[issue11660] closure with too few cells segfaults

[Eric Snow]

New submission from Eric Snow :

While perhaps esoteric, it looks like exec'ing a code object that has freevars, 
using a closure that has too few cells causes a segfault.  I believe the 
problem is around line 3276 of ceval.c at the PyTuple_GET_ITEM call:

if (PyTuple_GET_SIZE(co->co_freevars)) {
int i;
for (i = 0; i < PyTuple_GET_SIZE(co->co_freevars); ++i) {
>>> PyObject *o = PyTuple_GET_ITEM(closure, i);
Py_INCREF(o);
freevars[PyTuple_GET_SIZE(co->co_cellvars) + i] = o;
}
}

I only bring this up because I am toying around with exposing a wrapper around 
PyEval_EvalCodeEx that is a more fully featured version of exec.  Here is an 
example of code where I ran into the problem:

def outer():
x = 5
y = 6
def f(): return x,y
z = 7
def g(): return z
exec_closure(f.__code__, closure=g.__closure__)

Incidently, it looks there isn't any check to see if len(closure) > 
len(freevars), which I would expect to be disallowed.  However, I understand 
that there hasn't really been any point to worry about it due to the current 
usage of PyEval_EvalCodeEx.  

If the above two constraints are appropriate I would love to see them added in 
with something like the following:

if (closure == NULL)
&closure = PyTuple_New(0);
if (!PyTuple_Check(closure)) {
PyErr_Format(PyExc_TypeError,
 "closure must be a tuple");
goto fail;
}
Py_ssize_t nfreevars = PyTuple_GET_SIZE(co->co_freevars);
Py_ssize_t ncells = PyTuple_GET_SIZE(closure);
if (nfreevars != ncells) {
PyErr_Format(PyExc_SystemError,
 "Expected %s cells, received %s", 
 nfreevars, ncells);
goto fail;
}
if (nfreevars) {
int i;
for (i = 0; i < PyTuple_GET_SIZE(co->co_freevars); ++i) {
PyObject *o = PyTuple_GET_ITEM(closure, i);
Py_INCREF(o);
freevars[PyTuple_GET_SIZE(co->co_cellvars) + i] = o;
}
}

Alternately, I could just add some validation into exec_closure, if it's not 
worth bothering in ceval.c.

--
components: Interpreter Core
messages: 131961
nosy: ericsnow
priority: normal
severity: normal
status: open
title: closure with too few cells segfaults
type: crash
versions: Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11477] Bug in code dispatching based on internal slots

[Martin v . Löwis]

Changes by Martin v. Löwis :


Added file: http://bugs.python.org/file21367/650549138a3d.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11477] Bug in code dispatching based on internal slots

[Martin v . Löwis]

Changes by Martin v. Löwis :


Removed file: http://bugs.python.org/file21258/f1bd5468dae6.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11477] Bug in code dispatching based on internal slots

[Martin v . Löwis]

Changes by Martin v. Löwis :


Removed file: http://bugs.python.org/file21367/650549138a3d.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11477] Bug in code dispatching based on internal slots

[Martin v . Löwis]

Changes by Martin v. Löwis :


Added file: http://bugs.python.org/file21368/650549138a3d.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11236] getpass.getpass does not respond to ctrl-c or ctrl-z

[Steffen Daode Nurpmeso]

Steffen Daode Nurpmeso  added the comment:

By the way, in another thread i've seen a link to issue960406, 
where Guido van Rossum states (in msg46074):

Ideally, ^C should always cause the signal handler for
SIGINT to be called, and the KeyboardInterrupt should be
generated by the default SIGINT handler

Thus removing ISIG contradicts approaches Python has chosen to 
use a long time ago (tracks get lost, as always). 
Just in case anybody is not convinced yet that ISIG has to go.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11606] maxlinelen exceeded by email module's body_encode() function

[Michael Henry]

Michael Henry  added the comment:

David,

Your patch looks fine to me.  I like putting the logic is a
separate class as you've done.  I looked in itertools for
something to perform the job of the each_last() generator I'd
had in my patch, but I didn't see anything.  I like the idea of
encapsulating the test logic of (index + 1 == len(sequence)) in
some way, as each_last() does, rather than having the caller
calculate it.  If that capability exists somewhere in the Python
standard library, it would be my choice to use that.  If it has
to be built just for this test, though, perhaps it's not worth
the extra lines of code to define each_last().

Michael Henry

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11650] Faulty RESTART/EINTR handling in Parser/myreadline.c

[Davide Rizzo]

Changes by Davide Rizzo :


--
nosy: +mwh

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[Ray.Allen]

Ray.Allen  added the comment:

By the way, as my simple tests, wprintf() with "%ls" does apply the width and 
precision formatters on units of characters.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[STINNER Victor]

STINNER Victor  added the comment:

There are 4 patches "issue 7030" attached to this issue. Some of them have a 
version number in their name, some doesn't. You did the same on other issues. 
It is more easy to follow a patch if it has a version number, for example: 
issue_7330.diff, issue_7330-2.diff, issue_7330-3.diff, issue_7330-4.diff, ... 
And I suppose that you can remove all old patches, except if they are 
alternative implementations or contain something special.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11658] complex sqrt error

[Mark Dickinson]

Mark Dickinson  added the comment:

I don't see a real problem here:  both cmath.sqrt(-1) and (-1)**0.5 are 
producing good approximations to the correct result, which is about as much as 
you can hope for in general with floating-point algorithms.

I wouldn't want to start special-casing the complex power algorithm to produce 
expected results for given bases or exponents;  the code is complex enough as 
it is.

Patches to improve the general accuracy of complex.__pow__ would be welcome.

Closing as won't fix.

--
resolution:  -> wont fix
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11650] Faulty RESTART/EINTR handling in Parser/myreadline.c

[Steffen Daode Nurpmeso]

Steffen Daode Nurpmeso  added the comment:

On Thu, Mar 23, 2011 at 21:50:42PM +, Davide Rizzo wrote:
> Steffen, on a side note, I got readline working with brew.

