The Wayback Machine - https://web.archive.org/web/20221209015444/https://github.com/python/cpython/commits/3.8

Commits on Dec 6, 2022

  1. Post 3.8.16

    ambv committed Dec 6, 2022
  2. Python 3.8.16

    ambv committed Dec 6, 2022
  3. [3.8] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100033)
    
    * gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
    
    Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
    (cherry picked from commit d8ab0a4)
    
    Co-authored-by: Gregory P. Smith <[email protected]>
    
    * also escape \s (backport of PR #100038).
    
    * add versionadded and remove extraneous 'to'
    
    Co-authored-by: Gregory P. Smith <[email protected]>
    miss-islington and gpshead committed Dec 6, 2022

Commits on Nov 21, 2022

  1. [3.8] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99661)
    
    (cherry picked from commit 7b98207)
    
    Co-authored-by: Steve Dower <[email protected]>
    miss-islington and zooba committed Nov 21, 2022

Commits on Nov 10, 2022

  1. [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (GH-99231)
    
    There was an unnecessary quadratic loop in idna decoding. This restores
    the behavior to linear.
    
    (cherry picked from commit d315722)
    (cherry picked from commit a6f6c3a)
    
    Co-authored-by: Miss Islington (bot) <[email protected]>
    Co-authored-by: Gregory P. Smith <[email protected]>
    miss-islington and gpshead committed Nov 10, 2022

Commits on Oct 28, 2022

  1. [3.8] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98527)

    This is a port of the applicable part of XKCP's fix [1] for
    CVE-2022-37454 and avoids the segmentation fault and the infinite
    loop in the test cases published in [2].
    
    [1]: XKCP/XKCP@fdc6fef
    [2]: https://mouha.be/sha-3-buffer-overflow/
    
    Regression test added by: Gregory P. Smith [Google LLC] <[email protected]>
    (cherry picked from commit 0e4e058)
    
    Co-authored-by: Theo Buehler <[email protected]>
    miss-islington and botovq committed Oct 28, 2022
  2. [3.8] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98787)

    Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
    
    Co-authored-by: Shaun Walbridge <[email protected]>
    (cherry picked from commit 3e07f82)
    miss-islington committed Oct 28, 2022

Commits on Oct 11, 2022

  1. [3.8] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98192)
    
    gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
    (cherry picked from commit b9509ba)
    
    Co-authored-by: Petr Viktorin <[email protected]>
    Co-authored-by: Łukasz Langa <[email protected]>
    3 people committed Oct 11, 2022
  2. [3.8] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98197)
    
    gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)
    
    A regression would still absolutely fail and even a flaky pass isn't
    harmful as it'd fail most of the time across our N system test runs.
    
    Windows has a low resolution timer and CI systems are prone to odd
    timing so this just gives more leeway to avoid flakiness.
    (cherry picked from commit 11e3548)
    
    Co-authored-by: Gregory P. Smith <[email protected]>
    miss-islington and gpshead committed Oct 11, 2022
  3. Post 3.8.15

    ambv committed Oct 11, 2022
  4. Python 3.8.15

    ambv committed Oct 11, 2022

Commits on Oct 4, 2022

  1. [3.8] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97835)
    
    [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
    
    When ValueError is raised if an integer is larger than the limit,
    mention sys.set_int_max_str_digits() in the error message.
    
    (cherry picked from commit e841ffc)
    
    Co-authored-by: Ned Deily <[email protected]>
    (cherry picked from commit 4118813)
    
    Co-authored-by: Victor Stinner <[email protected]>
    miss-islington and vstinner committed Oct 4, 2022
  2. [3.8] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97575)
    
    Fix command line parsing: reject "-X int_max_str_digits" option with
    no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
    variable is set to a valid limit.
    (cherry picked from commit 4135166)
    
    Co-authored-by: Victor Stinner <[email protected]>
    miss-islington and vstinner committed Oct 4, 2022
  3. [3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658)
    
    gh-96577: Fixes buffer overrun in _msi module (GH-96633)
    (cherry picked from commit 4114bcc)
    
