From: Ned Deily
Date: Sun, 13 Jul 2014 05:16:56 +0000 (-0700)
Subject: Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
X-Git-Tag: v3.4.2rc1~229
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5d0d2e6ed6b6ca99d7aa1f9a5ff9c4b0fa545f76;p=python

Issue #21323: Fix http.server to again handle scripts in CGI subdirectories,
broken by the fix for security issue #19435. Patch by Zach Byrne.
---

5d0d2e6ed6b6ca99d7aa1f9a5ff9c4b0fa545f76
diff --cc Misc/ACKS index fa6b1f6e4d,eeefc8144a..0c48477300 --- a/Misc/ACKS +++ b/Misc/ACKS @@@ -198,8 -185,8 +198,9 @@@ Roger Burnha Alastair Burt Tarn Weisner Burton Lee Busby +Katherine Busch Ralph Butler + Zach Byrne Nicolas Cadou Jp Calderone Arnaud Calmettes diff --cc Misc/NEWS index ecdb178984,1b72607b55..9425dc93c2 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -27,272 -13,261 +27,275 @@@ Core and Builtin Library ------- -- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths - before checking for a CGI script at that path. +- Issue #19076: Don't pass the redundant 'file' argument to self.error(). -- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second - parameter. Bug reported by Guido Vranken. +- Issue #21942: Fixed source file viewing in pydoc's server mode on Windows. -- Issue #20633: Replace relative import by absolute import. +- Issue #11259: asynchat.async_chat().set_terminator() now raises a ValueError + if the number of received bytes is negative. -- Issue #21082: In os.makedirs, do not set the process-wide umask. Note this - changes behavior of makedirs when exist_ok=True. +- Issue #12523: asynchat.async_chat.push() now raises a TypeError if it doesn't + get a bytes string -- Issue #20875: Prevent possible gzip "'read' is not defined" NameError. - Patch by Claudiu Popa. +- Issue #21707: Add missing kwonlyargcount argument to + ModuleFinder.replace_paths_in_code(). -- Issue #11599: When an external command (e.g. 
compiler) fails, distutils now - prints out the whole command line (instead of just the command name) if the - environment variable DISTUTILS_DEBUG is set. +- Issue #20639: calling Path.with_suffix('') allows removing the suffix + again. Patch by July Tikhonov. -- Issue #4931: distutils should not produce unhelpful "error: None" messages - anymore. distutils.util.grok_environment_error is kept but doc-deprecated. +- Issue #21714: Disallow the construction of invalid paths using + Path.with_name(). Original patch by Antony Lee. -- Issue #20283: RE pattern methods now accept the string keyword parameters - as documented. The pattern and source keyword parameters are left as - deprecated aliases. +- Issue #21897: Fix a crash with the f_locals attribute with closure + variables when frame.clear() has been called. -- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, - broken by the fix for security issue #19435. Patch by Zach Byrne. +- Issue #21151: Fixed a segfault in the winreg module when ``None`` is passed + as a ``REG_BINARY`` value to SetValueEx. Patch by John Ehresman. -Tests ------ +- Issue #21090: io.FileIO.readall() does not ignore I/O errors anymore. Before, + it ignored I/O errors if at least the first C call read() succeed. -- Issue #17752: Fix distutils tests when run from the installed location. +- Issue #21781: ssl.RAND_add() now supports strings longer than 2 GB. -- Issue #20946: Correct alignment assumptions of some ctypes tests. +- Issue #11453: asyncore: emit a ResourceWarning when an unclosed file_wrapper + object is destroyed. The destructor now closes the file if needed. The + close() method can now be called twice: the second call does nothing. -- Issue #20939: Fix test_geturl failure in test_urllibnet due to - new redirect of http://www.python.org/ to https://www.python.org. +- Issue #21858: Better handling of Python exceptions in the sqlite3 module. 
+- Issue #21476: Make sure the email.parser.BytesParser TextIOWrapper is + discarded after parsing, so the input file isn't unexpectedly closed. -What's New in Python 3.3.5? -=========================== +- Issue #21729: Used the "with" statement in the dbm.dumb module to ensure + files closing. Patch by Claudiu Popa. -*Release date: 09-Mar-2014* +- Issue #21491: socketserver: Fix a race condition in child processes reaping. -No changes from release candidate 2. +- Issue #21832: Require named tuple inputs to be exact strings. +- Issue #19145: The times argument for itertools.repeat now handles + negative values the same way for keyword arguments as it does for + positional arguments. -What's New in Python 3.3.5 release candidate 2? -=============================================== +- Issue #21812: turtle.shapetransform did not tranform the turtle on the + first call. (Issue identified and fixed by Lita Cho.) -*Release date: 02-Mar-2014* +- Issue #21635: The difflib SequenceMatcher.get_matching_blocks() method + cache didn't match the actual result. The former was a list of tuples + and the latter was a list of named tuples. -Core and Builtins ------------------ +- Issue #21722: The distutils "upload" command now exits with a non-zero + return code when uploading fails. Patch by Martin Dengler. -- Issue #20731: Properly position in source code files even if they - are opened in text mode. Patch by Serhiy Storchaka. +- Issue #21723: asyncio.Queue: support any type of number (ex: float) for the + maximum size. Patch written by Vajrasky Kok. -- Issue #19619: str.encode, bytes.decode and bytearray.decode now use an - internal API to throw LookupError for known non-text encodings, rather - than attempting the encoding or decoding operation and then throwing a - TypeError for an unexpected output type. (The latter mechanism remains - in place for third party non-text encodings) +- Issue #21326: Add a new is_closed() method to asyncio.BaseEventLoop. 
+ run_forever() and run_until_complete() methods of asyncio.BaseEventLoop now + raise an exception if the event loop was closed. -Library -------- +- Issue #21774: Fixed NameError for an incorrect variable reference in the + XML Minidom code for creating processing instructions. + (Found and fixed by Claudiu Popa.) -- Issue #20778: Fix modulefinder to work with bytecode-only modules. +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. -- Issue #20791: copy.copy() now doesn't make a copy when the input is - a bytes object. Initial patch by Peter Otten. +- Issue #21310: Fixed possible resource leak in failed open(). -- Issue #20621: Fixes a zipimport bug introduced in 3.3.4 that could cause - spurious crashes or SystemErrors when importing modules or packages from a - zip file. The change causing the problem was reverted. +- Issue #21677: Fixed chaining nonnormalized exceptions in io close() methods. -- Issue #20404: io.TextIOWrapper (and hence the open() builtin) now uses the - internal codec marking system added for issue #19619 to throw LookupError - for known non-text encodings at stream construction time. The existing - output type checks remain in place to deal with unmarked third party - codecs. +- Issue #11709: Fix the pydoc.help function to not fail when sys.stdin is not a + valid file. -Tests ------ +- Issue #13223: Fix pydoc.writedoc so that the HTML documentation for methods + that use 'self' in the example code is generated correctly. -- Issue #20743: Fix a reference leak in test_tcl. +- Issue #21463: In urllib.request, fix pruning of the FTP cache. -Tools/Demos ------------ +- Issue #21618: The subprocess module could fail to close open fds that were + inherited by the calling process and already higher than POSIX resource + limits would otherwise allow. On systems with a functioning /proc/self/fd + or /dev/fd interface the max is now ignored and all fds are closed. 
-- Issue #20535: PYTHONWARNING no longer affects the run_tests.py script. - Patch by Arfrever Frehtes Taifersar Arahesis. +- Issue #21552: Fixed possible integer overflow of too long string lengths in + the tkinter module on 64-bit platforms. +- Issue #14315: The zipfile module now ignores extra fields in the central + directory that are too short to be parsed instead of letting a struct.unpack + error bubble up as this "bad data" appears in many real world zip files in + the wild and is ignored by other zip tools. -What's New in Python 3.3.5 release candidate 1? -=============================================== +- Issue #21402: tkinter.ttk now works when default root window is not set. -*Release date: 23-Feb-2014* +- Issue #10203: sqlite3.Row now truly supports sequence protocol. In particulr + it supports reverse() and negative indices. Original patch by Claudiu Popa. -Core and Builtins ------------------ +- Issue #18807: If copying (no symlinks) specified for a venv, then the python + interpreter aliases (python, python3) are now created by copying rather than + symlinking. -- Issue #20588: Make Python-ast.c C89 compliant. +- Issue #14710: pkgutil.get_loader() no longer raises an exception when None is + found in sys.modules. -- Issue #20437: Fixed 21 potential bugs when deleting objects references. +- Issue #14710: pkgutil.find_loader() no longer raises an exception when a + module doesn't exist. -- Issue #20538: UTF-7 incremental decoder produced inconsistant string when - input was truncated in BASE64 section. +- Issue #21481: Argparse equality and inequality tests now return + NotImplemented when comparing to an unknown type. -Library -------- +- Issue #8743: Fix interoperability between set objects and the + collections.Set() abstract base class. -- Issue #20635: Fixed grid_columnconfigure() and grid_rowconfigure() methods of - Tkinter widgets to work in wantobjects=True mode. 
+- Issue #13355: random.triangular() no longer fails with a ZeroDivisionError + when low equals high. -- Issue #19612: On Windows, subprocess.Popen.communicate() now ignores - OSError(22, 'Invalid argument') when writing input data into stdin, whereas - the process already exited. +- Issue #21538: The plistlib module now supports loading of binary plist files + when reference or offset size is not a power of two. -- Issue #6815: os.path.expandvars() now supports non-ASCII environment - variables names and values. +- Issue #21801: Validate that __signature__ is None or an instance of Signature. -- Issue #17671: Fixed a crash when use non-initialized io.BufferedRWPair. - Based on patch by Stephen Tu. +- Issue #21923: Prevent AttributeError in distutils.sysconfig.customize_compiler + due to possible uninitialized _config_vars. + -- Issue #8478: Untokenizer.compat processes first token from iterator input. - Patch based on lines from Georg Brandl, Eric Snow, and Gareth Rees. ++- Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, ++ broken by the fix for security issue #19435. Patch by Zach Byrne. -- Issue #20594: Avoid name clash with the libc function posix_close. +Build +----- -- Issue #19856: shutil.move() failed to move a directory to other directory - on Windows if source name ends with os.altsep. +- Issue #17095: Fix Modules/Setup *shared* support. -- Issue #14983: email.generator now always adds a line end after each MIME - boundary marker, instead of doing so only when there is an epilogue. This - fixes an RFC compliance bug and solves an issue with signed MIME parts. +- Issue #21811: Anticipated fixes to support OS X versions > 10.9. -- Issue #20540: Fix a performance regression (vs. Python 3.2) when layering - a multiprocessing Connection over a TCP socket. For small payloads, Nagle's - algorithm would introduce idle delays before the entire transmission of a - message. 
+IDLE +---- -- Issue #16983: the new email header parsing code will now decode encoded words - that are (incorrectly) surrounded by quotes, and register a defect. +- Issue #21940: Add unittest for WidgetRedirector. Initial patch by Saimadhav + Heblikar. -- Issue #19772: email.generator no longer mutates the message object when - doing a down-transform from 8bit to 7bit CTEs. +- Issue #18592: Add unittest for SearchDialogBase. Patch by Phil Webster. -- Issue #18805: the netmask/hostmask parsing in ipaddress now more reliably - filters out illegal values and correctly allows any valid prefix length. +- Issue #21694: Add unittest for ParenMatch. Patch by Saimadhav Heblikar. -- Issue #17369: get_filename was raising an exception if the filename - parameter's RFC2231 encoding was broken in certain ways. This was - a regression relative to python2. +- Issue #21686: add unittest for HyperParser. Original patch by Saimadhav + Heblikar. -- Issue #20013: Some imap servers disconnect if the current mailbox is - deleted, and imaplib did not handle that case gracefully. Now it - handles the 'bye' correctly. +- Issue #12387: Add missing upper(lower)case versions of default Windows key + bindings for Idle so Caps Lock does not disable them. Patch by Roger Serwy. -- Issue #19920: TarFile.list() no longer fails when outputs a listing - containing non-encodable characters. Based on patch by Vajrasky Kok. +- Issue #21695: Closing a Find-in-files output window while the search is + still in progress no longer closes Idle. -- Issue #20515: Fix NULL pointer dereference introduced by issue #20368. +- Issue #18910: Add unittest for textView. Patch by Phil Webster. -- Issue #19186: Restore namespacing of expat symbols inside the pyexpat module. +- Issue #18292: Add unittest for AutoExpand. Patch by Saihadhav Heblikar. -- Issue #20426: When passing the re.DEBUG flag, re.compile() displays the - debug output every time it is called, regardless of the compilation cache. 
+- Issue #18409: Add unittest for AutoComplete. Patch by Phil Webster. -- Issue #20368: The null character now correctly passed from Tcl to Python. - Improved error handling in variables-related commands. +Tests +----- -- Issue #20435: Fix _pyio.StringIO.getvalue() to take into account newline - translation settings. +- Issue #20155: Changed HTTP method names in failing tests in test_httpservers + so that packet filtering software (specifically Windows Base Filtering Engine) + does not interfere with the transaction semantics expected by the tests. -- Issue #20288: fix handling of invalid numeric charrefs in HTMLParser. +- Issue #19493: Refactored the ctypes test package to skip tests explicitly + rather than silently. -- Issue #20424: Python implementation of io.StringIO now supports lone surrogates. +- Issue #18492: All resources are now allowed when tests are not run by + regrtest.py. -- Issue #19456: ntpath.join() now joins relative paths correctly when a drive - is present. +- Issue #21634: Fix pystone micro-benchmark: use floor division instead of true + division to benchmark integers instead of floating point numbers. Set pystone + version to 1.2. Patch written by Lennart Regebro. -- Issue #19077: tempfile.TemporaryDirectory cleanup is now most likely - successful when called during nulling out of modules during shutdown. - Misleading exception no longer raised when resource warning is emitted - during shutdown. +- Issue #21605: Added tests for Tkinter images. -- Issue #20367: Fix behavior of concurrent.futures.as_completed() for - duplicate arguments. Patch by Glenn Langford. +- Issue #21493: Added test for ntpath.expanduser(). Original patch by + Claudiu Popa. -- Issue #8260: The read(), readline() and readlines() methods of - codecs.StreamReader returned incomplete data when were called after - readline() or read(size). Based on patch by Amaury Forgeot d'Arc. +- Issue #19925: Added tests for the spwd module. Original patch by Vajrasky Kok. 
-IDLE ----- +- Issue #21522: Added Tkinter tests for Listbox.itemconfigure(), + PanedWindow.paneconfigure(), and Menu.entryconfigure(). -- Issue #20406: Use Python application icons for Idle window title bars. - Patch mostly by Serhiy Storchaka. +Windows +------- -- Update the python.gif icon for the Idle classbrowser and pathbowser - from the old green snake to the new new blue and yellow snakes. +- Issue #21671, CVE-2014-0224: The bundled version of OpenSSL has been + updated to 1.0.1h. -- Issue #17721: Remove non-functional configuration dialog help button until we - make it actually gives some help when clicked. Patch by Guilherme Simões. +- Issue #10747: Use versioned labels in the Windows start menu. + Patch by Olive Kilburn. -Tests ------ +Tools/Demos +----------- + +- Issue #21906: Make Tools/scripts/md5sum.py work in Python 3. + Patch by Zachary Ware. -- Issue #20510: Rewrote test_exit in test_sys to match existing comments, - use modern unittest features, and use helpers from test.script_helper - instead of using subprocess directly. Patch by Gareth Rees. +- Issue #21629: Fix Argument Clinic's "--converters" feature. -- Issue #20532: Tests which use _testcapi are now marked as CPython only. -- Issue #19920: Added tests for TarFile.list(). Based on patch by Vajrasky Kok. +What's New in Python 3.4.1? +=========================== -- Issue #19990: Added tests for the imghdr module. Based on patch by - Claudiu Popa. +Release date: 2014-05-18 -- Issue #20474: Fix test_socket "unexpected success" failures on OS X 10.7+. +Core and Builtins +----------------- -- Issue #20605: Make test_socket getaddrinfo OS X segfault test more robust. +- Issue #21418: Fix a crash in the builtin function super() when called without + argument and without current frame (ex: embedded Python). -Documentation -------------- +- Issue #21425: Fix flushing of standard streams in the interactive + interpreter. 
-- Issue #20488: Importlib is no longer *an* implementation of import, it's *the* - implementation. +- Issue #21435: In rare cases, when running finalizers on objects in cyclic + trash a bad pointer dereference could occur due to a subtle flaw in + internal iteration logic. -Build ------ +Library +------- -- Issue #20221: Removed conflicting (or circular) hypot definition when - compiled with VS 2010 or above. Initial patch by Tabrez Mohammed. +- Issue #10744: Fix PEP 3118 format strings on ctypes objects with a nontrivial + shape. -- Issue #20609: Restored the ability to build 64-bit Windows binaries on - 32-bit Windows, which was broken by the change in issue #19788. +- Issue #20998: Fixed re.fullmatch() of repeated single character pattern + with ignore case. Original patch by Matthew Barnett. +- Issue #21075: fileinput.FileInput now reads bytes from standard stream if + binary mode is specified. Patch by Sam Kimbrel. -What's New in Python 3.3.4? -=========================== +- Issue #21396: Fix TextIOWrapper(..., write_through=True) to not force a + flush() on the underlying binary stream. Patch by akira. -*Release date: 09-Feb-2014* +- Issue #21470: Do a better job seeding the random number generator by + using enough bytes to span the full state space of the Mersenne Twister. -Library -------- +- Issue #21398: Fix an unicode error in the pydoc pager when the documentation + contains characters not encodable to the stdout encoding. + +Tests +----- -- Issue #20374: Fix build warnings of the readline module with libedit on Mac. +- Issue #17756: Fix test_code test when run from the installed location. +- Issue #17752: Fix distutils tests when run from the installed location. + +IDLE +---- + +- Issue #18104: Add idlelib/idle_test/htest.py with a few sample tests to begin + consolidating and improving human-validated tests of Idle. Change other files + as needed to work with htest. Running the module as __main__ runs all tests. 
-What's New in Python 3.3.4 release candidate 1? -=============================================== -*Release date: 26-Jan-2014* +What's New in Python 3.4.1rc1? +============================== + +Release date: 2014-05-05 Core and Builtins -----------------
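
Review bot: In the Misc/NEWS hunk, the merged entry for Issue #21323 says only that subdirectory handling was "broken by the fix for security issue #19435"; it does not say what behaviour is restored or that the restriction added for #19435 still holds. Because this change relaxes something a security fix introduced, and the same Library section carries Issue #21766 (URL unquoting paths before checking for a CGI script at that path), I would add one clause to the entry stating that scripts outside the CGI directories are still refused. The part of the commit visible here touches only Misc/ACKS and Misc/NEWS, so the http.server change and any regression test cannot be checked from this page; the change should come with a test that covers both a script in a CGI subdirectory and a path that must still be rejected.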