- Update to 3.11.0rc2:
- Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits
in string form is above a limit to avoid potential denial of
service attacks due to the algorithmic complexity. This is
a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Fix case of undefined behavior in ceval.c
- Do not expose KeyWrapper in _functools.
- Ensure that tracing, sys.settrace(), is turned on
immediately. In pre-release versions of 3.11, some tracing
events might have been lost when turning on tracing in a
__del__ method or interrupt.
- Fix use after free in trace refs build mode. Patch by Kumar
Aditya.
- When loading a file with invalid UTF-8 inside a multi-line
string, a correct SyntaxError is emitted.
- Make sure that incomplete frames do not show up in
tracemalloc traces.
- Remove two cases of undefined behavior, by adding NULL
checks.
- Fix possible NULL pointer dereference in
_PyThread_CurrentFrames. Patch by Kumar Aditya.
- Fix AttributeError missing name and obj attributes in
object.__getattribute__(). Patch by Philip Georgi.
- Loading a file with invalid UTF-8 will now report the broken
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python311?expand=0&rev=32
2022-09-15 11:14:50 +02:00
From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
2022-05-18 00:11:07 +02:00
From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 21 Feb 2022 08:16:09 -0800
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31472)

Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.

libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
---
Lib/test/test_minidom.py | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -6,7 +6,6 @@ import io
from test import support
import unittest
-import pyexpat
import xml.dom.minidom
from xml.dom.minidom import parse, Attr, Node, Document, parseString
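Review bot: dropping `import pyexpat` in this hunk is only safe if the two `pyexpat.version_info >= (2, 4, 5)` checks removed later in the patch were the module's only uses of that name. Worth a quick search of test_minidom.py before merging, since a leftover reference would surface as a NameError only when that particular test runs.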
@@ -1163,13 +1162,11 @@ class MinidomTest(unittest.TestCase):
# Verify that character decoding errors raise exceptions instead
# of crashing
- if pyexpat.version_info >= (2, 4, 5):
- self.assertRaises(ExpatError, parseString,
- b'<fran\xe7ais></fran\xe7ais>')
- self.assertRaises(ExpatError, parseString,
- b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
- else:
- self.assertRaises(UnicodeDecodeError, parseString,
+ # It doesn’t make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((UnicodeDecodeError, ExpatError)):
+ parseString(
b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
doc.unlink()
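Review bot: the rewritten assertion keeps only the last input, so the `b'<fran\xe7ais></fran\xe7ais>'` case and the second input from the removed `pyexpat.version_info` branch are dropped rather than folded into the new `with self.assertRaises((UnicodeDecodeError, ExpatError)):` block. If the test exists to show that undecodable bytes are rejected instead of crashing the parser, consider running each of those inputs under the same exception tuple so that coverage is not reduced along with the version check.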
@@ -1631,12 +1628,10 @@ class MinidomTest(unittest.TestCase):
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
def testExceptionOnSpacesInXMLNSValue(self):
- if pyexpat.version_info >= (2, 4, 5):
- context = self.assertRaisesRegex(ExpatError, 'syntax error')
- else:
- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-
- with context:
+ # It doesn’t make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((ExpatError, ValueError)):
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
def testDocRemoveChild(self):
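Review bot: in testExceptionOnSpacesInXMLNSValue, `with self.assertRaises((ExpatError, ValueError)):` replaces two `assertRaisesRegex` checks, and bare `ValueError` is broad enough that an unrelated failure inside `parseString` would also satisfy it. Both removed patterns ('syntax error' and 'Unsupported syntax') contain the word 'syntax', so `assertRaisesRegex((ExpatError, ValueError), 'syntax')` would cover both messages seen here without a version check while still tying the failure to the malformed `xmlns:abc` value.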