[issue13609] Add "os.get_terminal_size()" function

Martin v. Löwis added the comment: Zitat von Antoine Pitrou : > Antoine Pitrou added the comment: > > The point of named tuples here is that you can use both > get_terminal_size().columns > or > columns, rows = get_terminal_size() > depending on the situation. And my point is that we

[issue13642] urllib incorrectly quotes username and password in https basic auth

Joonas Kuorilehto added the comment: Updated patch for 2.7 hg tip attached. Please review, test and if ok, port to 3.x. I guess the URL needs to be quoted so commented out the assertion for the URL being equal. I added unquote in the base64 encoding of the password, which makes the test pass

[issue13703] Hash collision security issue

Terry J. Reedy added the comment: Those who use or advocate a simple randomized starting hash (Perl, Ruby, perhaps MS, and the CCC presenters) are presuming that the randomized hash values are kept private. Indeed, they should be (and the docs could note this) unless an attacker has direct ac

[issue13703] Hash collision security issue

Paul McMillan added the comment: As Alex said, Java has refused to fix the issue. I believe that Ruby 1.9 (at least the master branch code that I looked at) is using murmurhash2 with a random seed. In either case, yes, these functions are vulnerable to a number of attacks. We're solving the pr

[issue13701] Remove Decimal Python 2.3 Compatibility

Raymond Hettinger added the comment: Mark, do you think the C version of decimal is going to happen for 3.3? If so, it make little sense to make any changes at all the current version of the pure python code. Another advantage to leaving the pure python code alone is that it will make mainte

[issue13642] urllib incorrectly quotes username and password in https basic auth

Joonas Kuorilehto added the comment: > Regarding unittests instead, there is already a method called > test_userpass_inurl which could be extended with some tests on a > password containing spaces ( Lib/test/test_urllib.py:263). But what > I haven't yet understood is: does it really exists a use

[issue8184] multiprocessing.managers will not fail if listening ocket already in use

Phill added the comment: Rather than listening on a socket, listening on a named pipe eg: address = (r'\\.\pipe\Test', 'AF_PIPE') listener = Listener(*address) conn = listener.accept() It doesnt raise an exception when i run the script again a second time. Like I said, I dont know much about

[issue13703] Hash collision security issue

Alex Gaynor added the comment: Perl is so paranoid they obscure their variable names! In all seriousness, both Perl and Ruby are vulnerable to the timing attacks, and as far as I know the JVM is not patching this themselves, but telling applications to fix it themselves (I know JRuby switche

[issue13703] Hash collision security issue

Christian Heimes added the comment: Either we are really paranoid (I know that I am *g*) or Perl's and Ruby's randomized hashing function suffer from the issues we are worried about. They don't compensate for hash(''), hash(n * '\0') or hash(shortstring). Perl 5.12.4 hv.h: #define PERL_HASH(

[issue13703] Hash collision security issue

STINNER Victor added the comment: "Given that a user has an application with an oracle function that returns the hash of a unicode string, an attacker can probe tenth of thousand one and two character unicode strings. That should give him/her enough data to calculate both seeds. hash("") alre

[issue8184] multiprocessing.managers will not fail if listening ocket already in use

Antoine Pitrou added the comment: > im not sure if thats how named pipes are supposed to behave though I'm not sure what you mean. Are you creating named pipes yourself? -- ___ Python tracker _

[issue8184] multiprocessing.managers will not fail if listening ocket already in use

Phill added the comment: I have commented out the line: self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) In lib/multiprocessing/connection.py as a test and it works fine, the problem still persists for named pipes (im not sure if thats how named pipes are supposed to behave

[issue13609] Add "os.get_terminal_size()" function

Antoine Pitrou added the comment: > I don't think that it's possible that stdin, stdout and/or stderr have > its own terminal. I suppose that the 3 streams are always attached to > the same terminal. So I don't see why the function would take an > argument. Tell me if I am wrong. I think it can

[issue13703] Hash collision security issue

STINNER Victor added the comment: Note for myself, random-2.patch: _PyRandom_Init() must generate a prefix and a suffix different than zero (call PyOS_URandom in a loop, and fail after 100 tries). -- ___ Python tracker

[issue8184] multiprocessing.managers will not fail if listening ocket already in use

Phill added the comment: Normally I would be happy to but my combined python experience is about 30 minutes so I am probably not the man -- ___ Python tracker ___ __

[issue13609] Add "os.get_terminal_size()" function

STINNER Victor added the comment: Some comments about termsize.diff.3. I don't see why there are two functions, one should be enough: get_terminal_size() should be dropped, and query_terminal_size() renamed to get_terminal_size(). As said before, I don't think that reading ROWS and COLUMNS e