Say - readline not libedit which does not take care of .inputrc? 
Without permanently modifying GNU autoconf stuff? 
How do you do that?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[Ray.Allen]

Ray.Allen  added the comment:

Sorry for having done that! I will remove old patches and leave a cleaner view.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[Ray.Allen]

Changes by Ray.Allen :


Removed file: http://bugs.python.org/file20739/issue_7330.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[Ray.Allen]

Changes by Ray.Allen :


Removed file: http://bugs.python.org/file20786/issue_7330.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7330] PyUnicode_FromFormat: implement width and precision for %s, %S, %R, %V, %U, %A

[Ray.Allen]

Changes by Ray.Allen :


Removed file: http://bugs.python.org/file20983/issue7330_2.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9523] Improve dbm modules

[Ray.Allen]

Ray.Allen  added the comment:

I tried to work out a doc patch for 3.2 to mention the limitation api: the 
missing methods compared with dict and the imperfect methods(keys(), items()) 
of collections.MutableMapping. Here is it.

--
Added file: http://bugs.python.org/file21369/issue_9523_3.2_doc_patch.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11661] test_collections.TestNamedTuple.test_source failing on many buildbots after f09f7ab40ce6

[R. David Murray]

New submission from R. David Murray :

Example:

http://www.python.org/dev/buildbot/all/builders/x86%20FreeBSD%207.2%203.x/builds/1609/steps/test/logs/stdio

==
FAIL: test_source (test.test_collections.TestNamedTuple)
--
Traceback (most recent call last):
  File 
"/usr/home/db3l/buildarea/3.x.bolen-freebsd7/build/Lib/test/test_collections.py",
 line 334, in test_source
self.assertNotIn('Color', globals())
AssertionError: 'Color' unexpectedly found in {'OrderedDict': , 'forget': , 
'unittest': , 
'MyOrderedDict': , 'WithSet': 
, 'KeysView': , 'operator': , 
'shuffle': >, 'TestNT': , 
'MutableMapping': , 'randrange': >, 'unlink': 
, 'support': , 
'Mapping': , '__package__': None, 'Callable': 
, 're': , 'TestCounter': 
, 'collections': ,
 'test_main': , 'SubclassMappingTests': 
, 'ChainMap': , '__doc__': 'Unit tests for collections.py.', 
'Hashable': , 'namedtuple': , 'inspect': , 
'MutableSet': , '__builtins__': 
{'bytearray': , 'IndexError': , 'all': 
, 'help': Type help() for interactive help, or 
help(object) for help about object., 'vars': , 'SyntaxError': , 'UnicodeDecodeError': , 'memoryview': , 'isinstance': 
, '__build_class__': , 'copyright': Copyright (c) 2001-2011 Python Software 
Foundation.

--
assignee: rhettinger
components: Tests
keywords: buildbot
messages: 131970
nosy: pitrou, r.david.murray, rhettinger
priority: high
severity: normal
stage: needs patch
status: open
title: test_collections.TestNamedTuple.test_source failing on many buildbots 
after f09f7ab40ce6
versions: Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11656] Debug builds for Windows would be very helpful

[Jack Jansen]

Jack Jansen  added the comment:

Martin, I agree about the Py_DEBUG issue. My reason for asking is really only a 
workaround for the VC++ problam that you can't link non-debug and debug builds 
together.

You know what: if you think it isn't worth it just assign it to me and I'll try 
to go the extra step of doing the work and providing a patch.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11661] test_collections.TestNamedTuple.test_source failing on many buildbots after f09f7ab40ce6

[STINNER Victor]

STINNER Victor  added the comment:

Link to the commit: f09f7ab40ce6

--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11655] map() must not swallow exceptions from PyObject_GetIter

[Ray.Allen]

Ray.Allen  added the comment:

There maybe compatibility issues which prevent such behavior change.

--
nosy: +ysj.ray

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11455] issue a warning when populating a CPython type dict with non-string keys

[Nick Coghlan]

Nick Coghlan  added the comment:

Thomas, I know you've been working on this post-Pycon. Could you please take a 
look at Daniel's patch and/or publish your own.

--
assignee:  -> twouters
nosy: +ncoghlan, twouters

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11455] issue a warning when populating a CPython type dict with non-string keys

[STINNER Victor]

Changes by STINNER Victor :


--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11455] issue a warning when populating a CPython type dict with non-string keys

[STINNER Victor]

STINNER Victor  added the comment:

Cool, someone uses my PyErr_WarnFormat() function! :-) I didn't know that NULL 
can be used for the category: I would prefer an explicit PyExc_RuntimeWarning 
to not have to read the source of PyErr_WarnFormat() or its documentation.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue1590744] mail message parsing glitch

[R. David Murray]

R. David Murray  added the comment:

I needed an airplane-trip-sized problem to work on on the way back from PyCon 
and the sprints, so I tried my hand at "fixing" this.  The attached patch is 
really just a proof of concept.  Because it is so invasive of the email package 
machinery I doubt that I will apply it, but it does serve to prove that it is 
quite practical, given the right design, to preserve the leading whitespace in 
message headers, and this does enable the email package to read and write the 
messages in the sample mbox without changing them.  I will incorporate what I 
learned from this exercise into the header management in email6.

On the other hand, if anyone else thinks this *is* worth tidying up an applying 
I could be convinced.

Note that after this patch one test fails, but that test failure is actually a 
buggy test that hides a bug in the header formatter (a failure to provide 
folding white space at the start of a continuation line).  That bug I may 
revisit.

--
keywords: +patch
Added file: http://bugs.python.org/file21370/preserve_leading_whitespace.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11236] getpass.getpass does not respond to ctrl-c or ctrl-z

[Senthil Kumaran]

Senthil Kumaran  added the comment:

Agree to removing of termios.ISIG so that we get a KeyBoardInterrupt exception 
raised when CNTL-C is pressed. Looking at discussion more carefully, it does 
not present any security risk.

Should this be fixed in 3.3 only with NEWS detailing the change in behavior 
(back to old 2.5 behavior) or should be this be backported?

Close similarity with getpass.c 's behavior had lent some to support to this 
change in 2.6. Changing now in older codeline has some chances of breaking 
others code.

