~ubuntu-support-team/python/+git/python:3.6

Last commit made on 2021-06-28
Get this branch:
git clone -b 3.6 https://git.launchpad.net/~ubuntu-support-team/python/+git/python

Recent commits

af1e6b9... by Ned Deily <email address hidden>

Post release updates

9a0099d... by Ned Deily <email address hidden>

3.6.14

1b6f4e5... by "Miss Islington (bot)" <email address hidden>

bpo-44022: Improve the regression test. (GH-26503) (GH-26508)

It wasn't actually detecting the regression due to the
assertion being too lenient.
(cherry picked from commit e60ab843cbb016fb6ff8b4f418641ac05a9b2fcc)

Co-authored-by: Gregory P. Smith <email address hidden>

6f743e7... by Senthil Kumaran <email address hidden>

[3.6] bpo-43882 - Mention urllib.parse changes in What's New section for 3.6.14 (GH-26268)

Co-authored-by: Gregory P. Smith <email address hidden>

f68d2d6... by "Miss Islington (bot)" <email address hidden>

bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25935)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <email address hidden>
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)

Co-authored-by: Gen Xu <email address hidden>

3fbe961... by "Miss Islington (bot)" <email address hidden>

bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25250)

Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows causing a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)

Co-authored-by: Yeting Li <email address hidden>

6c472d3... by "Miss Islington (bot)" <email address hidden>

[3.6] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs (GH-25924)

Co-authored-by: Gregory P. Smith <email address hidden>
Co-authored-by: Serhiy Storchaka <email address hidden>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <email address hidden>
(cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407)

Co-authored-by: Miss Islington (bot) <email address hidden>

5b1e502... by "Miss Islington (bot)" <email address hidden>

bpo-42988: Remove the pydoc getfile feature (GH-25015) (GH-25067)

CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)

Co-authored-by: Victor Stinner <email address hidden>

4134f15... by "Miss Islington (bot)" <email address hidden>

[3.6] bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881) (GH-24882)

The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.

For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)

Co-authored-by: Gregory P. Smith <email address hidden>
(cherry picked from commit 664d1d16274b47eea6ec92572e1ebf3939a6fa0c)
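The endpoint choice described in the bpo-43285 message above, as an added example that is not part of the commit or of ftplib's own code. The function name `choose_data_endpoint`, the `mismatch` flag and the sample replies are assumptions made for illustration; only `ftplib.parse227` and the `trust_server_pasv_ipv4_address` name come from the standard library and the commit message.

```python
import ftplib


def choose_data_endpoint(pasv_reply, control_peer_host,
                         trust_server_pasv_ipv4_address=False):
    """Pick the (host, port) for a passive-mode data connection.

    pasv_reply        -- the server's raw "227 ..." reply line
    control_peer_host -- the IP the control connection is already using
    Returns (host, port, mismatch); mismatch is True when the server
    advertised a different IPv4 address than the one we are connected to,
    which is worth logging on the client side.
    """
    # parse227 raises ftplib.error_reply for anything that is not a 227
    # reply and ftplib.error_proto when the six numbers are missing.
    advertised_host, port = ftplib.parse227(pasv_reply)
    mismatch = advertised_host != control_peer_host

    if trust_server_pasv_ipv4_address:
        # Legacy behaviour: connect wherever the server tells us to.
        host = advertised_host
    else:
        # Behaviour after the fix: keep only the port, reuse the peer IP.
        host = control_peer_host
    return host, port, mismatch


# Constructed sample data (documentation and private address ranges).
CONTROL_PEER = "203.0.113.10"
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
REDIRECT_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"

if __name__ == "__main__":
    for reply in (HONEST_REPLY, REDIRECT_REPLY):
        for trust in (False, True):
            host, port, mismatch = choose_data_endpoint(
                reply, CONTROL_PEER, trust_server_pasv_ipv4_address=trust)
            print(f"trust={trust!s:5} -> {host}:{port} mismatch={mismatch}")
```
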

a64de63... by Ned Deily <email address hidden>

Post release updates