mirror/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-01-29 06:06:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
cpython/Lib
History
Miss Islington (bot) d7f8a5fe07
[3.9] gh-102153: Start stripping C0 control and space chars in urlsplit (GH-102508) (GH-104575) (GH-104592) (#104593) 
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport.  (people will see
that in the mainline /3/ docs)

(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)

Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
2023-05-22 12:42:37 +02:00
..
asyncio
Fix missing f prefix on f-strings (GH-91910)
2022-04-27 00:01:11 -07:00
collections
bpo-43102: Set namedtuple __new__'s internal builtins to a dict. (GH-24439) (GH-24452)
2021-02-04 16:12:34 -08:00
concurrent
[3.10] gh-90622: Do not spawn ProcessPool workers on demand via fork method. (GH-91598) (GH-92497) (#92499)
2022-05-08 11:22:36 -07:00
ctypes
bpo-46913: Fix test_ctypes, test_hashlib, test_faulthandler on UBSan (GH-31675) (GH-31676)
2022-03-04 01:31:54 +01:00
curses
dbm
distutils
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
email
[3.9] gh-77630: Change Charset to charset (GH-92439) (GH-92477)
2022-05-08 08:28:18 -07:00
encodings
[3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (#99230)
2022-11-10 16:57:41 +01:00
ensurepip
[3.9] gh-101997: Update bundled pip version to 23.0.1 (GH-101998). (#102243)
2023-03-28 10:52:56 +02:00
html
Add source for character mappings (GH-92014) (#92388)
2022-05-06 12:58:10 +02:00
http
[3.9] gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (GH-104067) (#104120)
2023-05-22 12:40:50 +02:00
idlelib
bpo-45447: Add syntax highlighting for .pyi files in IDLE (GH-28950)
2022-02-12 17:19:25 -08:00
importlib
[3.9] bpo-47004: Sync with importlib_metadata 4.11.3. (GH-31854). (GH-31859)
2022-03-13 17:30:07 -04:00
json
bpo-46001: Change OverflowError to RecursionError in JSON library docstrings (GH-29943)
2021-12-07 02:25:02 -08:00
lib2to3
bpo-46542: test_lib2to3 uses support.infinite_recursion() (GH-31035)
2022-01-31 12:03:44 -08:00
logging
[3.9] bpo-46063: Improve algorithm for computing which rolled-over log file… (GH-30093) (GH-30095)
2021-12-14 01:19:50 +00:00
msilib
[3.9] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28512)
2021-09-22 17:32:04 +02:00
multiprocessing
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)
2022-10-28 12:08:30 +02:00
pydoc_data
Python 3.9.15
2022-10-11 16:48:37 +02:00
site-packages
sqlite3
[3.9] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (#92278)
2022-05-05 12:47:58 -07:00
test
[3.9] gh-102153: Start stripping C0 control and space chars in urlsplit (GH-102508) (GH-104575) (GH-104592) (#104593)
2023-05-22 12:42:37 +02:00
tkinter
bpo-13553: Document tkinter.Tk args (GH-4786)
2022-05-09 21:20:37 -07:00
turtledemo
bpo-44254: On Mac, remove disfunctional colors from turtledemo buttons (GH-26448)
2021-05-29 04:16:34 -04:00
unittest
[3.10] gh-91676 gh-91260 unittest.IsolatedAsyncioTestCase no longer leaks its executor (GH-91680)
2022-04-19 09:40:52 -07:00
urllib
[3.9] gh-102153: Start stripping C0 control and space chars in urlsplit (GH-102508) (GH-104575) (GH-104592) (#104593)
2023-05-22 12:42:37 +02:00
venv
[3.9] bpo-43749: Ensure current exe is copied when using venv on windows (GH-25216) (GH-30033)
2021-12-10 18:06:07 +00:00
wsgiref
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
xml
gh-91810: Fix regression with writing an XML declaration with encoding='unicode' (GH-93426) (GH-93791)
2022-06-16 12:16:30 +02:00
