PublicArchive/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-05-06 12:49:07 -04:00
Code Issues Packages Projects Releases Wiki Activity
116,816 Commits 6 Branches 654 Tags
3.11
Commit Graph

116816 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Miss Islington (bot) 9a23b75355 [3.11] gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling (#145815) 
gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling
(cherry picked from commit 42d754e34c)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Eashwar Ranganathan <eashwar@eashwar.com>
 2026-04-30 22:18:47 +01:00
Miss Islington (bot) 69ddd9bb2c [3.11] gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507) (#145515) 
* gh-145506: Fixes CVE-2026-2297 by ensuring SourcelessFileLoader uses io.open_code (GH-145507)
(cherry picked from commit a51b1b512d)

Co-authored-by: Steve Dower <steve.dower@python.org>

* Fix docs reference

---------

Co-authored-by: Steve Dower <steve.dower@python.org>
 2026-04-30 22:18:42 +01:00
Stan Ulbrych e20c6c9667 [3.11] gh-148395: Fix a possible UAF in {LZMA,BZ2}Decompressor (GH-148396) (#148504) 
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress

(cherry picked from commit 8fc66aef6d)
 2026-04-13 22:42:36 +01:00
Stan Ulbrych f4654824ae [3.11] gh-148169: Fix webbrowser %action substitution bypass of dash-prefix check (GH-148170) (#148520) 
(cherry picked from commit d22922c8a7)
 2026-04-13 22:41:51 +01:00
Hugo van Kemenade 776d39f2be [3.11] Default GHA permissions to contents: read (GH-148346) (#148389) 
(cherry picked from commit 9c9df8ac8c)
 2026-04-12 09:38:51 +03:00
Stan Ulbrych 642865ddf4 [3.11] gh-145986: Avoid unbound C recursion in conv_content_model in pyexpat.c (CVE 2026-4224) (GH-145987) (#146000) 
* [3.11] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)

Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.

---------
(cherry picked from commit eb0e8be3a7)
(cherry picked from commit e5caf45faa)

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

* Update Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst

---------

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
 2026-04-08 11:27:39 +01:00
Stan Ulbrych 0d046dec11 [3.11] gh-146083: Upgrade bundled Expat to 2.7.5 (GH-146085) (#146607) 
(cherry picked from commit e39d84a37d)
 2026-04-08 11:27:19 +01:00
Miss Islington (bot) 0ec71cd104 [3.11] gh-137586: Open external osascript program with absolute path (GH-137584) (#148176) 
Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
 2026-04-07 03:35:21 +00:00
Hugo van Kemenade f07b4005d9 [3.11] gh-145098: Use macos-15-intel instead of unstable macos-26-…intel in {jit,tail-call}.yml (GH-148126) (#148138) 
* [3.11] gh-145098: Use `macos-15-intel` instead of unstable `macos-26-intel` in `{jit,tail-call}.yml` (GH-148126)
(cherry picked from commit bce96a1813)

Co-authored-by: Stan Ulbrych <stan@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

* macos-26-intel -> macos-15-intel

---------

Co-authored-by: Stan Ulbrych <stan@python.org>
 2026-04-06 01:12:13 +03:00
Miss Islington (bot) 7d2ecdf4e9 [3.11] gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129) (#148133) 
gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
(cherry picked from commit a1cf4430ed)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
 2026-04-05 18:41:08 +00:00
Ezio Melotti a3347aaab9 [3.11] Add permissions: {} to all reusable workflows (#148114) (#148123) 2026-04-05 17:41:39 +03:00
Miss Islington (bot) 96fc504860 [3.11] gh-143930: Tweak the exception message and increase test coverage (GH-146476) (GH-148045) (GH-148051) (GH-148052) 
(cherry picked from commit cc02351123)
(cherry picked from commit 89bfb8e5ed)
(cherry picked from commit 3681d47a44)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 2026-04-04 00:53:49 +02:00
Hugo van Kemenade a78cbed740 [3.11] Remove MSI build from security-only branch (GH-148007) (#148008) 2026-04-02 16:16:12 +03:00
William Woodruff 1729d99f09 [3.11] gh-146488: hash-pin all action references (gh-146489) (#147979) 2026-04-02 08:51:04 +03:00
Hugo van Kemenade 5ed08c4a82 [3.11] gh-145098: Run Apple Silicon macOS CI on macos-26 (Tahoe) (GH-145099) (GH-146412) (GH-146414) (GH-146635) (#146638) 
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: clintonsteiner <47841949+clintonsteiner@users.noreply.github.com>
 2026-03-30 16:10:43 +00:00
tomcruiseqi ceac1efc66 [3.11] gh-143930: Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364) 
(cherry picked from commit 82a24a4442)

