Matej Cepl
041ff70f73
- gh-115399 & gh-115398: bundled libexpat was updated to 2.6.0
to address CVE-2023-52425, and control of the new reparse
deferral functionality was exposed with new APIs
- gh-109858: zipfile is now protected from the “quoted-overlap”
zipbomb to address CVE-2024-0450. It now raises BadZipFile
when attempting to read an entry that overlaps with another
entry or central directory
- gh-91133: tempfile.TemporaryDirectory cleanup no longer
dereferences symlinks when working around file system
permission errors to address CVE-2023-6597
- gh-115197: urllib.request no longer resolves the hostname
before checking it against the system’s proxy bypass list on
macOS and Windows
- gh-81194: a crash in socket.if_indextoname() with a specific
value (UINT_MAX) was fixed. Relatedly, an integer overflow in
socket.if_indextoname() on 64-bit non-Windows platforms was
fixed
- gh-113659: .pth files with names starting with a dot or
containing the hidden file attribute are now skipped
- gh-102388: iso2022_jp_3 and iso2022_jp_2004 codecs no longer
read out of bounds
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to
the certificate store, when the ssl.SSLContext is shared
across multiple threads
- Remove upstreamed patches:
- CVE-2023-6597-TempDir-cleaning-symlink.patch
- Port to %autosetup and %autopatch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=119
48 lines
1.8 KiB
Diff
48 lines
1.8 KiB
Diff
From f2eebf3c38eae77765247791576b437ec25ccfe2 Mon Sep 17 00:00:00 2001
|
|
From: Serhiy Storchaka <storchaka@gmail.com>
|
|
Date: Sun, 11 Feb 2024 12:08:39 +0200
|
|
Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
|
|
(GH-115164)
|
|
|
|
Feeding the parser by too small chunks defers parsing to prevent
|
|
CVE-2023-52425. Future versions of Expat may be more reactive.
|
|
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
|
|
|
|
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
---
|
|
Lib/test/test_xml_etree.py | 6 ++++++
|
|
Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst | 2 ++
|
|
2 files changed, 8 insertions(+)
|
|
create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
|
|
|
|
--- a/Lib/test/test_xml_etree.py
|
|
+++ b/Lib/test/test_xml_etree.py
|
|
@@ -121,6 +121,10 @@ ATTLIST_XML = """\
|
|
</foo>
|
|
"""
|
|
|
|
+fails_with_expat_2_6_0 = (unittest.expectedFailure
|
|
+ if pyexpat.version_info >= (2, 6, 0) else
|
|
+ lambda test: test)
|
|
+
|
|
def checkwarnings(*filters, quiet=False):
|
|
def decorator(test):
|
|
def newtest(*args, **kwargs):
|
|
@@ -1420,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCas
|
|
self.assert_event_tags(parser, [('end', 'root')])
|
|
self.assertIsNone(parser.close())
|
|
|
|
+ @fails_with_expat_2_6_0
|
|
def test_simple_xml_chunk_1(self):
|
|
self.test_simple_xml(chunk_size=1, flush=True)
|
|
|
|
+ @fails_with_expat_2_6_0
|
|
def test_simple_xml_chunk_5(self):
|
|
self.test_simple_xml(chunk_size=5, flush=True)
|
|
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
|
|
@@ -0,0 +1,2 @@
|
|
+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
|
|
+2.6.0.
|