906ed044aa
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
74 lines
2.2 KiB
Diff
74 lines
2.2 KiB
Diff
From f96a00d42e714171f1d90501ed73594fddee570f Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 22 Feb 2017 17:23:42 -0800
|
|
Subject: [PATCH] Add an option to disable the tk module
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
|
|
[ Andrey Smirnov: ported to Python 3.6 ]
|
|
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
|
|
---
|
|
Makefile.pre.in | 11 ++++++++---
|
|
configure.ac | 9 +++++++++
|
|
2 files changed, 17 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/Makefile.pre.in b/Makefile.pre.in
|
|
index a1ce0712cd..dc1e917cc3 100644
|
|
--- a/Makefile.pre.in
|
|
+++ b/Makefile.pre.in
|
|
@@ -1266,7 +1266,7 @@ maninstall: altmaninstall
|
|
# Install the library
|
|
XMLLIBSUBDIRS= xml xml/dom xml/etree xml/parsers xml/sax
|
|
|
|
-LIBSUBDIRS= tkinter site-packages \
|
|
+LIBSUBDIRS= site-packages \
|
|
asyncio \
|
|
collections concurrent concurrent/futures encodings \
|
|
email email/mime \
|
|
@@ -1283,8 +1283,7 @@ LIBSUBDIRS= tkinter site-packages \
|
|
venv venv/scripts venv/scripts/common venv/scripts/posix \
|
|
curses
|
|
|
|
-TESTSUBDIRS= tkinter/test tkinter/test/test_tkinter \
|
|
- tkinter/test/test_ttk test \
|
|
+TESTSUBDIRS= test \
|
|
test/audiodata \
|
|
test/capath test/data \
|
|
test/cjkencodings test/decimaltestdata test/xmltestdata \
|
|
@@ -1348,6 +1347,12 @@ TESTSUBDIRS= tkinter/test tkinter/test/test_tkinter \
|
|
test/test_tools test/test_warnings test/test_warnings/data \
|
|
unittest/test unittest/test/testmock
|
|
|
|
+ifeq (@TK@,yes)
|
|
+LIBSUBDIRS += tkinter
|
|
+TESTSUBDIRS += tkinter/test tkinter/test/test_tkinter \
|
|
+ tkinter/test/test_ttk
|
|
+endif
|
|
+
|
|
ifeq (@LIB2TO3@,yes)
|
|
LIBSUBDIRS += lib2to3 lib2to3/fixes lib2to3/pgen2
|
|
TESTSUBDIRS += lib2to3/tests \
|
|
diff --git a/configure.ac b/configure.ac
|
|
index d7582cfea4..6a56a5b0c1 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -3235,6 +3235,15 @@ if test "$SQLITE3" = "no" ; then
|
|
DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} _sqlite3"
|
|
fi
|
|
|
|
+AC_SUBST(TK)
|
|
+AC_ARG_ENABLE(tk,
|
|
+ AS_HELP_STRING([--disable-tk], [disable tk]),
|
|
+ [ TK="${enableval}" ], [ TK=yes ])
|
|
+
|
|
+if test "$TK" = "no"; then
|
|
+ DISABLED_EXTENSIONS="${DISABLED_EXTENSIONS} _tkinter"
|
|
+fi
|
|
+
|
|
AC_SUBST(PYDOC)
|
|
|
|
AC_ARG_ENABLE(pydoc,
|
|
--
|
|
2.13.5
|
|
|