(cherry picked from commit bb0268f60dfe903a9bdb8d84104247a9318c6b18)
(cherry picked from commit 6af54d298d5135302037cdda7a1f5535e48cb1b6)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Email generators using email.policy.default may convert an RFC 2047
encoded-word to unencoded form during header refolding. In a structured
header, this could allow 'specials' chars outside a quoted-string,
leading to invalid address headers and enabling spoofing. This change
ensures a parsed encoded-word that contains specials is kept as an
encoded-word while the header is refolded.
[Better fix from @bitdancer.]
(cherry picked from commit 295b53df2aa18deb625a7da41f7e4babfe6ef34b)
Co-authored-by: Mike Edmunds <medmunds@gmail.com>
Co-authored-by: R David Murray <rdmurray@bitdance.com>
The IMAP4 client could consume an arbitrary amount of memory when trying
to connect to a malicious server, because it read a "literal" data with a
single read(size) call, and BufferedReader.read() allocates the bytes
object of the specified size before reading. Now the IMAP4 client reads data
by chunks, therefore the amount of used memory is limited by the
amount of the data actually been sent by the server.
(cherry picked from commit 735f25c5e3a0f74438c86468ec4dfbe219d93c91)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Fix ThreadedVSOCKSocketStreamTest: if get_cid() returns the host
address or the "any" address, use the local communication address
(loopback): VMADDR_CID_LOCAL.
On Linux 6.9, apparently, the /dev/vsock device is now available but
get_cid() returns VMADDR_CID_ANY (-1).
(cherry picked from commit 45db419c3104a14007ea9efbc4bff03aef8ed10c)
(cherry picked from commit e94dbe4ed83460f18bd72563c5f09f6cdc71f604)
(cherry picked from commit c750061047ee520d8299334df4b112fd983d7e48)
(cherry picked from commit cbfe3023e46b544b80ea1a38a8c900c6fb881554)
---
Restore the skipUnless removed by GH-119465.
This test can only pass on virtual machines, not actual machines.
Actual machines see:
```
self.cli.connect((cid, VSOCKPORT))
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
OSError: [Errno 19] No such device
```
Reproduced on (Linux) Ubuntu 24.04.1 running 6.8.0-52-generic.
(cherry picked from commit 2bd9f9b0547f6ffe40cd1dd964459ce11b58144d)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: James De Bias <81095953+DBJim@users.noreply.github.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Make `versionchanged:: next`` expand to current (unreleased) version.
When a new CPython release is cut, the release manager will replace
all such occurences of "next" with the just-released version.
(See the issue for release-tools and devguide PRs.)
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
(cherry picked from commit 7d24ea9db3e8fdca52058629c9ba577aba3d8e5c)
gh-121277: Raise nice error on `next` as second argument to deprecated-removed (GH-124623)
(cherry-picked from e349f73a5ad2856b0a7cbe4aef7cc081c7aed777)
(cherry-picked from 3.11: f0895aa9c1d40d0add673cc51bd143556e22100a)
(cherry-picked from 3.10: 8773554b717cfb08b4bd11a927813f4ed74762c7)
Make IPv4-mapped IPv6 address properties consistent with IPv4.
(cherry picked from commit 76a1c5d18312712baed4699fe7333abb050ec9b7)
(cherry picked from commit b58da409aac90123c1159916908a4c49144925ee)
Co-authored-by: Seth Michael Larson <seth@python.org>
It was never really safe and this claim conflicts directly with the big warning in the docs about it being able to crash the interpreter.
(cherry picked from commit 8baef8ae367041a5cfefb40b19c7b87e9bcb56a2)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5)
Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com>
Determine the support of the Kyiv timezone by checking the result of
astimezone() which uses the system tz database and not the one
populated by zoneinfo.
(cherry picked from commit 931d7e052e22aa01e18fcc67ed71b6ea305aff71)
Use a longer key: FIPS mode requires at least of at least 112 bits.
The previous key was only 32 bits.
(cherry picked from commit e091b9f20fa8e409003af79f3c468b8225e6dcd3)
(cherry picked from commit f7bfac4b3dd30920f97a542fd78c355ce62aa267)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
This backports two commits:
- GH-31096 skipped the tests unconditionally
- GH-125042 skips only the possibly-failing assertion
(cherry picked from commit d522856)
On FreeBSD, regular users cannot set the sticky bit. Skip the test if
chmod() fails with EFTYPE error.
Co-authored-by: Victor Stinner <vstinner@python.org>
Per https://github.com/python/cpython/issues/89452GH-issuecomment-1116329316,
the issue is fixed in configure for 3.11+, and
> For older Python versions, the workaround is to build with:
>
> ./configure --with-dbmliborder=gdbm:ndbm
We need this workaround in GitHub Actions, otherwise the tests fail.
(cherry picked from commit 850189a64e7f0b920fe48cb12a5da3e648435680)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-Authored-By: Thomas Dwyer <github@tomd.tel>
HEAD_LOCK is called from _PyEval_ReInitThreads->_PyThreadState_DeleteExcept before _PyRuntimeState_ReInitThreads reinit runtime->interpreters.mutex which might be locked before fork.
(cherry picked from commit 522799a05e3e820339718151ac055af6d864d463)
Co-authored-by: ChuBoning <102216855+ChuBoning@users.noreply.github.com>
Applies changes from zipp 3.20.1 and jaraco/zippGH-124
(cherry picked from commit 2231286d78d328c2f575e0b05b16fe447d1656d6)
(cherry picked from commit 17b77bb41409259bad1cd6c74761c18b6ab1e860)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
* Optimize parsing of GNU extended sparse headers v0.0
(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
This should fail for custom fold() implementations that aren't careful
about newlines.
(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660)
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Authenticate socket connection for `socket.socketpair()` fallback when the platform does not have a native `socketpair` C API. We authenticate in-process using `getsocketname` and `getpeername` (thanks to Nathaniel J Smith for that suggestion).
(cherry picked from commit 78df1043dbdce5c989600616f9f87b4ee72944e5)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
[1] https://github.com/python/cpython/issues/61602
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
This fixes XML unittest fallout from the https://github.com/python/cpython/issues/115398 security fix. When configured using `--with-system-expat` on systems with older pre 2.6.0 versions of libexpat, our unittests were failing.
(cherry picked from commit 9f74e86c78853c101a23e938f8e32ea838d8f62e)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