Someone who has been affected by this change in behavior should provide some 
insights if back-porting would make sense.

--
assignee:  -> orsenthil

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11236] getpass.getpass does not respond to ctrl-c or ctrl-z

[Roundup Robot]

Roundup Robot  added the comment:

New changeset c177faafec51 by Senthil Kumaran in branch 'default':
issue11236 getpass.getpass to respond ctrl-c or ctrl-z
http://hg.python.org/cpython/rev/c177faafec51

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11466] getpass.getpass doesn't close tty file

[Senthil Kumaran]

Changes by Senthil Kumaran :


--
assignee:  -> orsenthil
nosy: +orsenthil

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue975330] Inconsistent newline handling in email module

[R. David Murray]

Changes by R. David Murray :


--
versions:  -Python 2.7, Python 3.1, Python 3.2

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11466] getpass.getpass doesn't close tty file

[Steffen Daode Nurpmeso]

Steffen Daode Nurpmeso  added the comment:

On Thu, Mar 24, 2011 at 02:34:34PM +, Senthil Kumaran wrote:
> assignee:  -> orsenthil

Here is yet another patch which only passes valid streams into 
_user_input(), so that this does not need to take care about that 
at all. 
Would you please review that instead of all the others ;/? 
(It's identical to .5. beside that.) 
Thanks for looking at this issue!

--
Added file: http://bugs.python.org/file21371/11466.6.patch

___
Python tracker 

___diff --git a/Lib/getpass.py b/Lib/getpass.py
--- a/Lib/getpass.py
+++ b/Lib/getpass.py
@@ -38,27 +38,26 @@
 
 Always restores terminal settings before returning.
 """
-fd = None
-tty = None
-try:
-# Always try reading and writing directly on the tty first.
-fd = os.open('/dev/tty', os.O_RDWR|os.O_NOCTTY)
-tty = os.fdopen(fd, 'w+', 1)
-input = tty
-if not stream:
-stream = tty
-except EnvironmentError as e:
-# If that fails, see if stdin can be controlled.
+tty, exinst, passwd = None, None, None
+# Something to break off if an error happens
+while 1:
 try:
-fd = sys.stdin.fileno()
-except (AttributeError, ValueError):
-passwd = fallback_getpass(prompt, stream)
-input = sys.stdin
-if not stream:
-stream = sys.stderr
+# Always try reading and writing directly on the tty first.
+fd = os.open('/dev/tty', os.O_RDWR|os.O_NOCTTY)
+input = tty = os.fdopen(fd, 'w+', 1)
+if not stream:
+stream = tty
+except EnvironmentError:
+# If that fails, see if stdin can be controlled;
+# use generic fallback implementation as last resort
+try:
+fd = sys.stdin.fileno()
+except:
+break
+input = sys.stdin
+if not stream:
+stream = sys.stderr
 
-if fd is not None:
-passwd = None
 try:
 old = termios.tcgetattr(fd) # a copy to save
 new = old[:]
@@ -68,21 +67,29 @@
 tcsetattr_flags |= termios.TCSASOFT
 try:
 termios.tcsetattr(fd, tcsetattr_flags, new)
-passwd = _raw_input(prompt, stream, input=input)
+passwd = _user_input(prompt, stream, input, echooff=True)
+except Exception as e:
+exinst = e
 finally:
 termios.tcsetattr(fd, tcsetattr_flags, old)
-stream.flush()  # issue7208
-except termios.error as e:
+stream.flush() # issue7208 (7246)
+except Exception as e:
 if passwd is not None:
-# _raw_input succeeded.  The final tcsetattr failed.  Reraise
-# instead of leaving the terminal in an unknown state.
-raise
-# We can't control the tty or stdin.  Give up and use normal IO.
-# fallback_getpass() raises an appropriate warning.
-del input, tty  # clean up unused file objects before blocking
-passwd = fallback_getpass(prompt, stream)
+# _user_input succeeded, but the final tcsetattr failed.
+# Reraise the termios.error instead of leaving the terminal
+# in an unknown state.
+exinst = e
+break
 
-stream.write('\n')
+if not exinst and passwd is None:
+# We can't control the tty or stdin. Give up and use normal IO.
+# fallback_getpass() raises an appropriate warning.
+passwd = fallback_getpass(prompt, stream)
+
+if tty:
+tty.close()
+if exinst:
+raise exinst
 return passwd
 
 
@@ -115,21 +122,19 @@
 if not stream:
 stream = sys.stderr
 print("Warning: Password input may be echoed.", file=stream)
-return _raw_input(prompt, stream)
+return _user_input(prompt, stream, sys.stdin, echooff=False)
 
 
-def _raw_input(prompt="", stream=None, input=None):
+def _user_input(prompt, stream, input, echooff=False):
 # This doesn't save the string in the GNU readline history.
-if not stream:
-stream = sys.stderr
-if not input:
-input = sys.stdin
 prompt = str(prompt)
 if prompt:
 stream.write(prompt)
 stream.flush()
 # NOTE: The Python C API calls flockfile() (and unlock) during readline.
 line = input.readline()
+if echooff:
+stream.write('\n')
 if not line:
 raise EOFError
 if line[-1] == '\n':
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11635] concurrent.futures uses polling

[Roundup Robot]

Roundup Robot  added the comment:

New changeset 76a898433a02 by Antoine Pitrou in branch '3.2':
Add tests for the atexit hook in concurrent.futures (part of #11635)
http://hg.python.org/cpython/rev/76a898433a02

New changeset d6bbde982c1c by Antoine Pitrou in branch 'default':
Add tests for the atexit hook in concurrent.futures (part of #11635)
http://hg.python.org/cpython/rev/d6bbde982c1c

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

New submission from Guido van Rossum :

We received the following on the security list. With the OP's permission I am 
now filing a public bug with a patch, with the intent to submit the patch ASAP 
(in time for MvL's planned April security release of Python 2.5).

The OP's description is below; I will attach a patch to this issue as soon as I 
have figured out how.


description:

The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contains handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.

Affected versions:
--
The urllib and urllib2 modules of python 2.4.6 and 2.6.5 where tested
but this likely affects all versions.