    Co-authored-by: Steve Dower <[email protected]>
    miss-islington and zooba committed Oct 4, 2022
  4. [3.8] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97013)
    
    gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
    
    Co-authored-by: Gregory P. Smith [Google] <[email protected]>
    (cherry picked from commit 10e3d39)
    
    Co-authored-by: Dong-hee Na <[email protected]>
    miss-islington and corona10 committed Oct 4, 2022
  5. [3.8] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97628)
    
    gh-97616: list_resize() checks for integer overflow (GH-97617)
    
    Fix multiplying a list by an integer (list *= int): detect the
    integer overflow when the new allocated length is close to the
    maximum size.  Issue reported by Jordan Limor.
    
    list_resize() now checks for integer overflow before multiplying the
    new allocated length by the list item size (sizeof(PyObject*)).
    (cherry picked from commit a5f092f)
    
    Co-authored-by: Victor Stinner <[email protected]>
    miss-islington and vstinner committed Oct 4, 2022
  6. [3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633)
    
    Fix a shell code injection vulnerability in the
    get-remote-certificate.py example script. The script no longer uses a
    shell to run "openssl" commands. Issue reported and initial fix by
    Caleb Shortt.
    
    Remove the Windows code path to send "quit" on stdin to the "openssl
    s_client" command: use DEVNULL on all platforms instead.
    
    Co-authored-by: Caleb Shortt <[email protected]>
    (cherry picked from commit 83a0f44)
    
    Co-authored-by: Victor Stinner <[email protected]>
    miss-islington and vstinner committed Oct 4, 2022

Commits on Sep 11, 2022

  1. [3.8] Update bugs URL references in README and Docs/bugs.rst from bpo to gh issues (GH-96728)
    
    Co-authored-by: roy reznik <[email protected]>
    Co-authored-by: Inada Naoki <[email protected]>
    Co-authored-by: Ezio Melotti <[email protected]>
    4 people committed Sep 11, 2022

Commits on Sep 6, 2022

  1. Post 3.8.14

    ambv committed Sep 6, 2022
  2. Python 3.8.14

    ambv committed Sep 6, 2022

Commits on Sep 5, 2022

  1. [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96503)

    * Correctly pre-check for int-to-str conversion
    
    Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
    
    The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
    
    The justification for the current check. The C code check is:
    ```c
    max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
    ```
    
    In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
    $$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
    
    From this it follows that
    $$\frac{M}{3L} < \frac{s-1}{10}$$
    hence that
    $$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
    So
    $$2^{L(s-1)} > 10^M.$$
    But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
    
    <!-- gh-issue-number: gh-95778 -->
    * Issue: gh-95778
    <!-- /gh-issue-number -->
    
    Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
    Co-authored-by: Christian Heimes <[email protected]>
    Co-authored-by: Mark Dickinson <[email protected]>
    3 people committed Sep 5, 2022

Commits on Jul 28, 2022

  1. [3.8] gh-90359: Update documentation to follow PEP 495. (gh-94800). (GH-94834)
    
    (cherry picked from commit 07374cc)
    
    Co-authored-by: Dong-hee Na <[email protected]>
    corona10 committed Jul 28, 2022

Commits on Jul 27, 2022

  1. [3.8] gh-94208: Add more TLS version/protocol checks for FreeBSD (GH-94347) (GH-95313)
    
    Three test cases were failing on FreeBSD with latest OpenSSL.
    (cherry picked from commit 1bc86c2)
    
    Co-authored-by: Christian Heimes <[email protected]>
    ambv and tiran committed Jul 27, 2022

Commits on Jul 5, 2022

  1. [3.8] gh-90355: Add isolated flag if currently isolated (GH-92857) (GH-94571)
    