[issue13703] Hash collision security issue

STINNER Victor added the comment: > What I propose is to make the amount of information necessary > to analyze and generate collisions impractically large. Not only: the attacker has to compute the collisions for the new seed. I don't know how long it is, the code to generate collisions is not

[issue9993] shutil.move fails on symlink source

Antoine Pitrou added the comment: Thanks! I think we also need a doc update for the change in behaviour (with a "versionchanged" tag). -- ___ Python tracker ___

[issue12415] Missing: How to checkout the Doc sources

Sandro Tosi added the comment: Hi Éric, did you reconsider the text of the patch or this issue just passed under your radar? -- ___ Python tracker ___ _

[issue9993] shutil.move fails on symlink source

Hynek Schlawack added the comment: I took the liberty to fix the tests. Basically I've adapted them to the new mock based cross file system approach (that doesn't depend on luck anymore :)). I also had to add one more `os.path.realpath` because on some OS (like OS X) the tmp directory path a

[issue13609] Add "os.get_terminal_size()" function

Antoine Pitrou added the comment: The point of named tuples here is that you can use both get_terminal_size().columns or columns, rows = get_terminal_size() depending on the situation. Also, the better repr() makes debugging easier. -- ___ Py

[issue13703] Hash collision security issue

Paul McMillan added the comment: Marc-Andre: Victor already pasted the relevant part of my code: http://bugs.python.org/issue13703#msg150568 The link to the fuller version, with revision history and a copy of the code before I modified it is here: https://gist.github.com/0a91e52efa74f61858b5 >

[issue13609] Add "os.get_terminal_size()" function

Zbyszek Szmek added the comment: > I haven't read much of this issue, but I strongly dislike the use of > named tuples. I don't really have a very strong opinion, but (cols, rows) does seem a lot like a tuple -- it really is just a pair of values without other function or state. Still I would

[issue10542] Py_UNICODE_NEXT and other macros for surrogates

Benjamin Peterson added the comment: Closing now. -- nosy: +benjamin.peterson resolution: -> out of date status: open -> closed ___ Python tracker ___ _

[issue10521] str methods don't accept non-BMP fillchar on a narrow Unicode build

Benjamin Peterson added the comment: I'm just going to close this and say "use 3.3". -- nosy: +benjamin.peterson resolution: -> out of date status: open -> closed ___ Python tracker __

[issue13701] Remove Decimal Python 2.3 Compatibility

Martin v. Löwis added the comment: I suggest to remove all mentionings of 2.3 compatibility from the file (I actually could find only a single one), for 3.3. Changing 3.2 is out of scope, as it isn't a bug fix (except that the one place referring to 2.3 claims that there is a comment at the t

[issue13609] Add "os.get_terminal_size()" function

Martin v. Löwis added the comment: I haven't read much of this issue, but I strongly dislike the use of named tuples. Either we want people to use named fields, then we should use a regular class (possibly with slots), or we want to define the result as two values, then there should be a plai

[issue13697] python RLock implementation unsafe with signals

Antoine Pitrou added the comment: > The first and most simple thing we could do would be to nuke the > Python version (and also the loggin hack at the same time): does that > sound reasonable ? To me, yes, but I think it's better to ask on python-dev as for nuking the Python version. -

[issue13511] Specifying multiple lib and include directories on linux

Martin v. Löwis added the comment: See http://www.gnu.org/software/autoconf/manual/autoconf.html for a description of the includedir and libdir options: — Variable: includedir The directory for installing C header files. — Variable: libdir The directory for installing object code libraries. So

[issue13717] print fails on unicode '\udce5' surrogates not allowed

Antoine Pitrou added the comment: The file tree contains a file which has an undecodable character in it. It ends up mangled as specified in PEP 383. Priting such filenames is not directly supported (since they have invalid characters in them), but you can workaround it in several ways, for ex

[issue13717] print fails on unicode '\udce5' surrogates not allowed

Ezio Melotti added the comment: On Python 3, os.walk() uses the surrogateescape error handler. If the filename is in e.g. iso-8859-* and the filesystem encoding is UTF-8, decoding '\xe5' will then result in '\udce5', and '\udce5' can't then be printed because it's a lone surrogate. See also

[issue13703] Hash collision security issue

Changes by Glenn Linderman : -- nosy: +v+python ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.pyt

[issue13717] print fails on unicode '\udce5' surrogates not allowed

New submission from Atle Pedersen : I've made a short program to traverse file tree and print file names. for root, dirs, files in os.walk(path): for f in files: hex = ' '.join(["%02X"%ord(x) for x in f]) print('file is',hex,f) This fails with the followi