Possible solution:
--
The default handlers could be reduced but this will probably break
existing python scripts.

Alternatively the default HTTPRedirectHandler behaviour can be changed
to only allow redirects to HTTP, HTTPS and FTP by checking the scheme
of the location URL (this seems to be a common practise in browsers)

--
assignee: gvanrossum
components: Library (Lib)
hgrepos: 6
messages: 131981
nosy: barry, benjamin.peterson, georg.brandl, gvanrossum
priority: release blocker
severity: normal
stage: patch review
status: open
title: Redirect vulnerability in urllib/urllib2
type: security
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 
3.3, Python 3.4

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Senthil Kumaran]

Senthil Kumaran  added the comment:

>> HTTPRedirectHandler behaviour can be changed
>> to only allow redirects to HTTP, HTTPS and FTP by checking the scheme
>> of the location URL (this seems to be a common practise in browsers)

This would be the way to go.

--
nosy: +orsenthil

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Changes by Guido van Rossum :


--
keywords: +patch
Added file: http://bugs.python.org/file21372/dd852a0f92d6.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[STINNER Victor]

STINNER Victor  added the comment:

Repository URL is incorrect (missing http:/ prefix). The commit:
http://hg.python.org/sandbox/guido/rev/dd852a0f92d6

--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Guido van Rossum  added the comment:

Please review the patch that I created. (Now why doesn't it have a "review" 
link?) Note that the patch currently only allows http and https.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11653] Problems with some tests using -j2

[Skip Montanaro]

Skip Montanaro  added the comment:

Ned> Skip, what parameters are you using with ./configure ?

Pretty vanilla.  Install in my directory tree, get libraries from MacPorts:

  --prefix=/Users/skip/local --enable-shared LDFLAGS=-L/opt/local/lib 
CPPFLAGS=-I/opt/local/include

I thought you had fixed the --enable-shared linkage problems, but taking it
out seems to solve this issue.  I'm guessing nothing has been checked in yet
to solve that problem.

S

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11635] concurrent.futures uses polling

[Antoine Pitrou]

Antoine Pitrou  added the comment:

Tests now committed, here is a patch without them.

--
Added file: http://bugs.python.org/file21373/cfpolling4.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11653] Problems with some tests using -j2

[Antoine Pitrou]

Antoine Pitrou  added the comment:

> Pretty vanilla.  Install in my directory tree, get libraries from MacPorts:
> 
>   --prefix=/Users/skip/local --enable-shared LDFLAGS=-L/opt/local/lib 
> CPPFLAGS=-I/opt/local/include
> 
> I thought you had fixed the --enable-shared linkage problems, but taking it
> out seems to solve this issue.  I'm guessing nothing has been checked in yet
> to solve that problem.

It's not --enable-shared, it's that you have to set "LD_LIBRARY_PATH=.",
otherwise your new "./python.exe" will use some other Python 3.3 shared
library installed on your system. So you're basically testing an old
Python with the latest test suite :)

We do have a buildbot testing shared builds btw:
http://www.python.org/dev/buildbot/all/buildslaves/bolen-ubuntu

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Senthil Kumaran]

Senthil Kumaran  added the comment:

>> why doesn't it have a "review" link?

Perhaps, as it is not against the 'default'?

Let's try my hg sandbox link which has a fix committed. Let's see if it gives 
the review link.

--
hgrepos: +7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Senthil Kumaran]

Changes by Senthil Kumaran :


Added file: http://bugs.python.org/file21374/c6a4d267fe88.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[STINNER Victor]

STINNER Victor  added the comment:

The patch has no test. You may read our new "Python Developer’s Guide" for new 
contributors:
http://docs.python.org/devguide/runtests.html#writing

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Guido van Rossum  added the comment:

Oddly, I now see a review link for my own diff but not for orsenthil's. Maybe 
there's a delay?

I could use help with the tests.

I suppose orsenthil's patch is for Python 3?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Antoine Pitrou]

Antoine Pitrou  added the comment:

Which patch should be reviewed? They seem to be different. Senthil's patch 
allows a redirect to ftp while Guido's doesn't.

Senthil's patch doesn't seem to fix urllib-inherited code, only urllib2- (see 
FancyURLopener.redirect_internal()).

Guido's patch doesn't close the file (fp.close()) when the redirect is denied.

Both patches apparently return silently (?), while it might be better to raise 
an exception.
Both would deserve a test :)

--
nosy: +pitrou

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[STINNER Victor]

STINNER Victor  added the comment:

c6a4d267fe88.diff: This patch doesn't explain why other scheme are not allowed. 
I like Guido's comment:

# For security reasons we do not allow redirects to protocols
# other than HTTP or HTTPS.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[R. David Murray]

R. David Murray  added the comment:

Yes there is a delay.  The cron job that creates the link runs every two 
minutes.  Not sure why the delay seems to be longer than that, though.

--
nosy: +r.david.murray

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11606] maxlinelen exceeded by email module's body_encode() function

[R. David Murray]

R. David Murray  added the comment:

I turns out that issue 5803 has a patch that also fixes this bug, and the 
algorithm used there is even more efficient than the one you've developed here. 
 However, it is also not compatible with the email5 version of quoprimime.  It 
could be adapted, but I think I'm going to put off considering that until I can 
take a deeper look at why encode_body takes string as its input.  So I'm going 
to apply this patch in the meantime.

--
versions:  -Python 2.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] concurrent.futures (or multiprocessing?) doesn't detect killed processes

[Antoine Pitrou]

New submission from Antoine Pitrou :

If you do:

./python -c "from concurrent.futures import *; from time import *; t = 
ProcessPoolExecutor(1); t.submit(sleep, 60)"

and then kill the child process, the parent process doesn't notice and waits 
endlessly for the child to return the results.

I'm using concurrent.futures here but I assume the bug (or limitation) is on 
the multiprocessing side?