xmlrpc
bpo-45386: Handle strftime's ValueError graciously in xmlrpc.client (GH-28765) (GH-28935)
2021-10-13 20:00:05 +02:00
zoneinfo
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
__future__.py
__phello__.foo.py
_aix_support.py
bpo-43666: Lib/_aix_support.py routines may fail in a WPAR environment (GH-25095) (#25880)
2021-05-04 11:00:47 +02:00
_bootlocale.py
_bootsubprocess.py
_collections_abc.py
replace self param with more appropriate cls in classmethods (GH-31402) (#31445)
2022-02-21 02:10:35 +02:00
_compat_pickle.py
_compression.py
_markupbase.py
[3.9] bpo-34480: fix bug where match variable is used prior to being defined (GH-17643) (GH-32256)
2022-05-16 18:19:04 +02:00
_osx_support.py
[3.9] Remove trailing spaces (GH-28710)
2021-10-03 20:04:38 +03:00
_py_abc.py
_pydecimal.py
_pyio.py
bpo-25415: Remove confusing sentence from IOBase docstrings (PR-31631)
2022-03-04 10:34:14 -08:00
_sitebuiltins.py
_strptime.py
bpo-43295: Fix error handling of datetime.strptime format string '%z' (GH-24627) (#25695)
2021-05-19 20:37:49 -04:00
_threading_local.py
_weakrefset.py
bpo-44962: Fix a race in WeakKeyDict, WeakValueDict and WeakSet when two threads attempt to commit the last pending removal (GH-27921) (GH-28014)
2021-08-28 20:54:48 +02:00
abc.py
Clarify the order of a stacked abstractmethod (GH-26892)
2021-06-27 11:50:45 -07:00
aifc.py
antigravity.py
argparse.py
gh-91832: Add 'required' attr to argparse.Action repr (GH-91841)
2022-04-28 08:19:07 -07:00
ast.py
Fix typo in ast.py (GH-25740) (GH-25894)
2021-05-04 06:39:08 -07:00
asynchat.py
asyncore.py
base64.py
bpo-39068: Fix race condition in base64 (GH-17627)
2021-01-01 12:42:44 -08:00
bdb.py
fix docstring typo in bdb.py (GH-22323) (#26180)
2021-05-17 00:43:26 +01:00
binhex.py
bisect.py
bz2.py
bpo-44439: BZ2File.write()/LZMAFile.write() handle length correctly (GH-26846)
2021-06-22 16:57:41 +03:00
calendar.py
cgi.py
[3.9] bpo-42967: only use '&' as a query string separator (GH-24297) (#24528)
2021-02-15 10:03:31 -08:00
cgitb.py
chunk.py
cmd.py
code.py
codecs.py
bpo-14014: Clarify StreamWriter.reset() documentation (GH-13716)
2021-01-06 04:27:30 +02:00
codeop.py
colorsys.py
compileall.py
Fix missing space with help for -m compileall -o (GH-27591) (GH-28431)
2021-09-18 00:55:37 +02:00
configparser.py
bpo-41963: document that ConfigParser strips off comments (GH-26197) (GH-26213)
2021-05-18 18:44:48 +02:00
contextlib.py
[3.9] bpo-44594: fix (Async)ExitStack handling of __context__ (gh-27089) (GH-28731)
2021-10-04 23:37:24 -07:00
contextvars.py
copy.py
bpo-45752: Remove "array" from list of things that cannot be copied in copy module docstring (GH-29555)
2021-11-14 05:21:32 -08:00
copyreg.py
cProfile.py
[3.9] gh-103935: Use io.open_code() when executing code in trace and profile modules (GH-103947) (#103953)
2023-05-22 12:40:30 +02:00
crypt.py
csv.py
dataclasses.py
[3.9] bpo-45662: Fix the repr of InitVar with a type alias to the built-in class (GH-29291) (GH-29924)
2021-12-10 11:42:49 +02:00
datetime.py
Check result of utc_to_seconds and skip fold probe in pure Python (GH-91582) (GH-92748)
2022-05-16 17:33:01 +02:00
decimal.py
difflib.py
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
dis.py
doctest.py
bpo-2604: Make doctest.DocTestCase reset globs in teardown (GH-31932)
2022-03-22 14:27:26 -07:00
enum.py
[Enum] improve pickle support (#26666)
2021-06-11 01:26:32 -07:00
filecmp.py
bpo-42958: Improve description of shallow= in filecmp.cmp docs (GH-27166) (GH-27608)
2021-08-04 22:09:45 +02:00