    Co-authored-by: Carter Dodd <[email protected]>
    Co-authored-by: Éric <[email protected]>
    Co-authored-by: Łukasz Langa <[email protected]>
    (cherry picked from commit c8556bc)
    ambv committed Jul 5, 2022

Commits on Jul 1, 2022

  1. [3.8] gh-81054: Document that SimpleHTTPRequestHandler follows symbolic links (GH-94416) (GH-94495)
    
    (cherry picked from commit 80aaeab)
    
    Co-authored-by: Sam Ezeh <[email protected]>
    ambv and dignissimus committed Jul 1, 2022

Commits on Jun 22, 2022

  1. gh-91172: Create a workflow for verifying bundled pip and setuptools (GH-31885) (GH-94124)
    
    Co-authored-by: Hugo van Kemenade <[email protected]>
    Co-authored-by: Adam Turner <[email protected]>
    (cherry picked from commit d36954b)
    
    Co-authored-by: Illia Volochii <[email protected]>
    miss-islington and illia-v committed Jun 22, 2022
  2. gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94094)
    
    Fix an open redirection vulnerability in the `http.server` module when
    an URI path starts with `//` that could produce a 301 Location header
    with a misleading target.  Vulnerability discovered, and logic fix
    proposed, by Hamza Avvan (@hamzaavvan).
    
    Test and comments authored by Gregory P. Smith [Google].
    (cherry picked from commit 4abab6b)
    
    Co-authored-by: Gregory P. Smith <[email protected]>
    miss-islington and gpshead committed Jun 22, 2022

Commits on Jun 6, 2022

  1. gh-83728: Add hmac.new default parameter deprecation (GH-91939) (GH-93547)
    
    (cherry picked from commit 56b5daf)
    
    Co-authored-by: Stanley <[email protected]>
    miss-islington and slateny committed Jun 6, 2022
  2. bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) (GH-92954)

    (cherry picked from commit 2985fea)
    
    Co-authored-by: Christian Heimes <[email protected]>
    vstinner and tiran committed Jun 6, 2022

Commits on May 24, 2022

  1. [3.8] gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (#93148)
    
    Also while there, clarify a few things about why we reduce the hash to 32 bits.
    
    Co-authored-by: Eli Libman <[email protected]>
    Co-authored-by: Yury Selivanov <[email protected]>
    Co-authored-by: Łukasz Langa <[email protected]>
    
    (cherry picked from commit c1f5c90)
    ambv committed May 24, 2022

Commits on May 16, 2022

  1. [3.8] gh-80254: Disallow recursive usage of cursors in sqlite3 converters (#92333)
    
    (cherry picked from commit c908dc5)
    
    Co-authored-by: Sergey Fedoseev <[email protected]>
    Co-authored-by: Jelle Zijlstra <[email protected]>
    3 people committed May 16, 2022
  2. bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32250)
    
    (cherry picked from commit 6066739)
    
    Co-authored-by: Zachary Ware <[email protected]>
    miss-islington and zware committed May 16, 2022

Commits on May 12, 2022

  1. [3.8] gh-92448: Update the documentation builder to render the GitHub… (GH-92605)
    
    (cherry picked from commit 45e1721)
    
    Co-authored-by: Dong-hee Na <[email protected]>
    corona10 committed May 12, 2022

Commits on May 10, 2022

  1. [3.8] Update Sphinx bpo role to use redirect URI. (#91892)

    * Update Sphinx bpo role to use redirect URI. (GH-32342)
    
    * [3.8] Update Sphinx bpo role to use redirect URI. (GH-32342).
    (cherry picked from commit 08cfe07)
    
    Co-authored-by: Ezio Melotti <[email protected]>
    ezio-melotti committed May 10, 2022
  2. Add redirects to Misc/NEWS bpo links (GH-91454) (#91895)

    (cherry picked from commit 17dbb6b)
    
    Co-authored-by: Ezio Melotti <[email protected]>
    
    Co-authored-by: Ezio Melotti <[email protected]>
    miss-islington and ezio-melotti committed May 10, 2022