--
components: Library (Lib)
messages: 131995
nosy: asksol, bquinlan, jnoller, pitrou
priority: normal
severity: normal
status: open
title: concurrent.futures (or multiprocessing?) doesn't detect killed processes
versions: Python 3.2, Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] concurrent.futures (or multiprocessing?) doesn't detect killed processes

[STINNER Victor]

Changes by STINNER Victor :


--
nosy: +haypo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11393] Integrate faulthandler module into Python 3.3

[Scott Dial]

Scott Dial  added the comment:

Antoine Pitrou wrote:
> It would be nice if it were enabled by default for fatal errors (and asserts 
> perhaps?).

I feel like a broken record. This code hardcodes fd=2 as a write target on 
crash, which is not safe thing to do at all. You can argue that adopters of 
Python 3.3 should have to deal with that fact, but it's obscure and there is no 
way to warn anyone about it except by putting a NEWS item, and if the PyCapsule 
discussion on python-dev have taught us anything: even well meaning programmers 
miss these things all the time.

I have stated this repeatedly on the other issues for this same discussion. I 
think creating a completely new issue for this same topic has segmented the 
discussion unfortunately. I wrote a much longer and more thoughtful explanation 
of why faulthandler writes to the wrong "thing" here:

http://bugs.python.org/msg124381

AFAICT, Victor has addressed my issue by giving programmers yet another 
interface to configure (that they may or may not be aware of). So, the only way 
this acceptable to me is if it's off by default and a programmer who wants this 
functionality opts-in and has taken care to make sure it does the right thing. 
My suggestion that faulthandler needs to find a way to be coupled to 
"sys.stderr" still stands.

--
nosy: +scott.dial

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11236] getpass.getpass does not respond to ctrl-c or ctrl-z

[Merlijn van Deen]

Merlijn van Deen  added the comment:

@orsenthil
> Close similarity with getpass.c 's behavior had lent some to support to this 
> change in 2.6. Changing now in older codeline has some chances of breaking 
> others code.
> Someone who has been affected by this change in behavior should provide some 
> insights if back-porting would make sense.

Most code will probably have been updated their getpass code with a line like

if '\x03' in text:
  raise KeyboardInterrupt()

( http://www.mediawiki.org/wiki/Special:Code/pywikipedia/8978 )

However, people might have changed their code from
try:
  pass = getpass.getpass()
except KeyboardInterrupt:
  print "Ctrl-C!"

to:
pass = getpass.getpass()
if "\x03' in pass:
  print "Ctrl-C!"

which will break with this change. The first workaround makes more sense, 
though, so I suspect very little code will be broken by reverting the ISIG flag.

Overall, I think most people are not aware of the removal, either because they 
still use python 2.5 or because they don't press ctrl-c. They are still in for 
a surprise if the ISIG flag is not removed (although it will probably stay in 
the 2.6 branch, anyway?).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] concurrent.futures (or multiprocessing?) doesn't detect killed processes

[STINNER Victor]

STINNER Victor  added the comment:

In the following example, if I kill the child process, the parent is immediatly 
done:
---
from os import getpid
from time import sleep
from multiprocessing import Process

def f(sec):
print("child %s: wait %s seconds" % (getpid(), sec))
sleep(sec)

if __name__ == '__main__':
print("parent %s: wait child" % (getpid(),))
p = Process(target=f, args=(30,))
p.start()
p.join()
---

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] concurrent.futures (or multiprocessing?) doesn't detect killed processes

[Antoine Pitrou]

Antoine Pitrou  added the comment:

Le jeudi 24 mars 2011 à 16:16 +, STINNER Victor a écrit :
> STINNER Victor  added the comment:
> 
> In the following example, if I kill the child process, the parent is 
> immediatly done:
> ---
> from os import getpid
> from time import sleep
> from multiprocessing import Process

concurrent.futures uses a multiprocessing.Queue to get the function
results back. You should use a similar setup in your script.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11393] Integrate faulthandler module into Python 3.3

[Antoine Pitrou]

Antoine Pitrou  added the comment:

> Antoine Pitrou wrote:
> > It would be nice if it were enabled by default for fatal errors (and 
> > asserts perhaps?).
> 
> I feel like a broken record. This code hardcodes fd=2 as a write target on 
> crash,

For fatal errors, you needn't be async-safe, so the fatal error code
could read fileno(stderr) and give it to the traceback printing code.
What do you think, Victor?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11610] Improving property to accept abstract methods

[Darren Dale]

Darren Dale  added the comment:

Here is a new version of the patch. I think it addresses all of the issues that 
have been raised to date.

I had to comment out the -lintl line in Modules/Setup to build on OS X, this 
seems to be a similar issue to http://bugs.python.org/issue6154 . So I don't 
have a _locale module, and I also don't have _scproxy. I ran "make test", and 
get the same results with and without the patch: 315 passes, 22 failed, 15 
skipped. All of the failures are due to missing _locale and _scproxy, with the 
exception of an error during the sax test that is unrelated to my changes.

--
components:  -Library (Lib)
Added file: http://bugs.python.org/file21375/issue11610_v2.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11477] Bug in code dispatching based on internal slots

[Raymond Hettinger]

Changes by Raymond Hettinger :


--
nosy: +rhettinger

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11606] maxlinelen exceeded by email module's body_encode() function

[Roundup Robot]

Roundup Robot  added the comment:

New changeset 37ba11d806c5 by R David Murray in branch '3.1':
#11606: improved body_encode algorithm, no longer produces overlong lines
http://hg.python.org/cpython/rev/37ba11d806c5

New changeset b801d55a9979 by R David Murray in branch '3.2':
Merge #11606: improved body_encode algorithm, no longer produces overlong lines
http://hg.python.org/cpython/rev/b801d55a9979

New changeset 0c40f4939174 by R David Murray in branch 'default':
Merge #11606: improved body_encode algorithm, no longer produces overlong lines
http://hg.python.org/cpython/rev/0c40f4939174

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11393] Integrate faulthandler module into Python 3.3

[STINNER Victor]

STINNER Victor  added the comment:

> For fatal errors, you needn't be async-safe, so the fatal error code
> could read fileno(stderr) and give it to the traceback printing code.

