3.8
Commits on Mar 13, 2023
- [3.8] gh-102627: Replace address pointing toward malicious web page (GH-102630) (GH-102667)
  (cherry picked from commit 61479d4)
  Co-authored-by: Blind4Basics <[email protected]>
  Co-authored-by: C.A.M. Gerlach <[email protected]>
  Co-authored-by: Hugo van Kemenade <[email protected]>
Commits on Mar 7, 2023
- [3.8] gh-101726: Update the OpenSSL version to 1.1.1t (GH-101727) (GH-101752)
  Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
  https://www.openssl.org/news/secadv/20230207.txt
  Co-authored-by: Gregory P. Smith <[email protected]>
  Co-authored-by: Ned Deily <[email protected]>
Commits on Feb 9, 2023
- [3.8] gh-101283: Improved fallback logic for subprocess with shell=True on Windows (GH-101286) (#101710)
  Co-authored-by: Oleg Iarygin <[email protected]>
  Co-authored-by: Steve Dower <[email protected]>
Commits on Jan 30, 2023
- gh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (GH-101424)
  (cherry picked from commit ea23271)
  Co-authored-by: Owain Davies <[email protected]>
Commits on Jan 21, 2023
- [3.8] Bump Azure Pipelines to ubuntu-22.04 (GH-101089) (#101215)
  (cherry picked from commit c22a55c)
  Co-authored-by: Hugo van Kemenade <[email protected]>
Commits on Jan 20, 2023
- [3.8] Correct CVE-2020-10735 documentation (GH-100306) (#100698)
  (cherry picked from commit 1cf3d78)
  (cherry picked from commit 88fe8d7)
  Co-authored-by: Jeremy Paige <[email protected]>
  Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Jan 9, 2023
- [3.8] Update copyright year in README (GH-100863) (GH-100867)
  (cherry picked from commit 30a6cc4)
  Co-authored-by: Ned Deily <[email protected]>
  Co-authored-by: HARSHA VARDHAN <[email protected]>
Commits on Jan 8, 2023
- [3.8] Update copyright years to 2023. (gh-100852)
  * [3.8] Update copyright years to 2023. (gh-100848). (cherry picked from commit 11f9932)
    Co-authored-by: Benjamin Peterson <[email protected]>
  * Update additional copyright years to 2023.
  Co-authored-by: Ned Deily <[email protected]>
Commits on Dec 6, 2022
- [3.8] gh-100001: Omit control characters in http.server stderr logs. (GH-100002) (#100033)
  * gh-100001: Omit control characters in http.server stderr logs. (GH-100002)
    Replace control characters in http.server.BaseHTTPRequestHandler.log_message with an escaped \xHH sequence to avoid causing problems for the terminal the output is printed to.
    (cherry picked from commit d8ab0a4)
    Co-authored-by: Gregory P. Smith <[email protected]>
  * also escape \s (backport of PR #100038).
  * add versionadded and remove extraneous 'to'
  Co-authored-by: Gregory P. Smith <[email protected]>
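The commit above describes the mitigation (render control characters as \xHH escapes before a request line reaches stderr) without showing it. The following is an added illustration written for this page, not CPython's own log_message implementation: it builds the same kind of translation table, applies it to constructed request lines carrying an ANSI escape, a CRLF log-forgery attempt and a literal backslash, and formats a CLF-style entry. The log format, the sample addresses and the request lines are all made up for the example.

```python
import itertools

# Added example, not CPython's code: escape C0/C1 control characters and the
# backslash in an untrusted request line before it is written to a terminal or
# log file, so a path like "/\x1b[2J" cannot drive the terminal and "\r\n" cannot
# forge an extra log line.
_CONTROL_CHARS = itertools.chain(range(0x20), range(0x7F, 0xA0))
_ESCAPE_TABLE = {c: f"\\x{c:02x}" for c in _CONTROL_CHARS}
# A literal backslash in the input must stay distinguishable from an escape we added.
_ESCAPE_TABLE[ord("\\")] = "\\\\"


def escape_log_text(text: str) -> str:
    """Return text with control characters rendered as \\xHH escapes."""
    return text.translate(_ESCAPE_TABLE)


def format_request_log(client_addr: str, request_line: str, status: int) -> str:
    """Build a CLF-style entry (constructed format) from an untrusted request line."""
    return f'{client_addr} - - "{escape_log_text(request_line)}" {status}'


# Constructed sample request lines, as an attacker might send them.
SAMPLES = {
    "benign": "GET /index.html HTTP/1.1",
    "ansi": "GET /\x1b[2J\x1b[H HTTP/1.1",   # clears the terminal if printed raw
    "crlf": 'GET / HTTP/1.1\r\n127.0.0.1 - - "GET /fake HTTP/1.1" 200',  # log forgery
    "backslash": "GET /\\x1b[2J HTTP/1.1",   # a real backslash, not an escape sequence
}


def demo() -> dict:
    """Format every sample as a log entry; each result is a single printable line."""
    return {name: format_request_log("10.0.0.5", line, 404) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name:>9}: {entry}")
```

The escaped output is still parseable by log tooling because only bytes outside the printable range change; the backslash rule is what makes the encoding unambiguous, since without it an attacker could type the six characters `\x1b[2J` and have the log look exactly like an escaped ESC byte.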
Commits on Nov 21, 2022
- [3.8] gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module (GH-99373) (GH-99661)
  (cherry picked from commit 7b98207)
  Co-authored-by: Steve Dower <[email protected]>
Commits on Nov 10, 2022
- [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) (GH-99231)
  There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.
  (cherry picked from commit d315722)
  (cherry picked from commit a6f6c3a)
  Co-authored-by: Miss Islington (bot) <[email protected]>
  Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Oct 28, 2022
- [3.8] gh-98517: Fix buffer overflows in _sha3 module (GH-98519) (#98527)
  This is a port of the applicable part of XKCP's fix [1] for CVE-2022-37454 and avoids the segmentation fault and the infinite loop in the test cases published in [2].
  [1]: XKCP/XKCP@fdc6fef
  [2]: https://mouha.be/sha-3-buffer-overflow/
  Regression test added by: Gregory P. Smith [Google LLC] <[email protected]>
  (cherry picked from commit 0e4e058)
  Co-authored-by: Theo Buehler <[email protected]>
- [3.8] gh-98739: Update libexpat from 2.4.9 to 2.5.0 (GH-98742) (#98787)
  Update libexpat from 2.4.9 to 2.5.0 to address CVE-2022-43680.
  Co-authored-by: Shaun Walbridge <[email protected]>
  (cherry picked from commit 3e07f82)
Commits on Oct 11, 2022
- [3.8] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (#98192)
  gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
  (cherry picked from commit b9509ba)
  Co-authored-by: Petr Viktorin <[email protected]>
  Co-authored-by: Łukasz Langa <[email protected]>
- [3.8] gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717) (#98197)
  gh-96710: Make the test timing more lenient for the int/str DoS regression test. (GH-96717)
  A regression would still absolutely fail and even a flaky pass isn't harmful as it'd fail most of the time across our N system test runs. Windows has a low resolution timer and CI systems are prone to odd timing so this just gives more leeway to avoid flakiness.
  (cherry picked from commit 11e3548)
  Co-authored-by: Gregory P. Smith <[email protected]>
Commits on Oct 4, 2022
- [3.8] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877) (GH-97835)
  [3.9] gh-95778: Mention sys.set_int_max_str_digits() in error message (GH-96874) (GH-96877)
  When ValueError is raised if an integer is larger than the limit, mention sys.set_int_max_str_digits() in the error message.
  (cherry picked from commit e841ffc)
  Co-authored-by: Ned Deily <[email protected]>
  (cherry picked from commit 4118813)
  Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (GH-97575)
  Fix command line parsing: reject "-X int_max_str_digits" option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit.
  (cherry picked from commit 4135166)
  Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658)
  gh-96577: Fixes buffer overrun in _msi module (GH-96633)
  (cherry picked from commit 4114bcc)
  Co-authored-by: Steve Dower <[email protected]>
- [3.8] gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006) (gh-97013)
  gh-97005: Update libexpat from 2.4.7 to 2.4.9 (gh-97006)
  Co-authored-by: Gregory P. Smith [Google] <[email protected]>
  (cherry picked from commit 10e3d39)
  Co-authored-by: Dong-hee Na <[email protected]>
- [3.8] gh-97616: list_resize() checks for integer overflow (GH-97617) (GH-97628)
  gh-97616: list_resize() checks for integer overflow (GH-97617)
  Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size.
  Issue reported by Jordan Limor.
  list_resize() now checks for integer overflow before multiplying the new allocated length by the list item size (sizeof(PyObject*)).
  (cherry picked from commit a5f092f)
  Co-authored-by: Victor Stinner <[email protected]>
- [3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633)
  Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands.
  Issue reported and initial fix by Caleb Shortt.
  Remove the Windows code path to send "quit" on stdin to the "openssl s_client" command: use DEVNULL on all platforms instead.
  Co-authored-by: Caleb Shortt <[email protected]>
  (cherry picked from commit 83a0f44)
  Co-authored-by: Victor Stinner <[email protected]>
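The bug class named in the commit above (a host string spliced into a shell command line) is easy to reproduce without a network. The block below is an added example for this page and is not the get-remote-certificate.py script: a Python one-liner that prints its first argument stands in for "openssl s_client", MALICIOUS_HOST is a constructed attacker value, and the two functions contrast the shell=True pattern with the argv-list pattern the fix adopts, including stdin=DEVNULL in place of writing "quit" to the child.

```python
import subprocess
import sys

# Added example, not the CPython script. A one-liner that echoes argv[1] stands
# in for "openssl s_client -connect host:port" so the demonstration runs offline.
ECHO_ARGV = "import sys; print(sys.argv[1])"


def run_with_shell(host: str, port: int) -> str:
    """Vulnerable pattern: host is interpolated into a string that /bin/sh parses.

    A ';' in host ends the intended command and starts a second one.
    """
    cmd = f'"{sys.executable}" -c "{ECHO_ARGV}" {host}:{port}'
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def run_with_argv(host: str, port: int) -> str:
    """Fixed pattern: an argv list, no shell, and DEVNULL on stdin for every platform.

    Whatever host contains, it reaches the child as exactly one argument.
    """
    proc = subprocess.run([sys.executable, "-c", ECHO_ARGV, f"{host}:{port}"],
                          capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return proc.stdout


# Constructed attacker input: a "hostname" that terminates the command and appends another.
MALICIOUS_HOST = "example.com; echo INJECTED"


def demo() -> dict:
    """Run the same hostile host through both patterns and return what each child printed."""
    return {
        "shell": run_with_shell(MALICIOUS_HOST, 443),
        "argv": run_with_argv(MALICIOUS_HOST, 443),
    }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"--- {name} ---\n{output}", end="")
```

With the shell, the output shows two commands ran: the echo of "example.com" and then "INJECTED:443" from the appended command. With the argv list the child prints the whole string "example.com; echo INJECTED:443" as its single argument, so the payload is inert. On a POSIX system shell=True hands the string to /bin/sh, which is where the ';' is interpreted; quoting the interpolated value is a weaker fix than not using a shell at all.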
Commits on Sep 11, 2022
- [3.8] Update bugs URL references in README and Docs/bugs.rst from bpo to gh issues (GH-96728)
  Co-authored-by: roy reznik <[email protected]>
  Co-authored-by: Inada Naoki <[email protected]>
  Co-authored-by: Ezio Melotti <[email protected]>
Commits on Sep 5, 2022
- [3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96503)
  * Correctly pre-check for int-to-str conversion

    Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DoS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

    The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

    The justification for the current check. The C code check is:

    ```c
    max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
    ```

    In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:

    $$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

    From this it follows that

    $$\frac{M}{3L} < \frac{s-1}{10}$$

    hence that

    $$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$

    So

    $$2^{L(s-1)} > 10^M.$$

    But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

  * Issue: gh-95778

  Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
  Co-authored-by: Christian Heimes <[email protected]>
  Co-authored-by: Mark Dickinson <[email protected]>
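The CVE-2020-10735 commit above, together with the two earlier gh-95778 commits (the error message that names sys.set_int_max_str_digits(), and the -X int_max_str_digits parsing fix), describes a limit that is easier to understand by exercising it. The block below is an added example written for this page, not CPython's test suite: it checks which digit counts convert in each direction under the default and under temporary limits, confirms that the ValueError names the knob to raise the limit, and shows that hexadecimal conversion is outside the cap. The digit counts and the int_from_untrusted wrapper are chosen for the illustration; LIMIT_SUPPORTED is a guard for interpreters older than the fix.

```python
import sys

# Added example, not CPython's own code. int<->str conversion in a base that is not
# a power of two is quadratic in the digit count, so the fix caps the number of
# decimal digits (4300 by default) that a single conversion may involve. The
# interpreter exposes the cap through sys.set_int_max_str_digits(); it can also be
# set with -X int_max_str_digits=N or the PYTHONINTMAXSTRDIGITS environment variable.
LIMIT_SUPPORTED = hasattr(sys, "set_int_max_str_digits")


def int_from_untrusted(text: str) -> int:
    """Parse a decimal string as a JSON or form handler might; int() enforces the cap."""
    return int(text)


def parse_outcomes(digit_counts) -> dict:
    """Map each digit count to 'ok' or 'ValueError' for str -> int under the current limit."""
    results = {}
    for n in digit_counts:
        try:
            int_from_untrusted("9" * n)      # constructed input: the largest n-digit value
            results[n] = "ok"
        except ValueError:
            results[n] = "ValueError"
    return results


def str_conversion_outcomes(digit_counts) -> dict:
    """Same check for int -> str: render the largest n-digit integer in decimal."""
    results = {}
    for n in digit_counts:
        try:
            results[n] = "ok" if len(str(10 ** n - 1)) == n else "short"
        except ValueError:
            results[n] = "ValueError"
    return results


def limit_error_message(n: int):
    """Return the ValueError text for an n-digit decimal parse, or None if it succeeded."""
    try:
        int_from_untrusted("1" * n)
    except ValueError as exc:
        return str(exc)
    return None


def hex_is_unlimited(n: int) -> bool:
    """Power-of-two bases are linear and are not capped: hex() of a huge value works."""
    return len(hex(10 ** n)) > n // 2     # a decimal n-digit value needs more than n/2 hex digits


def with_limit(limit: int, func, *args):
    """Call func under a temporary limit (0 disables the check), then restore the old one."""
    if not LIMIT_SUPPORTED:
        return func(*args)
    previous = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(limit)
    try:
        return func(*args)
    finally:
        sys.set_int_max_str_digits(previous)


if __name__ == "__main__":
    print("default limit:", sys.get_int_max_str_digits() if LIMIT_SUPPORTED else "none")
    print("parse  :", with_limit(4300, parse_outcomes, [4300, 4301, 100_000]))
    print("str    :", with_limit(4300, str_conversion_outcomes, [4300, 4301]))
    print("message:", with_limit(4300, limit_error_message, 4301))
    print("no cap :", with_limit(0, parse_outcomes, [100_000]))
    print("hex ok :", hex_is_unlimited(100_000))
```

Two details matter for code that handles untrusted numerics. The limit is inclusive, so a 4300-digit string parses and a 4301-digit one raises, which is why the tests pin both sides of the boundary. And the smallest limit the interpreter accepts is 640 digits (the value in sys.int_info.str_digits_check_threshold), so a service that wants a tighter bound than that must check len(text) itself before calling int().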