Co-authored-by: Seth Michael Larson <seth@python.org>
 2026-03-24 19:23:28 +01:00
Hugo van Kemenade 86a67f8acc [3.11] Add mkdirs to fix 3.11 docs build (#145571) 2026-03-06 00:30:59 +02:00
Miss Islington (bot) c7ab95ad0a [3.11] gh-145455: Show output of blurb & sphinx-build version commands (GH-145457) (#145491) 
Co-authored-by: Petr Viktorin <encukou@gmail.com>
 2026-03-05 22:39:19 +02:00
Pablo Galindo Salgado 30447075e3 Post 3.11.15 2026-03-03 01:07:09 +00:00
Pablo Galindo Salgado 2340a037f7 Python 3.11.15 v3.11.15 2026-03-03 00:52:57 +00:00
Stan Ulbrych d1475b568c [3.11] gh-144363: Update bundled libexpat to 2.7.4 (GH-144365) (#144514) 2026-03-02 23:58:17 +00:00
Miss Islington (bot) 286e3ac399 [3.11] gh-143916: Allow HTAB in wsgiref header values (#145139) 
gh-143916: Allow HTAB in wsgiref header values
(cherry picked from commit 66da7bf6fe)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
 2026-03-02 22:59:25 +00:00
Serhiy Storchaka cefee7d118 [3.11] gh-119342: Fix a potential denial of service in plistlib (GH-119343) (#142150) 
Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40)
 2026-03-02 22:55:04 +00:00
Miss Islington (bot) 0557a1fcbd [3.11] gh-100538: Add workflow to verify bundled libexpat (GH-145359) (#145408) 
gh-100538: Add workflow to verify bundled libexpat (GH-145359)

Add workflow to verify bundled libexpat.
(cherry picked from commit c9a5d9aae4)

Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
 2026-03-02 22:48:14 +00:00
Miss Islington (bot) 15c1d6a549 [3.11] gh-144833: Fix use-after-free in SSL module when SSL_new() fails (GH-144843) (#144861) 
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
 2026-02-26 21:48:29 +00:00
Miss Islington (bot) ee902ce9e4 [3.11] gh-144484: Warn users not to use wsgiref in production 
gh-144484: Warn users not to use wsgiref in production
(cherry picked from commit 7e777c587f)

Co-authored-by: Seth Michael Larson <seth@python.org>
 2026-02-05 18:46:36 +00:00
Miss Islington (bot) 11a1e4e079 [3.11] gh-74453: Add stronger security warning to os.path.commonprefix 
gh-74453: Add stronger security warning to os.path.commonprefix (GH-144401)
(cherry picked from commit 4e15b8d95d)

Co-authored-by: Seth Michael Larson <seth@python.org>
 2026-02-03 14:29:07 +00:00
Miss Islington (bot) afc40bdd3d [3.11] gh-119451: Fix a potential denial of service in http.client (GH-119454) (#142141) 
gh-119451: Fix a potential denial of service in http.client (GH-119454)

Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 2026-01-25 17:11:02 +00:00
Miss Islington (bot) a46c10ec9d [3.11] gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146) (#142212) 
* gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)