My last patch for issue #8863 does exactly that:

##
 void
 Py_FatalError(const char *msg)
 {
-fprintf(stderr, "Fatal Python error: %s\n", msg);
-fflush(stderr); /* it helps in Windows debug build */
-if (PyErr_Occurred()) {
+const int fd = fileno(stderr);
+
+fputs("Fatal Python error: ", stderr);
+fputs(msg, stderr);
+fputc('\n', stderr);
+fflush(stderr);
+
+if (PyErr_Occurred())
 PyErr_PrintEx(0);
+else {
+fputc('\n', stderr);
+fflush(stderr);
+_Py_DumpBacktrace(fd);
 }
...
##

Yes, call fileno() here is safe.

--

The main problem was on the SIGSEGV handler which was first proposed as enabled 
by default. Extract of my old patch:

+static void
+fault_handler(int signum)
+{
+const int fd = 2; /* should be fileno(stderr) */
+unsigned int i;
+fault_handler_t *handler;
...

In the faulthandler module, the last call to faulthandler.enable() saves 
sys.stderr.fileno(). If this file descriptor is replaced by a critical file, we 
have a problem. It can occurs in two cases:
 - stderr was closed (after the call to enable) and a new file gets its file 
descriptor number
 - dup2() was used

Both cases may occur on a server application.

But I think that everybody agrees to disable the SIGSEGV handler by default.

--

I'm preparing the integration of faulthandler in the following Mercurial repo:
http://hg.python.org/features/faulthandler/

I didn't write the fatal error hook yet.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11606] maxlinelen exceeded by email module's body_encode() function

[R. David Murray]

Changes by R. David Murray :


--
resolution:  -> fixed
stage: patch review -> committed/rejected
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] concurrent.futures (or multiprocessing?) doesn't detect killed processes

[STINNER Victor]

STINNER Victor  added the comment:

In the following example, the parent doesn't react when the child process is 
killed:
-
from os import getpid
from time import sleep, time
from multiprocessing import Pool

def f(sec):
print("child %s: wait %s seconds" % (getpid(), sec))
sleep(sec)

if __name__ == '__main__':
print("parent %s: wait child" % (getpid(),))
pool = Pool(processes=1)
result = pool.apply_async(f, [60])
print(result.get(timeout=120))
print("parent: done")
-

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] multiprocessing (and concurrent.futures) doesn't detect killed processes

[STINNER Victor]

Changes by STINNER Victor :


--
title: concurrent.futures (or multiprocessing?) doesn't detect killed processes 
-> multiprocessing (and concurrent.futures) doesn't detect killed processes

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11663] multiprocessing (and concurrent.futures) doesn't detect killed processes

[STINNER Victor]

STINNER Victor  added the comment:

It's possible to stop the parent with a CTRL+c, and so here is the trace of 
blocking function:

$ ./python y.py 
parent 26706: wait child
child 26707: wait 60 seconds
^CProcess PoolWorker-2:
Traceback (most recent call last):
  File "y.py", line 13, in 
Traceback (most recent call last):
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/process.py", line 263, 
in _bootstrap
print(result.get(timeout=120))
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/pool.py", line 539, in 
get
self.run()
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/process.py", line 118, 
in run
self._target(*self._args, **self._kwargs)
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/pool.py", line 102, in 
worker
self.wait(timeout)
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/pool.py", line 534, in 
wait
task = get()
  File "/home/haypo/prog/HG/cpython/Lib/multiprocessing/queues.py", line 378, 
in get
return recv()
KeyboardInterrupt
self._cond.wait(timeout)
  File "/home/haypo/prog/HG/cpython/Lib/threading.py", line 241, in wait
gotit = waiter.acquire(True, timeout)
KeyboardInterrupt
[61207 refs]

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11661] test_collections.TestNamedTuple.test_source failing on many buildbots after f09f7ab40ce6

[Raymond Hettinger]

Raymond Hettinger  added the comment:

Thanks for the report.  It looks like globals() contamination is happening on 
the buildbot that isn't happening locally.

Isolated the test in commit 4f1cd92fe835

Will check the buildbots after to make sure it worked.  Otherwise, will delete 
test.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11661] test_collections.TestNamedTuple.test_source failing on many buildbots after f09f7ab40ce6

[STINNER Victor]

STINNER Victor  added the comment:

Why do you remove NTColor from globals *after* creating it? The assertion looks 
useless, or are you testing that globals().pop() works as expected?

tmp = namedtuple('NTColor', 'red green blue')
globals().pop('NTColor', None)  # remove artifacts from other tests
self.assertNotIn('NTColor', globals())

Can't you remove NTColor from globals before creating it?

globals().pop('NTColor', None)
tmp = namedtuple('NTColor', 'red green blue')
self.assertNotIn('NTColor', globals())

It looks like I missed something important :-)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Guido van Rossum  added the comment:

> Which patch should be reviewed? They seem to be different.

Both. Mine's for the Python 2 line while Senthil seems to deal with
Python 3. (However the presence of Senthil's patch somehow overrode my
patch in Rietveld. It looks like Martin didn't think of this use
case.) I'd like to have agreement over the Python 2 patch first, then
we can think about forward porting.

> Senthil's patch allows a redirect to ftp while Guido's doesn't.

That is a good question. Should we? It doesn't look like ftp:
participates in the vulnerability, but I'm not sure how useful it is
either.

> Senthil's patch doesn't seem to fix urllib-inherited code, only urllib2- (see 
> FancyURLopener.redirect_internal()).

Right, that's for Python 3.

> Guido's patch doesn't close the file (fp.close()) when the redirect is denied.

But the calling code does. Note that when there is no URI or Location
header, redirect_internal() also returns without closing the file; if
the error handler returns no result, http_error() will call
http_error_default() which closes the file.

> Both patches apparently return silently (?), while it might be better to 
> raise an exception.

This follows the tradition of returning silently when no URI or
Location header is found. The 302 error will be treated the same as
any other error.

> Both would deserve a test :)

If someone would contribute one I'd appreciate it. Otherwise I will
get on it myself.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Senthil Kumaran]

Changes by Senthil Kumaran :


Added file: http://bugs.python.org/file21376/3c07ea6a176a.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Senthil Kumaran]

Senthil Kumaran  added the comment:

Here is a more complete patch with tests. Please review this. Yes, it is 
against the default branch (3.x codeline). We can backport this behavior to 2.x 
codeline.

