoder(). That API can be abused to properly decode raw
> LZMA1 with known uncompressed size by feeding the decoder a fake 13-byte
> header. Everything else in the public API requires some end marker.
>
> Decoding LZMA1 without BCJ or other extra filters from .7z with
> lzma_raw_decoder() kind of works but you will notice that it will never
> return LZMA_STREAM_END, only LZMA_OK. This is because it will never see
> an end marker. A minor downside is that it won't then do a small
> integrity check at the end either (one variable in the range decoder
> state will be 0 at the end of any valid LZMA1 stream);
> lzma_alone_decoder() does this check even when end marker is missing.
>
> If you use lzma_raw_decoder() for end-markerless LZMA1, make sure that
> you never give it more output space than the real uncompressed size. In
> rare cases this could result in extra output or an error since the
> decoder would try to decode more output using the input it has gotten
> so far. Overall I think the hack with lzma_alone_decoder() is a better
> way with the current API.
>
> BCJ filters process the input data in chunks of a few bytes long, thus
> they need to hold a few bytes of look-ahead buffer. With some filters
> like ARM the look-ahead is aligned and if the uncompressed size is a
> multiple of this alignment, lzma_raw_decoder() will give you all the
> data even when the LZMA1 layer doesn't have an end marker. The x86
> filter has one-byte alignment but needs to see five bytes from the
> future before producing output. When LZMA1 layer doesn't return
> LZMA_STREAM_END, the x86 filter doesn't know that the end was reached
> and cannot flush the last bytes out.
>
> Using liblzma to decode .7z works in these cases:
>
> - LZMA1 using a fake 13-byte header with lzma_alone_decoder():
>
> 1 byte LZMA properties byte that encodes lc/lp/pb
> 4 bytes dictionary size as little endian uint32_t
> 8 bytes uncompressed size as little endian uint64_t;
> UINT64_MAX means unknown and then (and only then)
> EOPM must be present

--
title: LZMADecompressor.decompress(FORMAT_RAW) truncate output when input is 
paticular LZMA+BCJ  data -> Docs: More description of reason about LZMA1 data 
handling with FORMAT_ALONE

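
Added example (not part of the tracker message, liblzma or CPython): the fake 13-byte header from the quoted suggestion, used with Python's lzma module to decode raw LZMA1 that has no end marker, next to the FORMAT_RAW behaviour the quote describes. The literal-only encoder, all helper names and the sample payload are constructed here so the block runs offline; lc=3, lp=0, pb=2 and a 1 MiB dictionary are assumed values.

```python
import lzma
import struct


class RangeEncoder:
    """Minimal LZMA range encoder (constructed helper, emits no end marker)."""

    def __init__(self):
        self.low, self.range = 0, 0xFFFFFFFF
        self.cache, self.cache_size = 0, 1
        self.out = bytearray()

    def _shift_low(self):
        # Emit pending bytes once a carry can no longer change them.
        if self.low < 0xFF000000 or self.low >= 1 << 32:
            carry, temp = self.low >> 32, self.cache
            while self.cache_size:
                self.out.append((temp + carry) & 0xFF)
                temp = 0xFF
                self.cache_size -= 1
            self.cache = (self.low >> 24) & 0xFF
        self.cache_size += 1
        self.low = (self.low & 0x00FFFFFF) << 8

    def encode_bit(self, probs, index, bit):
        bound = (self.range >> 11) * probs[index]
        if bit:
            self.low += bound
            self.range -= bound
            probs[index] -= probs[index] >> 5
        else:
            self.range = bound
            probs[index] += (2048 - probs[index]) >> 5
        while self.range < 1 << 24:
            self.range = (self.range << 8) & 0xFFFFFFFF
            self._shift_low()

    def finish(self):
        for _ in range(5):  # flush the remaining bytes of `low`
            self._shift_low()
        return bytes(self.out)


def encode_literals_no_eopm(data, lc=3, lp=0, pb=2):
    """Encode `data` as LZMA1 literals only, ending without an EOPM."""
    rc = RangeEncoder()
    is_match = [1024] * (1 << pb)  # state stays 0 when only literals occur
    literal = [[1024] * 0x300 for _ in range(1 << (lc + lp))]
    prev = 0
    for pos, byte in enumerate(data):
        rc.encode_bit(is_match, pos & ((1 << pb) - 1), 0)  # 0 = literal
        probs = literal[((pos & ((1 << lp) - 1)) << lc) + (prev >> (8 - lc))]
        symbol = 1
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            rc.encode_bit(probs, symbol, bit)
            symbol = (symbol << 1) | bit
        prev = byte
    return rc.finish()


def fake_alone_header(size, dict_size, lc=3, lp=0, pb=2):
    """13 bytes: properties byte, dict size (LE u32), uncompressed size (LE u64)."""
    return struct.pack("<BIQ", (pb * 5 + lp) * 9 + lc, dict_size, size)


def decode_markerless_lzma1(raw, size, dict_size, lc=3, lp=0, pb=2):
    """Decode end-markerless LZMA1 through the FORMAT_ALONE decoder."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    out = dec.decompress(fake_alone_header(size, dict_size, lc, lp, pb) + raw)
    if not dec.eof or len(out) != size:
        raise lzma.LZMAError("stream did not end at the declared size")
    return out


def raw_decode(raw, size, dict_size, lc=3, lp=0, pb=2):
    """Same data through FORMAT_RAW; output space is capped at `size`."""
    filt = {"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
            "lc": lc, "lp": lp, "pb": pb}
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
    return dec.decompress(raw, max_length=size), dec.eof


if __name__ == "__main__":
    payload = b"constructed sample: LZMA1 data as stored in a .7z file\n" * 4
    raw = encode_literals_no_eopm(payload)
    assert decode_markerless_lzma1(raw, len(payload), 1 << 20) == payload
    data, saw_end = raw_decode(raw, len(payload), 1 << 20)
    print(data == payload, saw_end)  # the raw decoder never reports the end
```

The FORMAT_ALONE path sets eof and rejects a stream that does not end at the declared size, while the FORMAT_RAW path returns the bytes without ever reporting the end of the stream.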



[issue41289] '%' character in help= for argparse causes ValueError: incomplete format

2020-07-12 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +paul.j3, rhettinger




[issue41288] Pickle crashes using a crafted datetime object

2020-07-12 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +belopolsky, p-ganssle




[issue41287] __doc__ attribute is not set in property-derived classes

2020-07-12 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +xtreak




[issue41286] Built-in platform module does not offer to check for processor instructions

2020-07-12 Thread Boštjan Mejak

Boštjan Mejak  added the comment:

This feature is needed for a chess GUI application because the Stockfish chess 
engine is offered in different builds: a build that supports the POPCNT 
processor instruction and a build that doesn't, a build that supports the 
BMI/BMI2 processor instruction set, a 32-bit build and a 64-bit build, also a 
Windows build and a Linux build.

Then the chess GUI application can check if the processor supports the POPCNT 
instruction or the BMI/BMI2 processor instruction set and can load an 
appropriate Stockfish build to analyze a chess game or play against a human 
chess player by using the appropriate Stockfish build for the machine the chess 
GUI application is running on.

--




[issue41289] '%' character in help= for argparse causes ValueError: incomplete format

2020-07-12 Thread Eric V. Smith


Eric V. Smith  added the comment:

Did you try doubling the % char?


help='%%-age of the value'

--
nosy: +eric.smith




[issue41289] '%' character in help= for argparse causes ValueError: incomplete format

2020-07-12 Thread Neil Godber


New submission from Neil Godber :

'%' character in help= for argparse causes ValueError: incomplete format. I am 
attempting to use the percentage character in my help string but get the above 
error. Presumably argparse assumes % denotes formatting when this is not the 
case. I have tried f-strings, escape and raw strings, none of which rectify the 
issue. The only solution is that devs cannot use the % character in argparse help 
strings which is something of an oddity.

--
components: Interpreter Core
messages: 373578
nosy: Neil Godber
priority: normal
severity: normal
status: open
title: '%' character in help= for argparse causes ValueError: incomplete format
type: behavior
versions: Python 3.7




[issue39017] Infinite loop in the tarfile module

2020-07-12 Thread Rishi


Rishi  added the comment:

Thank you. I have signed the CLA agreement. I have pushed my code changes and 
also written a testcase for this issue.

--




[issue39017] Infinite loop in the tarfile module

2020-07-12 Thread Rishi


Change by Rishi :


--
keywords: +patch
pull_requests: +20602
stage: test needed -> patch review
pull_request: https://github.com/python/cpython/pull/21454




[issue41288] Pickle crashes using a crafted datetime object

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
assignee:  -> serhiy.storchaka
components: +Extension Modules -Interpreter Core
nosy: +serhiy.storchaka




[issue41288] Pickle crashes using a crafted datetime object

2020-07-12 Thread Christian Heimes


Christian Heimes  added the comment:

datetime_new assumes that args is a tuple. load_newobj_ex() doesn't check that 
args is a tuple and kwargs is a dictionary. The demo exploit passes ``True`` as 
args, which triggers a segfault in PyTuple_GET_SIZE in datetime_new.

#0  datetime_new (type=0x7fffea5d2740 , args=True, kw=b'\x07\xb2\x01\x01\x00\x00\x00\x00\x00\x00') at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_datetimemodule.c:4737
#1  0x7fffea637b1e in load_newobj_ex (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6008
#2  0x7fffea632e7a in load (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6943
#3  0x7fffea63795e in _pickle_load_impl (module=, buffers=0x0, errors=0x7fffea639149 "strict", encoding=0x7fffea6391fa "ASCII", fix_imports=1, file=<_io.BytesIO at remote 0x7fffea888180>) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:1688
#4  _pickle_load (module=, args=, nargs=, kwnames=) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/clinic/_pickle.c.h:731
#5  0x77bd1ced in cfunction_vectorcall_FASTCALL_KEYWORDS (func=, args=, nargsf=, kwnames=0x0) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Objects/methodobject.c:437

--
nosy: +christian.heimes




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Iman Sharafodin


Iman Sharafodin  added the comment:

@serhiy.storchaka Thank you. Please find it here 
https://bugs.python.org/issue41288 .

--




[issue41288] Pickle crashes using a crafted datetime object

2020-07-12 Thread Iman Sharafodin


New submission from Iman Sharafodin :

The following code generates a segfault on the Pickle module [it's a crafted 
datetime object] (Python 3.10.0a0 (heads/master:b40e434, Jul  4 2020), Python 
3.6.11 and Python 3.7.2):

import io
import pickle


hex_string = "8004952A008C086461746574696D65948C086461746574696D65949388430A07B2010192059452942E"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = pickle.load(f)
print(data)
print('We have segfault but we cannot see!')

--
components: Interpreter Core
messages: 373573
nosy: Iman Sharafodin
priority: normal
severity: normal
status: open
title: Pickle crashes using a crafted datetime object
type: crash
versions: Python 3.10




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:

Thank you. Indeed, it is a pickle specific crash. Please open a new issue and 
I'll provide a fix.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41287] __doc__ attribute is not set in property-derived classes

2020-07-12 Thread Sergei Izmailov


New submission from Sergei Izmailov :

MRE: 

class Property(property):
    pass

print(Property(None, None, None, "hello").__doc__)

Expected: 
hello

Actual:
None

--
messages: 373571
nosy: Sergei Izmailov
priority: normal
severity: normal
status: open
title: __doc__ attribute is not set in property-derived classes




[issue41257] mimetypes.guess_extension('video/x-matroska') return wrong value

2020-07-12 Thread Ammar Askar


Ammar Askar  added the comment:

This looks the same as issue38656, feel free to re-open if it's not.

--
nosy: +ammar2
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Iman Sharafodin


Iman Sharafodin  added the comment:

@serhiy.storchaka you name it, you have it. The following code generates a 
segfault on the Pickle module [it's a crafted datetime object] (Python 3.10.0a0 
(heads/master:b40e434, Jul  4 2020), Python 3.6.11 and Python 3.7.2):

import io
import pickle


hex_string = "8004952A008C086461746574696D65948C086461746574696D65949388430A07B2010192059452942E"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = pickle.load(f)
print(data)
print('We have segfault but we cannot see!')

--




[issue41176] revise Tkinter mainloop dispatching flag behavior

2020-07-12 Thread E. Paine


E. Paine  added the comment:

I have just finished reviewing the proposed PR, and am happy with the content. 
During the process of developing the PR, we established that the behaviour that 
should be deprecated is the error after a second of waiting in a thread. 
Instead, on `WaitForMainloop` removal, we should pass straight through and use 
the tcl queue to wait for mainloop.

@Serhiy, is waiting for the tcl queue acceptable behaviour? It seemed to behave 
correctly during my tests and if it is acceptable, both me and Richard would 
really appreciate your review of the PR.

--




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:

It depends. pickle is not vulnerable to the kind of error reported in this 
issue. If you find some way to crash Python specific to pickle it will likely 
be fixed if it is possible without significant performance or memory cost. If 
it depends on arbitrary code execution, it is not a pickle issue.

--




[issue41286] Built-in platform module does not offer to check for processor instructions

2020-07-12 Thread Eric V. Smith


Eric V. Smith  added the comment:

What would you use this information for, if it were available from Python code?

--
nosy: +eric.smith




[issue41286] Built-in platform module does not offer to check for processor instructions

2020-07-12 Thread Christian Heimes


Christian Heimes  added the comment:

Python's standard library doesn't aim to solve all problems. Python also 
supports a lot of platforms and CPU architectures. We'd have to implement this 
on major platforms like BSD, Linux, and Windows as well as other supported 
platforms like AIX or VMS multiplied by all supported CPU architectures like 
X86, X86_64, multiple ARMs, ...

This sounds like a feature that can be implemented in a PyPI package.

--
nosy: +christian.heimes
versions:  -Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Christian Heimes


Christian Heimes  added the comment:

Linux containers like Docker are not a security boundary. They are merely a 
mechanism to package, deliver, and run software. Dan Walsh coined the phrase 
"Containers Don't Contain" a while ago. It's possible to tighten security of 
containers. This starts at "Don't execute arbitrary and potentially malicious 
code".

--




[issue41146] Convert signal.default_int_handler() to Argument Clinic

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue41286] Built-in platform module does not offer to check for processor instructions

2020-07-12 Thread Boštjan Mejak

New submission from Boštjan Mejak :

The platform module does not offer to check whether a processor supports the 
POPCNT or BMI/BMI2 processor instructions. Am I missing something or is it 
actually missing this feature?

--
components: Library (Lib)
messages: 373563
nosy: PedanticHacker
priority: normal
severity: normal
status: open
title: Built-in platform module does not offer to check for processor 
instructions
type: enhancement
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 
3.9




[issue41146] Convert signal.default_int_handler() to Argument Clinic

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:


New changeset b0689ae7f9d904bc2126994aedbc552f03479e40 by Serhiy Storchaka in 
branch 'master':
bpo-41146: Convert signal.default_int_handler() to Argument Clinic (GH-21197)
https://github.com/python/cpython/commit/b0689ae7f9d904bc2126994aedbc552f03479e40


--




[issue20175] Derby #6: Convert 50 sites to Argument Clinic across 8 files

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue41187] Convert the _msi module to Argument Clinic

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue20181] Derby #12: Convert 50 sites to Argument Clinic across 4 files

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue20175] Derby #6: Convert 50 sites to Argument Clinic across 8 files

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:


New changeset 545b54d2abbc7970aa66b179a18ff2ac4440a8f9 by Zackery Spytz in 
branch 'master':
bpo-20175: Convert Modules/_multiprocessing to the Argument Clinic (GH-14245)
https://github.com/python/cpython/commit/545b54d2abbc7970aa66b179a18ff2ac4440a8f9


--




[issue41285] memoryview does not support subclassing

2020-07-12 Thread Christian Heimes


Change by Christian Heimes :


--
versions:  -Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9




[issue20181] Derby #12: Convert 50 sites to Argument Clinic across 4 files

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:


New changeset b7047e59a40649d81061acf0044e74cfd426f064 by Zackery Spytz in 
branch 'master':
bpo-20181: Convert the readline module to the Argument Clinic (#14326)
https://github.com/python/cpython/commit/b7047e59a40649d81061acf0044e74cfd426f064


--




[issue41284] High Level API for json file parsing

2020-07-12 Thread Serhiy Storchaka


Serhiy Storchaka  added the comment:

json.load() is already a high level API. json.JSONDecoder is a more low level API.

Not every two lines of code should be added as a function in the stdlib. Also, 
such API would be too complex because you would need to combine parameters of 
open() (8 parameters) and json.load() (7 parameters). If you use these two 
lines many times in your code you can just add a simple function that supports 
only options needed for you.

--
nosy: +serhiy.storchaka
resolution:  -> rejected
stage: patch review -> resolved
status: open -> closed




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread STINNER Victor


STINNER Victor  added the comment:

This bug tracker is not the right place to report issues of third party web
services. I don't see anything wrong with Python according to Python Threat
Model:
https://python-security.readthedocs.io/security.html#python-security-model

That's why pickle starts with a big warning about the lack of security.

--




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread Iman Sharafodin


Iman Sharafodin  added the comment:

There are many online Python interpreters, we can use this malicious file to 
escape their sandboxes and get control of their Docker container or system (and 
abuse them, for example, to conduct a DoS attack), as they fully trust that 
Python doesn't generate a segfault.
For example, the following code clearly kills the interpreter (and a shellcode 
can be attached), even though, they have protection mechanisms for file access 
and many other things.

---
https://www.programiz.com/python-programming/online-compiler/
---

import io
import marshal



hex_string = "FBE90100DA0136E90209720100720300DA0168A903720100720500DA026161DA026A6A7BDA0278785B0200720100DA01353030DA0170E7E10B930189E4414130"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = marshal.load(f)
print(data)
print('We have segfault but we cannot see!')
---

--




[issue41208] An exploitable segmentation fault in marshal module

2020-07-12 Thread STINNER Victor


STINNER Victor  added the comment:

By design, it is trivial to run arbitrary Python code using pickle. There
is no need to exploit a segfault for that.

--




[issue41285] memoryview does not support subclassing

2020-07-12 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +skrah

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41284] High Level API for json file parsing

2020-07-12 Thread Karthikeyan Singaravelan


Karthikeyan Singaravelan  added the comment:

There was a previous issue to support filepath for json.load 
https://bugs.python.org/issue36378 . This just expands the json API that could 
already be done using one more operation.

--
nosy: +ezio.melotti, rhettinger, xtreak




[issue41285] memoryview does not support subclassing

2020-07-12 Thread Michiel de Hoon


New submission from Michiel de Hoon :

Currently memoryview does not support subclassing:

>>> class B(memoryview): pass
... 
Traceback (most recent call last):
  File "", line 1, in 
TypeError: type 'memoryview' is not an acceptable base type


Subclassing memoryview can be useful when
- class A supports the buffer protocol;
- class B wraps class A and should support the buffer protocol provided by 
class A;
- class A does not support subclassing.

In this situation,

class B(memoryview):
    def __new__(cls, a):
        return super(B, cls).__new__(cls, a)

where a is an instance of class A, would let instances of B support the buffer 
protocol provided by a.


Is there any particular reason why memoryview does not support subclassing?

--
components: C API
messages: 373554
nosy: mdehoon
priority: normal
severity: normal
status: open
title: memoryview does not support subclassing
type: enhancement
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 
3.9




[issue41284] High Level API for json file parsing

2020-07-12 Thread Rémi Lapeyre

Rémi Lapeyre  added the comment:

Hi, using a file object is very common as it makes it possible to use something 
that is not a file, like an HTTP request or something already in memory. It 
makes the module serializing / de-serializing the data completely agnostic with 
regard to the actual physical storage which has some advantages, for example it 
will not raise FileNotFound.

If you want a oneliner to load data you already can use:



with open(filepath) as f: data = json.load(f)

--
nosy: +remi.lapeyre




[issue41284] High Level API for json file parsing

2020-07-12 Thread Wansoo Kim


Change by Wansoo Kim :


--
keywords: +patch
pull_requests: +20601
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/21453




[issue41284] High Level API for json file parsing

2020-07-12 Thread Wansoo Kim


New submission from Wansoo Kim :

Many Python users use the following snippet to read a JSON file.

```
with open(filepath, 'r') as f:
    data = json.load(f)
```

I suggest providing this snippet as a function.


```
data = json.read(filepath)
```

Reading JSON is a very frequent task for Python users. I think it is worth 
providing this with the High Level API.

--
components: Library (Lib)
messages: 373552
nosy: ys19991
priority: normal
severity: normal
status: open
title: High Level API for json file parsing
versions: Python 3.10




[issue40275] test.support has way too many imports

2020-07-12 Thread Serhiy Storchaka


Change by Serhiy Storchaka :


--
nosy:  -serhiy.storchaka




[issue40275] test.support has way too many imports

2020-07-12 Thread Vinay Sajip


Change by Vinay Sajip :


--
nosy:  -vinay.sajip




[issue40275] test.support has way too many imports

2020-07-12 Thread hai shi


Change by hai shi :


--
pull_requests: +20600
pull_request: https://github.com/python/cpython/pull/21452




[issue40275] test.support has way too many imports

2020-07-12 Thread hai shi


Change by hai shi :


--
pull_requests: +20599
pull_request: https://github.com/python/cpython/pull/21451




[issue41283] The parameter name for imghdr.what in the documentation is wrong

2020-07-12 Thread Adam Eltawla


New submission from Adam Eltawla :

I noticed the parameter name for imghdr.what in the documentation is wrong.

Link: https://docs.python.org/3.8/library/imghdr.html?highlight=imghdr
function imghdr.what(filename, h=None)

In reality:
def what(file, h=None):

It is 'file' not 'filename'.

--
assignee: docs@python
components: Documentation
messages: 373551
nosy: aeltawela, docs@python
priority: normal
severity: normal
status: open
title: The parameter name for imghdr.what in the documentation is wrong
type: enhancement
versions: Python 3.8




[issue27534] IDLE: Reduce number and time for user process imports

2020-07-12 Thread Cheryl Sabella


Cheryl Sabella  added the comment:

I'm going to close the PR for this as the change is out of date with newer 
changes to fetch_completions and fetch_completions is being rewritten for 
#37766.  It would be easiest to revisit this once the other changes to 
fetch_completions are set.

--




[issue40275] test.support has way too many imports

2020-07-12 Thread hai shi


Change by hai shi :


--
pull_requests: +20598
pull_request: https://github.com/python/cpython/pull/21450




[issue40275] test.support has way too many imports

2020-07-12 Thread hai shi


Change by hai shi :


--
pull_requests: +20597
pull_request: https://github.com/python/cpython/pull/21449




[issue40275] test.support has way too many imports

2020-07-12 Thread hai shi


Change by hai shi :


--
pull_requests: +20596
pull_request: https://github.com/python/cpython/pull/21448




[issue41282] Deprecate and remove distutils

2020-07-12 Thread Jason R. Coombs


Change by Jason R. Coombs :


--
nosy: +steve.dower




[issue41282] Deprecate and remove distutils

2020-07-12 Thread Jason R. Coombs

Jason R. Coombs  added the comment:

Łukasz, would it be possible to add the deprecation warning and documented 
deprecation to Python 3.9?

--
nosy: +lukasz.langa




[issue41282] Deprecate and remove distutils

2020-07-12 Thread Jason R. Coombs


Change by Jason R. Coombs :


--
nosy: +ncoghlan, paul.moore




[issue41282] Deprecate and remove distutils

2020-07-12 Thread Jason R. Coombs


New submission from Jason R. Coombs :

Setuptools has adopted distutils as outlined in 
[pypa/packaging-problems#127](https://github.com/pypa/packaging-problems/issues/127). 
Although there are some straggling issues, the current release of Setuptools 
fully obviates distutils if a certain environment variable is set. Soon, that 
behavior will be default.

Additionally, the distutils codebase remains maintained at 
[pypa/distutils](https://github.com/pypa/distutils) in a form suitable for 
releasing as a third-party package, should the need arise (i.e. pip install 
distutils).

The plan now is to freeze, deprecate, and in Python N + 0.1, remove distutils.

Already, Setuptools is identifying emergent bugs and other defects in distutils 
and providing fixes for them (issue41207, 
[pypa/setuptools#2212](https://github.com/pypa/setuptools/issues/2212)). 
Keeping these changes in sync across three repos and different supported 
versions is tedious, so I'd like to move forward with the deprecation process 
as soon as possible.

--
components: Distutils
messages: 373548
nosy: dstufft, eric.araujo, jaraco
priority: normal
severity: normal
status: open
title: Deprecate and remove distutils
versions: Python 3.10, Python 3.9
