[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Antti Haapala

Antti Haapala added the comment:

I am very negative to this idea. Correct code in Python **2** would either set 
`__hash__ = None` or redefine `__hash__` in *any* class that defines `__eq__`. 
That it just wasn't used like that is no excuse.

This warning is even more important if even Ned Batchelder could have a bug 
like that in his code.

It will break as soon as someone "realizes" that "hey I can use a set to remove 
duplicates in my container".

--
nosy: +ztane

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue28143] ASDL compatibility with Python 3 system interpreter

2016-09-24 Thread Malthe Borch

Malthe Borch added the comment:

I have updated the patch with requested changes.

Note that the original code also added space after '\t' characters. I have not 
changed this on purpose.

--
Added file: 
http://bugs.python.org/file44801/0001-Allow-make-to-be-run-under-Python-3.patch




[issue28250] typing.NamedTuple instances are not picklable Two

2016-09-24 Thread Mark Dickinson

Mark Dickinson added the comment:

I don't think this has anything to do with namedtuple; it's true whenever you 
create a class in an inner scope (rather than at module level). This is by 
design, and these restrictions are documented: 
https://docs.python.org/3.6/library/pickle.html#what-can-be-pickled-and-unpickled

For example, running this script:

    import pickle

    def my_func():
        class A:
            pass

        a = A()
        return a

    a = my_func()
    pickle.dumps(a)

produces:

    Traceback (most recent call last):
      File "test.py", line 11, in <module>
        pickle.dumps(a)
    AttributeError: Can't pickle local object 'my_func.<locals>.A'

--
nosy: +mark.dickinson
resolution:  -> not a bug
status: open -> closed




[issue27942] Default value identity regression

2016-09-24 Thread Kay Hayen

Kay Hayen added the comment:

Same with 3.6b1, still present.

--
nosy: +kayhayen




[issue28207] SQLite headers are not searched in custom locations

2016-09-24 Thread Chi Hsuan Yen

Chi Hsuan Yen added the comment:

Could you try this:

    CPPFLAGS=-I/home//local/include/ LDFLAGS=-L/home//local/lib bash -x /usr/bin/pyenv install 3.5.2

--




[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Ned Batchelder

Changes by Ned Batchelder :


--
nosy: +nedbat




[issue28260] mock._Any and mock._Call implement __eq__ but not __hash__

2016-09-24 Thread Ned Batchelder

Changes by Ned Batchelder :


--
nosy: +nedbat




[issue28253] calendar.prcal(9999) output has a problem

2016-09-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Having additional tests is always nice. After writing tests we can search 
whether there is another solution.

AFAIK the dummy data also needs the day attribute.

--




[issue28253] calendar.prcal(9999) output has a problem

2016-09-24 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The problem with year 1 was reported in issue26650.

--




[issue28263] Python 2.7's `-3` flag warns about __eq__ being implemented without __hash__ even if __hash__ is never accessed.

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Antti is correct. Please add __hash__ = None to your class to silence the 
warning.

--
nosy: +christian.heimes
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed
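
The failure mode Antti describes and the fix Christian recommends, as an added example (not code from the tracker). It runs on Python 3, where defining `__eq__` already sets `__hash__` to None, so the Python 2 default is simulated by assigning `object.__hash__` explicitly; all class and function names are hypothetical.

```python
class Py2StylePoint(object):
    """Defines __eq__ but keeps the identity hash, as Python 2 did by default."""

    def __init__(self, x, y):
        self.x = x
        self.y = y

    def __eq__(self, other):
        if not isinstance(other, Py2StylePoint):
            return NotImplemented
        return (self.x, self.y) == (other.x, other.y)

    # Simulates Python 2: the hash is inherited from object and is based on
    # identity, so two equal points hash differently.
    __hash__ = object.__hash__


class UnhashablePoint(Py2StylePoint):
    """The fix recommended in the thread: declare the class unhashable."""

    __hash__ = None


class ValuePoint(Py2StylePoint):
    """The other correct option: a hash consistent with __eq__."""

    def __hash__(self):
        return hash((self.x, self.y))


def count_unique(points):
    """Deduplicate with a set, the usage the warning is meant to protect."""
    return len(set(points))


def dedupe_outcome(cls):
    """Return the number of unique items for two equal points of type cls,
    or the string 'TypeError' when the class refuses to be hashed."""
    try:
        return count_unique([cls(1, 2), cls(1, 2)])
    except TypeError:
        return "TypeError"


if __name__ == "__main__":
    for cls in (Py2StylePoint, UnhashablePoint, ValuePoint):
        print(cls.__name__, dedupe_outcome(cls))
```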




[issue28203] complex() gives wrong error when the second argument has an invalid type

2016-09-24 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 92f4ce2d5ebb by Mark Dickinson in branch '3.5':
Issue #28203: Fix incorrect type in error message from complex(1.0, {2:3}). 
Patch by Soumya Sharma.
https://hg.python.org/cpython/rev/92f4ce2d5ebb

New changeset a2d93e6bcbcf by Mark Dickinson in branch '3.6':
Issue #28203: Merge from 3.5
https://hg.python.org/cpython/rev/a2d93e6bcbcf

New changeset 9790bc211107 by Mark Dickinson in branch 'default':
Issue #28203: Merge from 3.6
https://hg.python.org/cpython/rev/9790bc211107

--
nosy: +python-dev




[issue28203] complex() gives wrong error when the second argument has an invalid type

2016-09-24 Thread Mark Dickinson

Mark Dickinson added the comment:

Fixed; thanks. I made a couple of changes:

- Use "argument" rather than "arg", to be consistent with the original code 
(but admittedly not consistent with the rest of the module, where there doesn't 
seem to be any consistent choice between "arg" and "argument").
- Reformat C and test code to avoid long lines.
- Slight rearrangement of the C code so that all of the "i" handling is in one 
place.

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue25235] EmailMessage.add_attachment() creates parts with spurious MIME-Version header.

2016-09-24 Thread R. David Murray

R. David Murray added the comment:

Barry, would you care to render an opinion on this proposed fix?

--
stage: patch review -> commit review




[issue28250] typing.NamedTuple instances are not picklable Two

2016-09-24 Thread Kurt Dally

Kurt Dally added the comment:

My bad, I searched and found the issue, it very closely fit mine and the pickle 
module is new to me. I hadn't yet got through the details of pickling. 
Thanks for catching that.
Kurt

  From: Mark Dickinson 
 To: thedomestic...@yahoo.com 
 Sent: Saturday, September 24, 2016 1:43 AM
 Subject: [issue28250] typing.NamedTuple instances are not picklable Two

Mark Dickinson added the comment:

I don't think this has anything to do with namedtuple; it's true whenever you 
create a class in an inner scope (rather than at module level). This is by 
design, and these restrictions are documented: 
https://docs.python.org/3.6/library/pickle.html#what-can-be-pickled-and-unpickled

For example, running this script:

    import pickle

    def my_func():
        class A:
            pass

        a = A()
        return a

    a = my_func()
    pickle.dumps(a)

produces:

    Traceback (most recent call last):
      File "test.py", line 11, in <module>
        pickle.dumps(a)
    AttributeError: Can't pickle local object 'my_func.<locals>.A'

--
nosy: +mark.dickinson
resolution:  -> not a bug
status: open -> closed


--




[issue25268] Support pointing frozen modules to the corresponding source files, if available.

2016-09-24 Thread Nick Coghlan

Nick Coghlan added the comment:

I agree with Marc-Andre that it's hard to do anything more useful here than 
"-r" already does, as we can assume the source code won't be available on the 
target machine - it's the equivalent of having C/C++ debugging symbols 
available for C/C++ traceback generation.

It may still be worth doing specifically for the sake of _frozen_importlib (as 
that usually *does* have the importlib._bootstrap code available at runtime), 
but I think it would be pretty specific to that particular case.

A more generally applicable feature would be a utility to take a traceback of 
the form created by -r (as shown by Marc-Andre above), and convert that back 
to a full traceback given a directory structure that matched the layout of the 
frozen modules.

--




[issue27942] Default value identity regression

2016-09-24 Thread Raymond Hettinger

Raymond Hettinger added the comment:

It would be nice to get this fixed.

--
nosy: +rhettinger




[issue18893] invalid exception handling in Lib/ctypes/macholib/dyld.py

2016-09-24 Thread INADA Naoki

INADA Naoki added the comment:

lgtm

--
nosy: +inada.naoki




[issue18893] invalid exception handling in Lib/ctypes/macholib/dyld.py

2016-09-24 Thread INADA Naoki

Changes by INADA Naoki :


--
versions: +Python 2.7, Python 3.5, Python 3.6 -Python 3.2, Python 3.3, Python 
3.4




[issue28252] Tuples used before introduction to tuple in tutorial

2016-09-24 Thread Raymond Hettinger

Raymond Hettinger added the comment:

The highly interrelated nature of Python makes it necessary for the early parts 
of any tutorial to have some forward references.  This doesn't appear to have 
impaired its usability in practice.

--
nosy: +rhettinger
resolution:  -> not a bug
status: open -> closed




[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
priority: normal -> high
versions: +Python 3.6, Python 3.7 -Python 3.5




[issue22519] integer overflow in computing byte's object representation

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

The code doesn't crash any more. It took me more than 5 GB of resident memory 
and about 90 CPU seconds to reproduce the circumstances of the overflow.

--
nosy: +christian.heimes
resolution:  -> fixed
status: open -> closed
type: security -> behavior




[issue22187] commands.mkarg() buggy in East Asian locales

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
priority: normal -> low
stage:  -> needs patch
type: security -> behavior




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Steve, is this bug still relevant and a security problem?

--
assignee:  -> steve.dower
nosy: +christian.heimes
versions: +Python 3.6, Python 3.7 -Python 3.2, Python 3.3, Python 3.4




[issue18789] XML Vunerability Table Unclear

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
keywords: +easy
type: security -> enhancement
versions: +Python 3.5, Python 3.6, Python 3.7 -Python 3.3, Python 3.4




[issue24201] _winreg PyHKEY Type Confusion

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Steve, Zach, please have a look.

--
assignee:  -> steve.dower
nosy: +christian.heimes
stage:  -> needs patch




[issue23505] Urlparse insufficient validation leads to open redirect

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

What's the verdict on this bug? It's been dangling for almost one and a half years.

--
nosy: +christian.heimes
versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4




[issue12238] Readline module loading in interactive mode

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Steve took care of the readline import for isolated mode in #28192. We can't 
change the default behavior. If you want to prevent Python from importing files 
from either cwd, user packages or env vars, you have to use isolated mode. 
System scripts should use the isolated mode flag, too.

--
nosy: +christian.heimes, steve.dower
status: open -> pending
superseder:  -> Don't import readline in isolated mode




[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
versions: +Python 3.7 -Python 3.4




[issue17405] Add _Py_memset_s() to securely clear memory

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
priority: normal -> low
versions: +Python 3.7 -Python 3.5




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Mark Lawrence

Changes by Mark Lawrence :


--
nosy:  -BreamoreBoy




[issue18789] XML Vunerability Table Unclear

2016-09-24 Thread Mark Lawrence

Changes by Mark Lawrence :


--
nosy:  -BreamoreBoy




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> docs@python
components: +Documentation -Extension Modules
nosy: +docs@python
type: security -> enhancement
versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4




[issue27235] Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

I agree with Xiang and Larry. I don't see how you can successfully create an 
overflow.

--
nosy: +christian.heimes
resolution:  -> not a bug
status: open -> pending




[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Alexander Sosedkin

New submission from Alexander Sosedkin:

I've managed to obtain several objects to which __getattribute__ cannot be 
applied.

Minimal non-working example (a more detailed one is attached):

    b = abs.__class__
    b.__getattribute__(b, 'x')

Proxying such objects turned out to be even harder than proxying everything 
else in Python (as if it wasn't already mindbogglingly hard).

As you can see, given that 'builtin_function_or_method' object you can obtain 
its __getattribute__, but you cannot apply it.

Tested with Python 3.5.2 and 3.6.0b1.

What's the deal with that broken __getattribute__? It seems to be specific to 
the 'builtin_function_or_method' class, but why is it broken? If it is 
"PyObject_GenericGetAttr", then why does object.__getattribute__(b, 'x') work? 
What am I missing?

--
components: Interpreter Core
files: getattribute.py
messages: 277332
nosy: t184256
priority: normal
severity: normal
status: open
title: builtin_function_or_method's __getattribute__ not applicable to self
type: behavior
versions: Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44802/getattribute.py




[issue28207] SQLite headers are not searched in custom locations

2016-09-24 Thread Santiago Castro

Santiago Castro added the comment:

Okay, that did work. But shouldn't it call pkg-config, so I don't need to set 
the flags manually?

I mean, I'm running this in my user's home, in a computer which I don't have 
root access, and I used Linuxbrew (https://github.com/Linuxbrew/brew) for this, 
and installed libbz2 headers, openssl headers, pkg-config, sqlite3 headers and 
all worked but finding the sqlite3 headers.

Just fyi, when I run pkg-config --cflags sqlite3 this is what I get:

-I/home/sacastro/.linuxbrew/Cellar/sqlite/3.14.1/include

which is ok.

--




[issue24201] _winreg PyHKEY Type Confusion

2016-09-24 Thread Steve Dower

Steve Dower added the comment:

I think this requires arbitrary code execution as a minimum - there's no way 
anyone would pass a user-provided value here - so the security implications are 
less interesting.

All we can really do is restrict the types accepted here, which I don't think 
is appropriate in a maintenance release. Possibly it's not too late to 
deprecate in 3.6 for removal in 3.8, but it is certainly a documented feature. 
Checking a handle for validity is not part of user mode API, as far as I know - 
EAFP.

--




[issue27766] Add ChaCha20 Poly1305 to SSL ciphers

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
dependencies:  -ssl: get CPU cap flags for AESNI and PCLMULQDQ
resolution:  -> fixed
stage: commit review -> resolved
status: open -> closed




[issue27778] PEP 524: Add os.getrandom()

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

I think the documentation is too specific. We typically don't document all 
possible error numbers. Something along the lines "fails with OSError when 
getrandom is not supported" is sufficient.

--
assignee:  -> docs@python
components: +Documentation
nosy: +docs@python
priority: normal -> low
type: security -> enhancement




[issue25300] Enable Intel MPX (Memory protection Extensions) feature

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Let's have another look at this enhancement for 3.7. Hopefully we have some 
machines to develop with and test MPX, too. I don't have any machine at home 
that supports hardware MPX. Does any of our buildbots have a Skylake with MPX?

--
nosy: +christian.heimes
versions:  -Python 3.6




[issue25235] EmailMessage.add_attachment() creates parts with spurious MIME-Version header.

2016-09-24 Thread Barry A. Warsaw

Barry A. Warsaw added the comment:

On Sep 24, 2016, at 05:06 PM, R. David Murray wrote:

>Barry, would you care to render an opinion on this proposed fix?

I think the general approach is probably the best you can do.  I noticed a
couple of things though with RDM's v.2 patch.

First, I get test failures when applying to the 3.5 branch, specifically
test_mime_version_added_to_mime_message() fails.  I won't attach the failure
I'm seeing unless you can't reproduce it.

Second, if I'm reading RFC 2045#section-4 correctly, I think the embedded
rfc822 attachment should have a MIME-Version header, in this code:

-snip snip-
from email.message import EmailMessage

m = EmailMessage()
m.set_content('This is a body')

o = EmailMessage()
o.add_attachment(m)

print(o)

print(m['mime-version'])
-snip snip-

But instead I get:

Content-Type: multipart/mixed; boundary="===4744209610526815348=="
MIME-Version: 1.0

--===4744209610526815348==
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is a body

--===4744209610526815348==--

1.0

--




[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Eric Snow

Eric Snow added the comment:

Hmm.  It's not clear what you're after here.  The error from your example code 
is correct.  The valid invocation is:

b.__getattribute__(abs, 'x')

That works just fine.  If you want to look up *class* attributes then you must 
call __getattribute__ on the class's class:

type(b).__getattribute__(b, 'x')

This is how attribute lookup works.  I recommend closing this as not-a-bug.  If 
you have further questions your best bet is to ask on the python-list mailing 
list.

--
nosy: +eric.snow
status: open -> pending




[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Martin Panter

Martin Panter added the comment:

Issue 17102 is open about the specific problem of escaping the destination 
directory. Maybe it is a duplicate, but this bug also discusses other problems.

--
dependencies: +tarfile extract can write files outside the destination path




[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Rouslan Korneychuk

New submission from Rouslan Korneychuk:

When building Python, the setup.py script will use values from sysconfig, even 
when cross compiling. When cross compiling, the interpreter that runs setup.py 
is configured for the build system, not the host system, so the wrong values 
are used. This patch should fix that.

It should be noted that the updated script assumes it is run from the build 
directory (like the Makefile) and that the script is at the top-level source 
directory. Also it uses a private method from sysconfig. This is unavoidable 
without modifying the sysconfig interface (or duplicating code).

--
components: Cross-Build
files: setup-fix.patch
keywords: patch
messages: 277340
nosy: Alex.Willmer, Rouslan Korneychuk
priority: normal
severity: normal
status: open
title: setup.py uses build Python's configuration when cross-compiling
type: behavior
versions: Python 3.5
Added file: http://bugs.python.org/file44803/setup-fix.patch




[issue7412] distutils install race condition

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

This is not a security problem per se. It's rather a request to change the 
behavior of package installation.

--
type: security -> behavior




[issue21109] tarfile: Traversal attack vulnerability

2016-09-24 Thread Larry Hastings

Changes by Larry Hastings :


--
nosy:  -larry




[issue23505] Urlparse insufficient validation leads to open redirect

2016-09-24 Thread Martin Panter

Martin Panter added the comment:

It is not clear what Yassine’s bug is. Maybe it is about round-tripping from 
urlparse() → urlunparse(). If so, it could be solved by fixing either of the 
following two problems:

1. urlunparse() forgets the initial pair of slashes when netloc="". That might 
be addressed by Issue 22852, and documented as a limitation in the mean time.

2. urlunparse() accepts invalid components, such as netloc="", 
path="//evil.com", which transforms the path into a hostname. Yassine preferred 
to percent-encode the path and pass it through, though I think an exception 
would be more sensible. Or just documenting that there is little or no 
validation.

When considering the second problem of validation, you have to be aware that 
urlunparse() is documented to handle schemes like “mailto:” not listed in 
“uses_netloc”. According to RFC 6068, mailto://evil.com is valid syntax, and is 
decoded to netloc="", path="//evil.com". In this case, netloc="evil.com" would 
probably be invalid instead.

--
dependencies: +urllib.parse wrongly strips empty #fragment, ?query, //netloc
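
Martin Panter's second point above, illustrated as an added example (not code from the tracker or from urllib): a wrapper that raises on the component combination he describes, with the "mailto:" exception he notes, plus a check for redirect targets. `parsed_host`, `checked_urlunparse` and `is_local_redirect` are hypothetical names, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit, urlunparse, uses_netloc


def parsed_host(url):
    """Return the network location a parser reads out of `url`.

    parsed_host("//evil.com") is "evil.com": a string that was meant as a
    path becomes a hostname once it is parsed again.
    """
    return urlsplit(url).netloc


def checked_urlunparse(parts):
    """urlunparse() that raises on components which cannot round-trip.

    The check is made on the inputs rather than on urlunparse()'s output,
    so it does not depend on how a given Python release serialises them.
    """
    scheme, netloc, path, params, query, fragment = parts
    # Schemes outside uses_netloc (for example "mailto") have no authority
    # part, so a path beginning with "//" is left alone for them.
    takes_netloc = scheme == "" or scheme in uses_netloc
    if takes_netloc and not netloc and path.startswith("//"):
        raise ValueError(
            "empty netloc with path %r would be re-read as a host" % path)
    return urlunparse(parts)


def is_local_redirect(target):
    """Accept only same-site absolute paths as redirect targets."""
    if "\\" in target:
        # Browsers treat a backslash like a forward slash in http(s) URLs.
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Exactly one leading slash: "//host" and "////host" are both refused.
    return parts.path.startswith("/") and not parts.path.startswith("//")


def rejects(parts):
    """True when checked_urlunparse() refuses the given components."""
    try:
        checked_urlunparse(parts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parsed_host("//evil.com"))
    print(rejects(("", "", "//evil.com", "", "", "")))
    print(checked_urlunparse(("http", "example.org", "/a", "", "", "")))
    for target in ("/account?tab=1", "//evil.com", "https://evil.com/"):
        print(target, is_local_redirect(target))
```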

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Zachary Ware

Zachary Ware added the comment:

Could you try 3.6b1 and see if it works correctly for you? Cross-building 
support has changed significantly in 3.6.

--
nosy: +doko, xdegaye, zach.ware




[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Rouslan Korneychuk

Rouslan Korneychuk added the comment:

Here is an updated patch for 3.6b1. I was able to compile Python with the 
changes, natively (x86_64 linux) and for ARM, using an Android "isolated 
toolchain." However, with the ARM build, a file named 
_sysconfigdata_m_linux_x86_64-linux-gnu.py ended up in 
build/lib.linux-x86_64-3.6 instead of build/lib.linux-arm-3.6 like the ".so"s 
did. I don't know what created the file or where it's used. I'm sure I could 
figure it out if I investigate, but I'll wait for a reply first, since this is 
new behaviour and I figure someone on here could save me some trouble.

--
versions: +Python 3.6
Added file: http://bugs.python.org/file44804/setup-fix.patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue28265] builtin_function_or_method's __getattribute__ not applicable to self

2016-09-24 Thread Alexander Sosedkin

Alexander Sosedkin added the comment:

Oh, I see. The invocation b.__getattribute__(b, attrname) worked on so many 
objects that I didn't even think it could be incorrect.

Sorry for wasting your time.

--
resolution:  -> not a bug
status: pending -> closed




[issue28266] setup.py uses build Python's configuration when cross-compiling

2016-09-24 Thread Chi Hsuan Yen

Chi Hsuan Yen added the comment:

This was fixed two weeks ago. See issue28046. The relevant fix is at 
http://bugs.python.org/issue28046#msg275845. Xavier pushed it to default before 
the 3.6 branch was created. I guess it should already be in 3.6b1??

Current hg tip works for me:

$ find build/21-aarch64-linux-android-4.9/lib/python3.7 -name '*sysconfigdata*.py'
build/21-aarch64-linux-android-4.9/lib/python3.7/_sysconfigdata_m_linux_aarch64-linux-android.py
build/21-aarch64-linux-android-4.9/lib/python3.7/lib-dynload/_sysconfigdata_m_linux_aarch64-linux-android.py

I'm using my own build script: https://github.com/yan12125/python3-android. If 
different build scripts lead to different results, CPython should handle it. 
Rouslan, would you like to share your build script?

--
nosy: +Chi Hsuan Yen




[issue28207] SQLite headers are not searched in custom locations

2016-09-24 Thread Chi Hsuan Yen

Chi Hsuan Yen added the comment:

Hmmm, currently only _ctypes uses pkg-config to detect libffi's header path, as 
it's not easy to determine without pkg-config. Is there a magic that enables 
openssl and bz2 outside standard paths :)

Anyway, using pkg-config is not a bad idea. I'd like to hear from some core 
developers. Zach, is it a good idea to introduce pkg-config for dependencies?

--
nosy: +zach.ware