I have raised an URLError exception when the direct to invalid_schemes is 
detected.

Also, ftp redirection should be allowed. It is common to see ISO download 
mirrors which will redirect itself to an ftp url. Also the security report says 
about allowing to http, https and ftp.

Thanks.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Antoine Pitrou]

Antoine Pitrou  added the comment:

> > Senthil's patch allows a redirect to ftp while Guido's doesn't.
> 
> That is a good question. Should we? It doesn't look like ftp:
> participates in the vulnerability, but I'm not sure how useful it is
> either.

I would say accept it anyway. That way we minimize potential for
compatibility breakage.
(do we support "ftps" as well? I don't think so)

> > Senthil's patch doesn't seem to fix urllib-inherited code, only
> urllib2- (see FancyURLopener.redirect_internal()).
> 
> Right, that's for Python 3.

FancyURLopener is still present in Python 3 (even though we would like
to deprecate it in 3.3).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Guido van Rossum  added the comment:

I am okay with adding FTP to the list.

I still don't think we should raise URLError on the bad redirect; we should 
treat it the same as a missing URI/Location header, and it will raise HTTPError.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11662] Redirect vulnerability in urllib/urllib2

[Guido van Rossum]

Changes by Guido van Rossum :


Added file: http://bugs.python.org/file21377/ca3b117c40f3.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11635] concurrent.futures uses polling

[Antoine Pitrou]

Antoine Pitrou  added the comment:

After studying the multiprocessing code, it turns out that Queue.get() with a 
timeout does its own rather high-frequency polling under Windows (see 
Modules/_multiprocessing/pipe_connection.c). Therefore, here is an updated 
patch which doesn't have a security timeout at all.

--
Added file: http://bugs.python.org/file21378/cfpolling5.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue5305] imaplib should support international mailbox names

[Александр Цамутали]

Александр Цамутали  added the comment:

So noone is working on this issue ATM?

--
nosy: +astsmtl

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11030] regrtest - allow for relative path with --coverdir

[Roundup Robot]

Roundup Robot  added the comment:

New changeset 6ff4e479f03b by R David Murray in branch 'default':
#11030: make --coverdir work for relative directories again.
http://hg.python.org/cpython/rev/6ff4e479f03b

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11030] regrtest - allow for relative path with --coverdir

[R. David Murray]

R. David Murray  added the comment:

Thanks.  Shortened patch by using the fact that os.path.join returns the second 
component if it is absolute, as discussed on IRC.

--
nosy: +r.david.murray
resolution:  -> fixed
stage: patch review -> committed/rejected
status: open -> closed
type:  -> behavior

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11031] regrtest - --testdir, new command-line option to specify alternative test directory

[Roundup Robot]

Roundup Robot  added the comment:

New changeset ef393e6ac31b by R David Murray in branch 'default':
#11031: Add --testdir to specify where to find tests
http://hg.python.org/cpython/rev/ef393e6ac31b

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11031] regrtest - --testdir, new command-line option to specify alternative test directory

[R. David Murray]

R. David Murray  added the comment:

Made the same change to the usage of os.path.join.

--
nosy: +r.david.murray
resolution:  -> accepted
stage: patch review -> committed/rejected
status: open -> closed
type:  -> feature request

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11093] test_future - rename not-unittest files to make regrtest.NOTTESTS an empty set

[Roundup Robot]

Roundup Robot  added the comment:

New changeset 6a649a15cd14 by R David Murray in branch 'default':
#11093: make NOTTESTS empty by renaming confusingly named files in test dir.
http://hg.python.org/cpython/rev/6a649a15cd14

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11093] test_future - rename not-unittest files to make regrtest.NOTTESTS an empty set

[R. David Murray]

Changes by R. David Murray :


--
resolution:  -> accepted
stage: patch review -> committed/rejected
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue10225] Fix doctest runable examples in python manual

[Alexander Belopolsky]

Alexander Belopolsky  added the comment:

> Please leave the deployed code for named tuple as-is.  Doctest may
> have issues with trailing whitespace, but that is doctest's problem,
> not named tuple's.

I am curious, what was the reason to add trailing whitespace in the named tuple 
template?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue10225] Fix doctest runable examples in python manual

[Raymond Hettinger]

Raymond Hettinger  added the comment:

> I am curious, what was the reason to add 
> trailing whitespace in the named tuple template?

To make it hard to doctest ;-)

I had a thought that it made the template more readable, but the better 
solution was to just use real newlines instead of '\n'.   The template has been 
considerably beautified for python 3.3, but I don't want to go back in time and 
muck with stable code just to accommodate adding a doctest in old docs.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9344] please add posix.getgrouplist()

[Alexander Belopolsky]

Alexander Belopolsky  added the comment:

Looks good to me as well.  Just a nit-pick: in python code base "sizeof" is not 
separated from the opening parenthesis.  I understand the desire to distinguish 
"sizeof" from a function, but it is probably better to be consistent.

--
assignee: belopolsky -> rosslagerwall

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9344] please add posix.getgrouplist()

[Ross Lagerwall]

Ross Lagerwall  added the comment:

Ronald, does it have the same problem as #7900 on OS X or can I commit?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9909] request for calendar.dayofyear() function

[Alexander Belopolsky]

Changes by Alexander Belopolsky :


--
status: pending -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue1156179] Calls from VBScript clobber passed args

[Chris Lambacher]

Chris Lambacher  added the comment:

copied to pywin32 bug tracker: 
http://sourceforge.net/tracker/index.php?func=detail&aid=3238774&group_id=78018&atid=551954

--
nosy: +lambacck

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11650] Faulty RESTART/EINTR handling in Parser/myreadline.c

[Michael Hudson]

Michael Hudson  added the comment:

To be clear, I have no idea why the patch for issue 960406 removed the continue 
from my_fgets.  It may have been simply a mistake.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11610] Improving property to accept abstract methods

[Ned Deily]

Ned Deily  added the comment:

(Darren, what version of OS X and what arguments did you use for ./configure ?  
In general, for testing purposes, a vanilla ./configure with no args should 
work fine for building a Python that works right from your source build 
directory.  If you want to build something to be installed, avoid using 
--enable-shared on OS X, see, for instance, Issue11445)

--
nosy: +ned.deily

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11664] Add patch method to unittest.TestCase

[Éric Araujo]

New submission from Éric Araujo :

A common thing to do in setUp or test* methods is to replace some module 
attribute with something else, either to mock an object calling an external 
resource or to test platform-specific behavior (for example, changing os.name 
before calling some function).  Care has to be taken to restore the initial 
object with addCleanup, tearDown or in a finally block.

