[issue43882] [security] urllib.parse should sanitize urls containing ASCII newline and tabs.
Seth Michael Larson added the comment:

Leaving a thought here, I'm highlighting that we're now implementing two different standards, RFC 3986 with hints of WHATWG-URL. There are pitfalls to doing so as now a strict URL parser for RFC 3986 (like the one used by urllib3/requests) will give different results compared to Python and thus opens up the door for SSRF vulnerabilities [1].

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

--
nosy: +sethmlarson

___
Python tracker
<https://bugs.python.org/issue43882>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
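An added example, not part of the message above or of CPython: one defensive way to keep a strict RFC 3986 parser and a WHATWG-style parser from disagreeing is to reject, rather than strip, ASCII tab, LF and CR before any parser sees the URL, and only then check the host. `ALLOWED_HOSTS`, `check_outbound_url`, `audit` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this service may call (assumption).
ALLOWED_HOSTS = frozenset({"api.example.com"})


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url unchanged if it is unambiguous and allowlisted, else raise ValueError.

    Rejecting (rather than silently stripping) ASCII tab, LF and CR means the
    string handed to the HTTP client is byte-for-byte the string validated
    here, so a strict RFC 3986 parser and a WHATWG-style parser cannot
    disagree about it because of those characters.
    """
    for pos, ch in enumerate(url):
        # Tab/LF/CR are the characters from the issue title; refusing the rest
        # of the C0 range, space and DEL as well is a stricter choice made here.
        if ord(ch) <= 0x20 or ord(ch) == 0x7F:
            raise ValueError(f"control or space character {ch!r} at offset {pos}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not permitted")
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise ValueError(f"host {host!r} not in allowlist")
    return url


def audit(urls):
    """Map each URL to 'ok' or the rejection reason."""
    results = {}
    for url in urls:
        try:
            check_outbound_url(url)
            results[url] = "ok"
        except ValueError as exc:
            results[url] = str(exc)
    return results


# Constructed sample inputs, not taken from the issue.
SAMPLES = [
    "https://api.example.com/v1/items",
    "https://api.example.com/v1\n/items",
    "ht\ttps://api.example.com/",
    "https://internal.example.net/",
]
```

Because the control-character check runs before `urlsplit`, the verdicts do not depend on whether the installed Python already strips these characters.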
[issue29704] Can't read data from Transport after asyncio.SubprocessStreamProtocol closes
Changes by Seth Michael Larson <sethmichaellar...@protonmail.com>:

--
components: +asyncio
nosy: +gvanrossum
type: -> behavior

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29704>
___
[issue29704] Can't read data from Transport after asyncio.SubprocessStreamProtocol closes
New submission from Seth Michael Larson:

Copied from https://github.com/python/asyncio/issues/484

"""
From https://bugs.python.org/issue23242#msg284930

The following script is used to reproduce the bug:

    import asyncio

    async def execute():
        process = await asyncio.create_subprocess_exec(
            "timeout", "0.1", "cat", "/dev/urandom",
            stdout=asyncio.subprocess.PIPE)
        while True:
            data = await process.stdout.read(65536)
            print('read %d bytes' % len(data))
            if data:
                await asyncio.sleep(0.3)
            else:
                break

    asyncio.get_event_loop().run_until_complete(execute())

will produce following output and terminate with exception:

    read 65536 bytes
    read 65536 bytes
    Traceback (most recent call last):
      File "read_subprocess.py", line 18, in <module>
        asyncio.get_event_loop().run_until_complete(execute())
      File "/usr/lib/python3.6/asyncio/base_events.py", line 466, in run_until_complete
        return future.result()
      File "read_subprocess.py", line 9, in execute
        data = await process.stdout.read(65536)
      File "/usr/lib/python3.6/asyncio/streams.py", line 634, in read
        self._maybe_resume_transport()
      File "/usr/lib/python3.6/asyncio/streams.py", line 402, in _maybe_resume_transport
        self._transport.resume_reading()
      File "/usr/lib/python3.6/asyncio/unix_events.py", line 401, in resume_reading
        self._loop._add_reader(self._fileno, self._read_ready)
    AttributeError: 'NoneType' object has no attribute '_add_reader'

When the process exits https://github.com/python/asyncio/blob/master/asyncio/unix_events.py#L444 is called which sets this._loop = None

Next time read() is called on the pipe the above exception is thrown.

I have tried to fix this issue myself but would sometimes have read terminate too early and miss the last chunks of data.
"""
- BotoX

--
messages: 288839
nosy: SethMichaelLarson, yselivanov
priority: normal
pull_requests: 337
severity: normal
status: open
title: Can't read data from Transport after asyncio.SubprocessStreamProtocol closes

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29704>
___
[issue29091] Python 3.5+ socket.socketpair fallback incorrectly implemented
Seth Michael Larson added the comment:

Sorry for making noise, yes I was using the implementation in Python 2.x. I will do better investigation in the future.

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29091>
___
[issue29091] Python 3.5+ socket.socketpair fallback incorrectly implemented
New submission from Seth Michael Larson:

The socket.socketpair() fallback for Python 3.5+ is incorrectly implemented from the original source. The fallback doesn't provide a backlog argument to the lsock.listen() function call. When running the function it gives the following error:

`TypeError: listen() takes exactly one argument (0 given)`

Issue can be seen here on line 514: https://hg.python.org/cpython/file/3.6/Lib/socket.py

Should add 1 as the argument to listen() to bring the implementation in line with the source implementation at: https://gist.github.com/geertj/4325783

--
components: Library (Lib)
messages: 284158
nosy: SethMichaelLarson
priority: normal
severity: normal
status: open
title: Python 3.5+ socket.socketpair fallback incorrectly implemented
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29091>
___