From: Ned Deily Date: Sun, 13 Jul 2014 05:12:39 +0000 (-0700) Subject: Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, X-Git-Tag: v3.3.6rc1~12 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=217f4cd7ee587310587f70c28cd3b25c722275ba;p=python Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. --- 217f4cd7ee587310587f70c28cd3b25c722275ba diff --cc Misc/ACKS index ec961e4bc7,c1df48054f..eeefc8144a --- a/Misc/ACKS +++ b/Misc/ACKS @@@ -186,7 -164,7 +186,8 @@@ Alastair Bur Tarn Weisner Burton Lee Busby Ralph Butler + Zach Byrne +Nicolas Cadou Jp Calderone Arnaud Calmettes Daniel Calvelo diff --cc Misc/NEWS index 31980cd25d,12f02b3df7..1b72607b55 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -24,90 -19,79 +24,93 @@@ Librar - Issue #21082: In os.makedirs, do not set the process-wide umask. Note this changes behavior of makedirs when exist_ok=True. -- Issue #20246: Fix buffer overflow in socket.recvfrom_into. - -- Issue #12226: HTTPS is now used by default when connecting to PyPI. - -- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler. +- Issue #20875: Prevent possible gzip "'read' is not defined" NameError. + Patch by Claudiu Popa. -- Issue #14984: On POSIX systems, when netrc is called without a filename - argument (and therefore is reading the user's $HOME/.netrc file), it now - enforces the same security rules as typical ftp clients: the .netrc file must - be owned by the user that owns the process and must not be readable by any - other user. +- Issue #11599: When an external command (e.g. compiler) fails, distutils now + prints out the whole command line (instead of just the command name) if the + environment variable DISTUTILS_DEBUG is set. -- Fix tkinter regression introduced by the security fix in issue #16248. +- Issue #4931: distutils should not produce unhelpful "error: None" messages + anymore. 
distutils.util.grok_environment_error is kept but doc-deprecated. -- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of - service using certificates with many wildcards (CVE-2013-2099). +- Issue #20283: RE pattern methods now accept the string keyword parameters + as documented. The pattern and source keyword parameters are left as + deprecated aliases. + - Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, + broken by the fix for security issue #19435. Patch by Zach Byrne. + +Tests +----- + +- Issue #17752: Fix distutils tests when run from the installed location. + +- Issue #20946: Correct alignment assumptions of some ctypes tests. + +- Issue #20939: Fix test_geturl failure in test_urllibnet due to + new redirect of http://www.python.org/ to https://www.python.org. -What's New in Python 3.2.5? + +What's New in Python 3.3.5? =========================== -*Release date: 13-May-2013* +*Release date: 09-Mar-2014* -Library -------- +No changes from release candidate 2. -- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of - service using certificates with many wildcards (CVE-2013-2099). -- Issue #17192: Restore the patch for Issue #11729 and Issue #10309 - which were omitted in 3.2.4 when updating the bundled version of - libffi used by ctypes. +What's New in Python 3.3.5 release candidate 2? +=============================================== -- Issue #15535: Fix namedtuple pickles which were picking up the OrderedDict - instead of just the underlying tuple. +*Release date: 02-Mar-2014* -- Issue #1159051: Back out a fix for handling corrupted gzip files that - broke backwards compatibility. +Core and Builtins +----------------- -- Issue #17915: Fix interoperability of xml.sax with file objects returned by - codecs.open(). +- Issue #20731: Properly position in source code files even if they + are opened in text mode. Patch by Serhiy Storchaka. 
-Build ------ +- Issue #19619: str.encode, bytes.decode and bytearray.decode now use an + internal API to throw LookupError for known non-text encodings, rather + than attempting the encoding or decoding operation and then throwing a + TypeError for an unexpected output type. (The latter mechanism remains + in place for third party non-text encodings) -- Issue #17857: Prevent build failures with pre-3.5.0 versions of sqlite3, - such as was shipped with Centos 5 and Mac OS X 10.4. +Library +------- -Tests ------ +- Issue #20778: Fix modulefinder to work with bytecode-only modules. -- Issue #17843: Removed bz2 test data file that was triggering false-positive - virus warnings with certain antivirus software. +- Issue #20791: copy.copy() now doesn't make a copy when the input is + a bytes object. Initial patch by Peter Otten. +- Issue #20621: Fixes a zipimport bug introduced in 3.3.4 that could cause + spurious crashes or SystemErrors when importing modules or packages from a + zip file. The change causing the problem was reverted. -What's New in Python 3.2.4? -=========================== +- Issue #20404: io.TextIOWrapper (and hence the open() builtin) now uses the + internal codec marking system added for issue #19619 to throw LookupError + for known non-text encodings at stream construction time. The existing + output type checks remain in place to deal with unmarked third party + codecs. -*Release date: 07-Apr-2013* +Tests +----- -Library -------- +- Issue #20743: Fix a reference leak in test_tcl. -- Issue #17625: In IDLE, close the replace dialog after it is used. +Tools/Demos +----------- +- Issue #20535: PYTHONWARNING no longer affects the run_tests.py script. + Patch by Arfrever Frehtes Taifersar Arahesis. -What's New in Python 3.2.4 release candidate 1? + +What's New in Python 3.3.5 release candidate 1? =============================================== -*Release date: 24-Mar-2013* +*Release date: 23-Feb-2014* Core and Builtins -----------------
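Review bot: The Issue #21323 entry added in the Misc/NEWS hunk says CGI subdirectory handling was "broken by the fix for security issue #19435", but it does not say whether the directory traversal check from #19435 is still enforced now that subdirectory scripts work again. Since the entry describes a change to behaviour that a security fix introduced, it should state the retained guarantee explicitly, for example with a closing clause such as "The directory traversal protection from #19435 is unchanged.", if that is what the http.server change does. The lines visible on this page cover only Misc/ACKS and Misc/NEWS, so the http.server change itself, and a regression test that exercises both a script in a CGI subdirectory and a path that traverses out of the CGI directories, should be checked alongside this entry.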