9e12fb0ebe
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 906ed044aa
)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
57 lines
2.0 KiB
Diff
57 lines
2.0 KiB
Diff
From e568f4deb7c648e3265154574db753601636cdda Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 22 Feb 2017 16:21:31 -0800
|
|
Subject: [PATCH] Make the build of pyc files conditional
|
|
|
|
This commit adds a new configure option --disable-pyc-build to disable
|
|
the compilation of pyc.
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
[ Andrey Smrinov: ported to Python 3.6 ]
|
|
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
|
|
---
|
|
Makefile.pre.in | 2 ++
|
|
configure.ac | 6 ++++++
|
|
2 files changed, 8 insertions(+)
|
|
|
|
diff --git a/Makefile.pre.in b/Makefile.pre.in
|
|
index 82e830727e..b38bd79121 100644
|
|
--- a/Makefile.pre.in
|
|
+++ b/Makefile.pre.in
|
|
@@ -1395,6 +1395,7 @@ libinstall: build_all $(srcdir)/Modules/xxmodule.c
|
|
$(INSTALL_DATA) $(srcdir)/Modules/xxmodule.c \
|
|
$(DESTDIR)$(LIBDEST)/distutils/tests ; \
|
|
fi
|
|
+ifeq (@PYC_BUILD@,yes)
|
|
-PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \
|
|
$(PYTHON_FOR_BUILD) -Wi $(DESTDIR)$(LIBDEST)/compileall.py \
|
|
-d $(LIBDEST) -f \
|
|
@@ -1422,6 +1423,7 @@ libinstall: build_all $(srcdir)/Modules/xxmodule.c
|
|
$(PYTHON_FOR_BUILD) -Wi -OO $(DESTDIR)$(LIBDEST)/compileall.py \
|
|
-d $(LIBDEST)/site-packages -f \
|
|
-x badsyntax $(DESTDIR)$(LIBDEST)/site-packages
|
|
+endif
|
|
-PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \
|
|
$(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/Grammar.txt
|
|
-PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 962006704f..a76b5444df 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -1107,6 +1107,12 @@ fi
|
|
|
|
AC_MSG_CHECKING(LDLIBRARY)
|
|
|
|
+AC_SUBST(PYC_BUILD)
|
|
+
|
|
+AC_ARG_ENABLE(pyc-build,
|
|
+ AS_HELP_STRING([--disable-pyc-build], [disable build of pyc files]),
|
|
+ [ PYC_BUILD="${enableval}" ], [ PYC_BUILD=yes ])
|
|
+
|
|
# MacOSX framework builds need more magic. LDLIBRARY is the dynamic
|
|
# library that we build, but we do not want to link against it (we
|
|
# will find it with a -framework option). For this reason there is an
|
|
--
|
|
2.13.5
|
|
|