fileinput.py
fnmatch.py
bpo-36769: Document that fnmatch.filter supports any kind of iterable (GH-13039)
2020-12-18 11:34:27 -08:00
formatter.py
fractions.py
ftplib.py
bpo-43285 Make ftplib not trust the PASV response. (GH-24838)
2021-03-15 12:02:45 -07:00
functools.py
[3.9] bpo-46032: Check types in singledispatch's register() at declaration time (GH-30050) (GH-30254) (GH-30255)
2021-12-26 14:23:23 +02:00
genericpath.py
getopt.py
getpass.py
update docstring for win_getpass to reflect code changes (GH-24967)
2021-05-04 00:10:32 -07:00
gettext.py
glob.py
[3.9] bpo-44482: Fix very unlikely resource leak in glob in non-CPython implementations (GH-26843). (GH-26916)
2021-06-27 14:28:24 +03:00
graphlib.py
[3.9] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28512)
2021-09-22 17:32:04 +02:00
gzip.py
[3.9] Fix typo in comment (GH-26162) (GH-26165)
2021-05-16 11:08:10 -07:00
hashlib.py
heapq.py
hmac.py
imaplib.py
imghdr.py
imp.py
inspect.py
bpo-43118: Fix bug in inspect.signature around 'base.__text_signature__' (GH-30285)
2022-01-21 14:06:35 -08:00
io.py
ipaddress.py
bpo-46415: Use f-string for ValueError in ipaddress.ip_{address,network,interface} helper functions (GH-30642)
2022-05-03 05:34:50 -07:00
keyword.py
linecache.py
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
locale.py
lzma.py
bpo-44439: BZ2File.write()/LZMAFile.write() handle length correctly (GH-26846)
2021-06-22 16:57:41 +03:00
mailbox.py
mailcap.py
[3.9] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98190)
2022-10-11 23:13:18 +02:00
mimetypes.py
bpo-20392: Fix inconsistency with uppercase file extensions in mimetypes.guess_type (GH-30229)
2022-03-15 08:50:01 -07:00
modulefinder.py
netrc.py
nntplib.py
ntpath.py
nturl2path.py
bpo-43607: Fix urllib handling of Windows paths with \\?\ prefix (GH-25539)
2021-04-23 10:28:05 -07:00
numbers.py
bpo-44072: fix Complex, Integral docs for ** (GH-25986)
2021-05-14 15:25:43 -07:00
opcode.py
operator.py
[3.9] bpo-44558: Match countOf is/== treatment to c (GH-27007). (GH-27055)
2021-07-07 23:55:22 +09:00
optparse.py
os.py
pathlib.py
bpo-27827: identify a greater range of reserved filename on Windows. (GH-26698) (#27422)
2021-07-28 17:15:51 +02:00
pdb.py
bpo-46434: Handle missing docstrings in pdb help (GH-30705)
2022-01-21 09:33:25 -08:00
pickle.py
[3.9] Fix typos in the Lib directory (GH-28775) (GH-28803)
2021-10-07 08:42:38 -07:00
pickletools.py
pipes.py
pkgutil.py
[3.9] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28512)
2021-09-22 17:32:04 +02:00
platform.py
bpo-44572: On Windows, disconnect STDIN in platform._syscmd_ver() to prevent erroneous STDIN consumption (GH-27092)
2021-07-14 17:17:18 +01:00
plistlib.py
poplib.py
posixpath.py
bpo-26329: update os.path.normpath documentation (GH-20138) (#27095)
2021-07-12 17:22:33 +02:00
pprint.py
profile.py
[3.9] gh-103935: Use io.open_code() when executing code in trace and profile modules (GH-103947) (#103953)
2023-05-22 12:40:30 +02:00
pstats.py
pty.py
py_compile.py
pyclbr.py
pydoc.py
[3.9] bpo-40296: Fix supporting generic aliases in pydoc (GH-30253). (GH-31976) (GH-31981)
2022-03-19 17:12:48 +02:00
queue.py
gh-90879: Fix missing parameter for put_nowait() (GH-91514)
2022-04-14 02:23:15 -07:00
quopri.py
random.py
bpo-44018: random.seed() no longer mutates its inputs (GH-25856) (GH-25864)
2021-05-03 16:36:14 -07:00
re.py
reprlib.py
rlcompleter.py
bpo-44752: refactor part of rlcompleter.Completer.attr_matches (GH-27433) (GH-27446)
2021-07-29 17:46:07 +02:00
runpy.py