[issue13716] distutils doc contains lots of XXX

Changes by Florent Xicluna : -- nosy: +eric.araujo, tarek versions: +Python 3.2, Python 3.3 ___ Python tracker ___ ___ Python-bugs-lis

[issue13716] distutils doc contains lots of XXX

New submission from Florent Xicluna : http://docs.python.org/distutils/apiref.html?highlight=XXX#module-distutils.ccompiler We find lots of "XXX" and "XXX see also." which give no information. -- assignee: docs@python components: Documentation messages: 150683 nosy: docs@python, flox pr

[issue12042] What's New multiprocessing example error

Sandro Tosi added the comment: Thanks Davi for the report and Jordan for the patch! Jordan, a tip for your (hopefully) future contributions: for doc patches, please don't re-indent the whole paragraph, since it makes harder to identify the actual changes, just change what is needed, and the c

[issue12042] What's New multiprocessing example error

Roundup Robot added the comment: New changeset 3353f9747a39 by Sandro Tosi in branch '2.7': Issue #12042: a queue is only used to retrive results; preliminary patch by Jordan Stadler http://hg.python.org/cpython/rev/3353f9747a39 New changeset 0d4bb1356f39 by Sandro Tosi in branch '3.2': Issue

[issue11984] Wrong "See also" in symbol and token module docs

Sandro Tosi added the comment: Hi Davi, thanks for your report! I've removed the reference from symbol to parser, given this last module doesn't show anymore how to user symbol, and it's encouraging to use ast module instead. -- nosy: +sandro.tosi resolution: -> fixed stage: -> comm

[issue11984] Wrong "See also" in symbol and token module docs

Roundup Robot added the comment: New changeset d8102ccc5bf7 by Sandro Tosi in branch '2.7': Issue #11984: remove reference to parser, it's not showing symbol usage anymore http://hg.python.org/cpython/rev/d8102ccc5bf7 New changeset b326d90ce9c9 by Sandro Tosi in branch '3.2': Issue #11984: remo

[issue12926] tarfile tarinfo.extract*() broken with symlinks

Lars Gustäbel added the comment: This should be fixed now, thanks. -- resolution: -> fixed stage: -> committed/rejected status: open -> closed versions: +Python 3.3 ___ Python tracker ___

[issue12926] tarfile tarinfo.extract*() broken with symlinks

Roundup Robot added the comment: New changeset 573fc99873bd by Lars Gustäbel in branch '3.2': Issue #12926: Fix a bug in tarfile's link extraction. http://hg.python.org/cpython/rev/573fc99873bd New changeset 5936c2005ab7 by Lars Gustäbel in branch 'default': Merge from 3.2: Issue #12926: Fix a

[issue13697] python RLock implementation unsafe with signals

Charles-François Natali added the comment: > Hmm, but that would break single-threaded programs which expect their > select() (or other) to return EINTR when a signal is received (which is > a perfectly valid expectation in that case). Yes, that's why I said "that"s another story" ;-) EINTR is

[issue8184] multiprocessing.managers will not fail if listening ocket already in use

Charles-François Natali added the comment: > If the above gets solved on windows my problem will just go away, thanks Would you like to propose a patch with test? -- ___ Python tracker

[issue12760] Add create mode to open()

Charles-François Natali added the comment: I've done a small review. -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsu

[issue13715] typo in unicodedata documentation

Changes by Ezio Melotti : -- assignee: docs@python -> ezio.melotti nosy: +ezio.melotti stage: -> patch review type: -> enhancement versions: -Python 2.6, Python 3.1, Python 3.4 ___ Python tracker ___

[issue13702] relative symlinks in tarfile.extract broken (windows)

Lars Gustäbel added the comment: The dereference option is only used for archive creation, so the contents of the file a symbolic link is pointing to is added instead of the symbolic link itself. -- ___ Python tracker

[issue13702] relative symlinks in tarfile.extract broken (windows)

Patrick von Reth added the comment: to ignore the bug I also tried dereference=True, but it looks like python3 is ignoring it for extraction. Is this the normal behavior or just another bug? -- ___ Python tracker

[issue13702] relative symlinks in tarfile.extract broken (windows)

Lars Gustäbel added the comment: You actually hit two bugs at the same time here: The target of the created symlink was not translated from unix to windows path delimiters and is therefore broken. The second bug is issue12926 which leads to the error in TarFile.makefile(). Brian, AFAIK all