* Remove quadratic behavior in node ID cache clearing

Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>

* Add news fragment

---------
(cherry picked from commit 08d8e18ad8)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>

* [3.14] gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794) (#142818)

gh-142754: Ensure that Element & Attr instances have the ownerDocument attribute (GH-142794)
(cherry picked from commit 1cc7551b3f)

Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

* gh-142145: relax the no-longer-quadratic test timing (GH-143030)

* gh-142145: relax the no-longer-quadratic test timing

* require cpu resource
(cherry picked from commit 8d2d7bb2e7)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>

* merge NEWS entries into one

---------

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
 2026-01-25 17:10:53 +00:00
Miss Islington (bot) fa1aae0e34 [3.11] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) (#142298) 
[3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216)

The CGI server on Windows could consume the amount of memory specified
in the Content-Length header of the request even if the client does not
send such much data. Now it reads the POST request body by chunks,
therefore the memory consumption is proportional to the amount of sent
data.
(cherry picked from commit 0e4f4f1a46)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 2026-01-25 17:10:45 +00:00
Miss Islington (bot) e9970f0772 [3.11] gh-143935: Email preserve parens when folding comments (GH-143936) (#144037) 
gh-143935: Email preserve parens when folding comments (GH-143936)

Fix a bug in the folding of comments when flattening an email message
using a modern email policy. Comments consisting of a very long sequence of
non-foldable characters could trigger a forced line wrap that omitted the
required leading space on the continuation line, causing the remainder of
the comment to be interpreted as a new header field. This enabled header
injection with carefully crafted inputs.
(cherry picked from commit 17d1490aa9)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
 2026-01-25 17:10:38 +00:00
Miss Islington (bot) b1869ff648 [3.11] gh-143919: Reject control characters in http cookies (#144092) 
gh-143919: Reject control characters in http cookies
(cherry picked from commit 95746b3a13)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Bartosz Sławecki <bartosz@ilikepython.com>
Co-authored-by: sobolevn <mail@sobolevn.me>
 2026-01-25 17:10:18 +00:00
Miss Islington (bot) 842ce19a0c [3.11] gh-144125: email: verify headers are sound in BytesGenerator (#144189) 
gh-144125: email: verify headers are sound in BytesGenerator
(cherry picked from commit 052e55e7d4)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
 2026-01-25 17:09:56 +00:00
Seth Michael Larson 3f396ca9d7 [3.11] gh-143925: Reject control characters in data: URL mediatypes (#144114) 
(cherry picked from commit f25509e78e)
(cherry picked from commit 2c9c746077)
 2026-01-25 17:05:19 +00:00
Gregory P. Smith e4846a93ac [3.11] gh-143916: Reject control characters in wsgiref.headers.Headers 
gh-143916: Reject control characters in wsgiref.headers.Headers  (GH-143917)

* Add 'test.support' fixture for C0 control characters
* gh-143916: Reject control characters in wsgiref.headers.Headers

(cherry picked from commit f7fceed79c)
(cherry picked from commit 22e4d55285)

Co-authored-by: Seth Michael Larson <seth@python.org>
 2026-01-20 22:51:58 +00:00
Hugo van Kemenade cf039bc7a1 [3.11] Bump GitHub Actions (GH-143757) (#143802) 2026-01-13 17:23:07 +02:00
Stan Ulbrych 0b8e4fe493 [3.11] gh-139436: Remove `dist-pdf` from the docs archives rebuild target (#139437) (#141164) 
(cherry picked from commit 0e2cdd313b)

Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
 2025-12-29 19:47:57 +01:00
Sebastian Pipping 9bbb68a524 [3.11] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139529) 
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
 2025-11-25 15:25:17 +00:00
Miss Islington (bot) 3b7d81da07 [3.11] gh-136063: fix quadratic-complexity parsing in email.message._parseparam (GH-136072) (GH-140830) 
(cherry picked from commit 680a5d070f)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 2025-10-31 18:29:53 +01:00
Łukasz Langa 5dceb93486 [3.11] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) (GH-140848) 
(cherry picked from commit f029e8db62)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 2025-10-31 18:15:08 +01:00
Serhiy Storchaka a18b38172a [3.11] gh-137836: Support more RAWTEXT and PLAINTEXT elements in HTMLParser (GH-137837) (GH-140842) (GH-140852) 
(cherry picked from commit a17c57eee5)
(cherry picked from commit 0329bd11c7)

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 2025-10-31 18:14:55 +01:00
Miss Islington (bot) 20fe1821d7 [3.11] gh-90953: Don't use deprecated AST nodes in clinic.py (GH-104322) (GH-140856) 
(cherry picked from commit fe694a6db6)

Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
 2025-10-31 17:57:52 +01:00
Gregory P. Smith 0cd888b8d3 [3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list (GH-121345) 
(cherry picked from commit 8334a1b55c)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 2025-10-31 15:19:07 +01:00
Pablo Galindo 88f3f5b5f1 Post 3.11.14 2025-10-09 19:11:08 +02:00
Pablo Galindo cd1c3a6342 Python 3.11.14 v3.11.14 2025-10-09 18:16:55 +02:00
Miss Islington (bot) 854c029d30 [3.11] gh-139310: skip test_aead_aes_gcm for Linux kernel between 6.16.0 and 6.17.x (GH-139552) (GH-139762) 
Currently, Fedora 42 uses a custom Linux Kernel 6.16.9 that backported an upstream change
from 6.17-rc7 [1,3] but not its subsequent fix [2]. Until the issue is resolved upstream,
we skip the failing test `test_socket.test_aead_aes_gcm` for kernel versions between 6.16
and 6.17.x.

[1] https://github.com/torvalds/linux/commit/1b34cbbf4f011a121ef7b2d7d6e6920a036d5285
[2] https://github.com/torvalds/linux/commit/d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb.
[3] https://gitlab.com/cki-project/kernel-ark/-/commit/45bcf60fe49b37daab1acee57b27211ad1574042
(cherry picked from commit 41712c4e09)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
 2025-10-09 11:06:51 +02:00
Jacob Coffee 7362ffdfe9 [3.11] gh-137638: Use macos-15-intel in GitHub Actions (GH-139154) (#139794) 2025-10-08 16:04:27 +00:00
Miss Islington (bot) 1d29afb0d6 [3.11] gh-139700: Check consistency of the zip64 end of central directory record (GH-139702) (GH-139708) (GH-139713) 
(cherry picked from commit 333d4a6f49)

Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
(cherry picked from commit 162997bb70)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 2025-10-08 13:46:45 +02:00
Miss Islington (bot) 22d5724fbb [3.11] gh-135661: Fix CDATA section parsing in HTMLParser (GH-135665) (GH-137774) (GH-139659) 
"] ]>" and "]] >" no longer end the CDATA section.

Make CDATA section parsing  context depending.
Add private method HTMLParser._set_support_cdata() to change the context.
If called with True, "<[CDATA[" starts a CDATA section which ends with "]]>".
If called with False, "<[CDATA[" starts a bogus comments which ends with ">".
(cherry picked from commit 0cbbfc4621)
(cherry picked from commit dcf24768c9)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
 2025-10-07 14:05:06 +02:00
Sebastian Pipping 1459d1f1f1 [3.11] gh-139400: Make sure that parent parsers outlive their subparsers in pyexpat (GH-139403) (#139612) 
* gh-139400: Make sure that parent parsers outlive their subparsers in `pyexpat` (#139403)

* Modules/pyexpat.c: Disallow collection of in-use parent parsers.

Within libexpat, a parser created via `XML_ExternalEntityParserCreate`
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, is was possible for the parent parser to be
garbage-collected too early.

(cherry picked from commit 6edb2ddb5f)

* Move news item from section "Core and Builtins" to section "Security"
 2025-10-07 00:34:05 +01:00