bpo-26792: Improve docstrings of runpy module run_functions (GH-30729)
2022-04-29 11:46:47 -07:00
sched.py
secrets.py
selectors.py
shelve.py
shlex.py
shutil.py
[3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) (#104382)
2023-05-15 18:53:58 +02:00
signal.py
[3.10] bpo-27718: Fix help for the signal module (GH-30063) (GH-30080)
2021-12-13 02:43:13 -08:00
site.py
smtpd.py
smtplib.py
bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28035)
2021-08-29 16:45:25 +02:00
sndhdr.py
socket.py
bpo-40635: Fix getfqdn() docstring and docs (GH-27971)
2021-08-26 12:55:22 -07:00
socketserver.py
[3.9] bpo-37193: Remove thread objects which finished process its request (GH-23127) (GH-24750)
2021-03-04 08:36:41 -08:00
sre_compile.py
[3.9] gh-91575: Update case-insensitive matching in re to the latest Unicode version (GH-91580). (GH-91661) (GH-91837)
2022-04-22 22:02:56 +03:00
sre_constants.py
[3.9] gh-92049: Forbid pickling constants re._constants.SUCCESS etc (GH-92070) (GH-92073) (GH-92102)
2022-05-01 13:01:56 +03:00
sre_parse.py
[3.9] gh-91700: Validate the group number in conditional expression in RE (GH-91702) (GH-91831) (GH-91836)
2022-04-22 22:02:20 +03:00
ssl.py
bpo-46604: fix function name in ssl module docstring (GH-31064)
2022-05-03 09:33:35 -07:00
stat.py
statistics.py
Fix double-space in exception message (GH-29955) (GH-29983)
2021-12-08 13:41:50 +02:00
string.py
stringprep.py
struct.py
subprocess.py
[3.9] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101709)
2023-02-09 10:59:40 +01:00
sunau.py
symbol.py
symtable.py
sysconfig.py
bpo-42504: Ensure that get_config_var('MACOSX_DEPLOYMENT_TARGET') is a string (GH-24341) (GH-24410)
2021-01-31 23:22:48 -05:00
tabnanny.py
tarfile.py
[3.9] gh-102950: Implement PEP 706 – Filter for tarfile.extractall (GH-102953) (#104382)
2023-05-15 18:53:58 +02:00
telnetlib.py
tempfile.py
bpo-45192: Fix a bug that infers the type of an os.PathLike[bytes] object as str (GH-28323) (GH-29112)
2021-10-20 23:25:10 +02:00
textwrap.py
this.py
threading.py
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify (GH-92534) (GH-92831)
2022-05-16 17:25:31 +02:00
timeit.py
token.py
tokenize.py
bpo-44667: Treat correctly lines ending with comments and no newlines in the Python tokenizer (GH-27499) (GH-27501)
2021-08-02 11:44:01 +02:00
trace.py
[3.9] gh-103935: Use io.open_code() when executing code in trace and profile modules (GH-103947) (#103953)
2023-05-22 12:40:30 +02:00
traceback.py
bpo-45614: Fix traceback display for exceptions with invalid module name (GH-29726) (GH-29827)
2021-11-29 10:11:48 +00:00
tracemalloc.py
bpo-37961: Fix regression in tracemalloc.Traceback.__repr__ (GH-23805)
2020-12-16 14:01:14 -08:00
tty.py
turtle.py
bpo-45837: Note tiltangle is not deprecated, it's really settiltangle (GH-29630)
2021-11-19 19:55:15 +01:00
types.py
bpo-45664: Fix resolve_bases() and new_class() for GenericAlias instance as a base (GH-29298) (GH-29928)
2021-12-07 14:00:06 +02:00
typing.py
Lib/typing.py copy edits originating from GH-31061 (GH-31684)
2022-03-04 19:21:51 -08:00
uu.py
[3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) (#104331)
2023-05-22 12:41:30 +02:00
uuid.py
warnings.py
wave.py
weakref.py
bpo-44962: Fix a race in WeakKeyDict, WeakValueDict and WeakSet when two threads attempt to commit the last pending removal (GH-27921) (GH-28014)
2021-08-28 20:54:48 +02:00
webbrowser.py
xdrlib.py
zipapp.py
zipfile.py
bpo-42369: Fix thread safety of zipfile._SharedFile.tell (GH-26974)
2022-03-20 07:54:19 -07:00
zipimport.py