906ed044aa
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
65 lines
2.3 KiB
Diff
65 lines
2.3 KiB
Diff
From 0870559b9af82b55f1fd8b35528510f563577256 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 23 Dec 2015 11:51:31 +0100
|
|
Subject: [PATCH] Add an option to disable decimal
|
|
|
|
This patch replaces the existing --with-system-libmpdec option with a
|
|
--with-libmpdec={system,builtin,none} option, which allows to tell
|
|
Python whether we want to use the system libmpdec (already installed),
|
|
the libmpdec builtin the Python sources, or no libmpdec at all.
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
[aduskett@gmail.com: Update for python 3.7.0]
|
|
Signed-off-by: Adam Duskett <aduskett@gmail.com>
|
|
---
|
|
configure.ac | 17 ++++++++++++-----
|
|
setup.py | 2 +-
|
|
2 files changed, 13 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 2699e7ceb1..e2c3b6f25c 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -3020,13 +3020,20 @@ fi
|
|
AC_SUBST(LIBFFI_INCLUDEDIR)
|
|
|
|
# Check for use of the system libmpdec library
|
|
-AC_MSG_CHECKING(for --with-system-libmpdec)
|
|
-AC_ARG_WITH(system_libmpdec,
|
|
- AS_HELP_STRING([--with-system-libmpdec], [build _decimal module using an installed libmpdec library]),
|
|
+AC_MSG_CHECKING(for --with-libmpdec)
|
|
+AC_ARG_WITH(libmpdec,
|
|
+ AS_HELP_STRING([--with-libmpdec], [select which libmpdec version to use: system, builtin, none]),
|
|
[],
|
|
- [with_system_libmpdec="no"])
|
|
+ [with_libmpdec="builtin"])
|
|
|
|
-AC_MSG_RESULT($with_system_libmpdec)
|
|
+AC_MSG_RESULT($with_libmpdec)
|
|
+if test "$with_libmpdec" != "none"; then
|
|
+ MPDEC=yes
|
|
+else
|
|
+ DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} _decimal"
|
|
+ MPDEC=no
|
|
+fi
|
|
+AC_SUBST(MPDEC)
|
|
|
|
# Check for support for loadable sqlite extensions
|
|
AC_MSG_CHECKING(for --enable-loadable-sqlite-extensions)
|
|
diff --git a/setup.py b/setup.py
|
|
index d642825c1e..5b98255857 100644
|
|
--- a/setup.py
|
|
+++ b/setup.py
|
|
@@ -2054,7 +2054,7 @@ class PyBuildExt(build_ext):
|
|
def _decimal_ext(self):
|
|
extra_compile_args = []
|
|
undef_macros = []
|
|
- if '--with-system-libmpdec' in sysconfig.get_config_var("CONFIG_ARGS"):
|
|
+ if '--with-libmpdec=system' in sysconfig.get_config_var("CONFIG_ARGS"):
|
|
include_dirs = []
|
|
libraries = [':libmpdec.so.2']
|
|
sources = ['_decimal/_decimal.c']
|
|
--
|
|
2.13.5
|
|
|