[issue13715] typo in unicodedata documentation

New submission from Eli Collins : I noticed a minor typo in the unicodedata.normalize() documentation... The line reading 'U+0327 (COMBINING CEDILLA) U+0043 (LATIN CAPITAL LETTER C)' is not proper unicode, it should be in the reverse order: 'U+0043 (LATIN CAPITAL LETTER C) U+0327 (COMBINING CE

[issue13128] httplib debuglevel on CONNECT doesn't print response headers

Changes by Antoine Pitrou : -- nosy: +orsenthil versions: +Python 3.3 -Python 2.7 ___ Python tracker ___ ___ Python-bugs-list mailing

[issue13712] pysetup create should not convert package_data to extra_files

Erik Bray added the comment: FWIW, I'm for the first option for specifying package_data: [files] package_data = spam = first second third I'm pretty sure this is how I ended up implementing it in d2to1, since I needed this functionality. Theoretically spaces could be supported with an es

[issue13703] Hash collision security issue

Antoine Pitrou added the comment: > I concur with Marc. The change is too intrusive and may cause too much > trouble for the issue. Do you know if mod_wsgi et al. are tackling the issue on their side? > Also it seems to be unnecessary for platforms with 64bit hash. We still support Python on

[issue13699] test_gdb has recently started failing

Roundup Robot added the comment: New changeset a3d4cde1c357 by Vinay Sajip in branch '3.2': Closes #13699. Skipped two tests if Python is optimised. http://hg.python.org/cpython/rev/a3d4cde1c357 New changeset 7d87ebbbd718 by Vinay Sajip in branch 'default': Closes #13699: merged fix from 3.2. h

[issue13714] Methods of ftplib never ends if the ip address changes

Giampaolo Rodola' added the comment: Python can't do that. It's a socket implementation detail. Python just exposes the underlying socket implementation as-is. I'm closing this out as rejected. -- assignee: -> giampaolo.rodola resolution: -> rejected status: open -> closed _

[issue13703] Hash collision security issue

Mark Shannon added the comment: But that's not the issue we are supposed to be dealing with. A single (genuinely random) seed will deal with the attack described in the talk and it is (almost) as fast as using 0 as a seed. Why make things complicated dealing with a hypothetical problem? >> Why

[issue13714] Methods of ftplib never ends if the ip address changes

Sworddragon added the comment: If i set the timeout argument an exception s thrown if the ip address is changed. At least it's a workaround but we should think about if Python shouldn't try to detect changes of the ip address. It would be nicer to continue the file transfer like it does if th

[issue13714] Methods of ftplib never ends if the ip address changes

Giampaolo Rodola' added the comment: Since you say the connection hangs I think you can set a timeout: >>> ftp = ftplib.FTP(..., timeout=30) That is applied to both control and data connection (and hence storbinary). This way you should get a socket.timeout exception after 30 seconds. --

[issue13703] Hash collision security issue

Christian Heimes added the comment: It's quite possible that a user has created a function (by mistake or deliberately) that gives away the hash of an arbitrary string. We haven't taught developers that (s)he shouldn't disclose the hash of a string. > Why should hash("") always return 0? > I

[issue13714] Methods of ftplib never ends if the ip address changes

Sworddragon added the comment: The problem is that it is for example here in germany very common that the provider disconnects the client every 24 hours and gives him a new ip address if his router reconnects. This makes it very difficult to send big files with ftplib. For example for daily

[issue13714] Methods of ftplib never ends if the ip address changes

Giampaolo Rodola' added the comment: What storbinary does is just using a socket to send data. There's no way for storbinary to ask the socket whether an unpredicted event such as an IP change occurred and neither it should. As a user, you just shouldn't change the IP address while a network a

[issue13703] Hash collision security issue

Mark Shannon added the comment: What is the mechanism by which the attacker can determine the seeds? The actual hash value is not directly observable externally. The attacker can only determine the timing effects of multiple insertions into a dict, or have I missed something? > - hash("") shou

[issue13714] Methods of ftplib never ends if the ip address changes

Sworddragon added the comment: If the connection gets lost and reconnected again but the ip address doesn't change storbinary() continues the data transfer. But if the ip address was changed due to the reconnect storbinary() hangs in a loop. I expect either that storbinary() detects the chang

[issue13714] Methods of ftplib never ends if the ip address changes

Giampaolo Rodola' added the comment: It seems expected behavior to me, and the same issue should apply to all other network libs as well. What would you expect ftplib to do in such case? -- nosy: +giampaolo.rodola ___ Python tracker

[issue13703] Hash collision security issue

Marc-Andre Lemburg added the comment: Paul McMillan wrote: > > This is not something that can be fixed by limiting the size of POST/GET. > > Parsing documents (even offline) can generate these problems. I can create > books that calibre (a Python-based ebook format shifting tool) can't conve