gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling
(cherry picked from commit 42d754e34c)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Eashwar Ranganathan <eashwar@eashwar.com>
* gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507)
(cherry picked from commit a51b1b512d)
Co-authored-by: Steve Dower <steve.dower@python.org>
* Regenerate importlib_external.h
* Fix blurb entry
The `:cve:` role is not available on this branch.
---------
Co-authored-by: Steve Dower <steve.dower@python.org>
Co-authored-by: Stan Ulbrych <stan@ulbrych.org>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
* [3.10] gh-145098: Use `macos-15-intel` instead of unstable `macos-26-intel` in `{jit,tail-call}.yml` (GH-148126)
(cherry picked from commit bce96a1813)
Co-authored-by: Stan Ulbrych <stan@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
* Add 'permissions: {}' to all workflows
---------
Co-authored-by: Stan Ulbrych <stan@python.org>
gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
(cherry picked from commit a1cf4430ed)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Fix a bug in the folding of comments when flattening an email message
using a modern email policy. Comments consisting of a very long sequence of
non-foldable characters could trigger a forced line wrap that omitted the
required leading space on the continuation line, causing the remainder of
the comment to be interpreted as a new header field. This enabled header
injection with carefully crafted inputs.
(cherry picked from commit 17d1490)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
- Issue: Fix folding of long comments of unfoldable characters in email headers #143935
Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com>
Co-authored-by: Seth Michael Larson <seth@python.org>
gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843)
In newPySSLSocket(), when SSL_new() returns NULL, Py_DECREF(self)
was called before _setSSLError(get_state_ctx(self), ...), causing
a use-after-free. Additionally, get_state_ctx() was called with
self (PySSLSocket*) instead of sslctx (PySSLContext*), which is
a type confusion bug.
Fix by calling _setSSLError() before Py_DECREF() and using
sslctx instead of self for get_state_ctx().
(cherry picked from commit c91638ca06)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
Reading a specially prepared small Plist file could cause OOM because the file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40)
gh-119451: Fix a potential denial of service in http.client (GH-119454)
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
[3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216)
The CGI server on Windows could consume the amount of memory specified
in the Content-Length header of the request even if the client does not
send that much data. Now it reads the POST request body by chunks,
therefore the memory consumption is proportional to the amount of sent
data.
(cherry picked from commit 0e4f4f1a46)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917)
* Add 'test.support' fixture for C0 control characters
* gh-143916: Reject control characters in wsgiref.headers.Headers
(cherry picked from commit f7fceed79c)
(cherry picked from commit 22e4d55285)
Co-authored-by: Seth Michael Larson <seth@python.org>
Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
(cherry picked from commit 333d4a6f49)
(cherry picked from commit 162997bb70)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
"] ]>" and "]] >" no longer end the CDATA section.
Make CDATA section parsing context dependent.
Add private method HTMLParser._set_support_cdata() to change the context.
If called with True, "<![CDATA[" starts a CDATA section which ends with "]]>".
If called with False, "<![CDATA[" starts a bogus comment which ends with ">".
(cherry picked from commit 0cbbfc4621)
(cherry picked from commit dcf24768c9)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
* gh-139400: Make sure that parent parsers outlive their subparsers in `pyexpat` (#139403)
* Modules/pyexpat.c: Disallow collection of in-use parent parsers.
Within libexpat, a parser created via `XML_ExternalEntityParserCreate`
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, it was possible for the parent parser to be
garbage-collected too early.
(cherry picked from commit 6edb2ddb5f)
* Move news item from section "Core and Builtins" to section "Security"
ensurepip installs a bundled copy of distutils, which overrides
the stdlib module. This affects several tests. This commit:
- skips distutils in test___all__, as we're unlikely to break
`__all__` in a security-fix-only branch (and if we do it's not
much of a big deal)
- skips importability tests of distutils submodules if the
setuptools hack is detected
(cherry picked from commit 987af36a71)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Emma Smith <emma@emmatyping.dev>