I propose that a new method TestCase.patch (inspired by mock.patch, but more 
limited in scope) be added, to allow such usages (each example is standalone):

  def setUp(self):
  self.patch(socket, 'socket', MockSocket)

  def test_default_format(self):
  self.patch(os, 'name', 'posix')
  self.assertEqual(get_default_format(), '.tar.gz')
  self.path(os, 'name', 'nt')
  self.assertEqual(get_default_format(), '.zip')

  def setUp(self):
  self.patch(sys, 'path', sys.path.copy())

In each example, patch(object, attribute, value) does this: save 
object.attribute, set object.attribute to value, register a cleanup function to 
restore object.attribute.

I assigned to Michael so that he can kill this idea early if he has reason to 
do so.  If not, please move stage to “patch needed” (no pun).  I am willing to 
work on a patch for 3.3 and unittest2 (not sure which is first :)

--
assignee: michael.foord
components: Library (Lib)
keywords: easy
messages: 132026
nosy: eric.araujo, ezio.melotti, michael.foord
priority: normal
severity: normal
status: open
title: Add patch method to unittest.TestCase
type: feature request
versions: Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11664] Add patch method to unittest.TestCase

[Éric Araujo]

Éric Araujo  added the comment:

Typo s/self.path/self.patch/

I forgot to mention the rationale for this method: factor out common code to 
make sure the cleanup is not forgotten.  Also kill debates about addCleanup vs. 
tearDown vs. try/finally.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11664] Add patch method to unittest.TestCase

[Éric Araujo]

Éric Araujo  added the comment:

Needless to say the name is open: patch, replace, settempvalue, what have you.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11634] misleading comment on PyBytes_FromStringAndSize

[Roundup Robot]

Roundup Robot  added the comment:

New changeset a729dfdbd24b by Eli Bendersky in branch 'default':
Issue #11634: Remove misleading paragraph from a comment
http://hg.python.org/cpython/rev/a729dfdbd24b

--
nosy: +python-dev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11634] misleading comment on PyBytes_FromStringAndSize

[Roundup Robot]

Roundup Robot  added the comment:

New changeset 44749e501982 by Eli Bendersky in branch '2.7':
Issue #11634: Remove misleading paragraph from a comment
http://hg.python.org/cpython/rev/44749e501982

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11634] misleading comment on PyBytes_FromStringAndSize

[Eli Bendersky]

Eli Bendersky  added the comment:

Patch reviewed by Nick Coghlan and committed

--
resolution:  -> fixed
status: open -> closed
versions: +Python 2.7 -Python 3.2

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11650] Faulty RESTART/EINTR handling in Parser/myreadline.c

[Steffen Daode Nurpmeso]

Changes by Steffen Daode Nurpmeso :


--
nosy: +jesstess

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11455] issue a warning when populating a CPython type dict with non-string keys

[Daniel Urban]

Daniel Urban  added the comment:

> I would prefer an explicit PyExc_RuntimeWarning to not have to read the
> source of PyErr_WarnFormat() or its documentation.

The patch at issue11470 adds a new warning type, CompatibilityWarning. I think 
probably that should be used here too.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9056] Adding additional level of bookmarks and section numbers in python pdf documents.

[Sandro Tosi]

Sandro Tosi  added the comment:

The number of items in the bookmark is controlled by 

\setcounter{tocdepth}{1}

in sphinxmanual.cls, that's included in every latex file (the source of the PDF 
documentation). The cls file is coming directly from sphinx, so Georg: what is 
the purpose of limiting the bookmarks depth to 1? can we consider (somehow) to 
special-case if for python?

--
nosy: +georg.brandl, sandro.tosi
versions: +Python 3.3 -Python 2.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue10966] eliminate use of ImportError implicitly representing SkipTest

[Éric Araujo]

Éric Araujo  added the comment:

I’m probably the one with the least regrtest knowledge among us, but I like the 
general idea of moving the compat info from one huge dict into the tests 
themselves.  It looks more readable and maintainable.

The new tests for test.support looks good.

I have a reputation to maintain, so here are some nits:
- “FS encoding” would be clearer as “filesystem encoding”.
- The argument names “required_on” and “optional” are not symmetrical.
- The indentation is hard to read here:

+pty = import_module('pty',
+optional=['win32', 'os2emx', 'freebsd4', 'freebsd5', 'freebsd6',
+'freebsd7', 'freebsd8'])

--
nosy: +eric.araujo

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11660] closure with too few cells segfaults

[Benjamin Peterson]

Benjamin Peterson  added the comment:

And the source of exec_closure is what exactly?

--
nosy: +benjamin.peterson

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11610] Improving property to accept abstract methods

[Darren Dale]

Darren Dale  added the comment:

(Ned, I'm running 10.6.6 with a 64-bit kernel. I've tried running ./configure 
without any arguments, and also with --prefix=/opt/local, since I install 
essentially everything with MacPorts.)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11656] Debug builds for Windows would be very helpful

[Martin v . Löwis]

Martin v. Löwis  added the comment:

> Martin, I agree about the Py_DEBUG issue. My reason for asking is
> really only a workaround for the VC++ problam that you can't link
> non-debug and debug builds together.

Please understand that this is factually incorrect, if, by "debug
build" you mean "build with debug symbols".

> You know what: if you think it isn't worth it just assign it to me
> and I'll try to go the extra step of doing the work and providing a
> patch.

Not sure what a patch might help. It's the effort of actually releasing
the files that I want to avoid.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue11660] closure with too few cells segfaults

[Daniel Urban]

Changes by Daniel Urban :


--
nosy: +durban

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com