Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33897)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
gh-141007: update string module source code link (GH-141008)
In 3.14, the former string.py became `__init__.py` within a new `string` directory that also contains a new submodule file, `templatelib.py`.
(cherry picked from commit fa02422918)
Co-authored-by: alex <30386655+alexomics@users.noreply.github.com>
Update selected RFC 2822 references to RFC 5322
RFC 2822 was obsoleted by RFC 5322 in 2008. This updates references
to use the current standard in documentation, docstrings, and comments.
It preserves RFC 2822 references in legacy API components to maintain their
historical context.
The RFC 822 → RFC 2822 → RFC 5322 progression is explained where relevant.
In some places specific sections of the RFC are referenced where it seems helpful.
The Scout rule was applied in some places and the format of RFC mentions was
normalized in docstrings and comments.
(cherry picked from commit ce1bb85d28)
Docs: Fix typo in `email.headerregistry.rst` (GH-140965)
Fix missing 'Header' suffix on header class name in `email.headerregistry.rst`
(cherry picked from commit 97d8dda980)
Co-authored-by: Guo Ci <zguoci@gmail.com>
Document that returning `sys.monitoring.DISABLE` in response to a global event raises `ValueError` (GH-140726)
(cherry picked from commit 8a7dbb7a68)
Co-authored-by: Brett Cannon <brett@python.org>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
* [3.14] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea44c3)
(cherry picked from commit 68a1778b77)
* the "plaintext" element
* the RAWTEXT elements "xmp", "iframe", "noembed" and "noframes"
* optionally RAWTEXT (if scripting=True) element "noscript"
(cherry picked from commit a17c57eee5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-138774: use `value` to `ast.unparse` code when `str` is `None` in `ast.Interpolation` (GH-139415)
(cherry picked from commit 4d0849426f)
Co-authored-by: George Ogden <38294960+George-Ogden@users.noreply.github.com>
* Link to compression setting constants from compression functions
* De-duplicate descriptions of the constants
(cherry picked from commit 091e8513bb)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-138764: annotationlib: Make `call_annotate_function` fallback to using `VALUE` annotations if both the requested format and `VALUE_WITH_FAKE_GLOBALS` are not implemented (GH-138803)
(cherry picked from commit 95c257e2e6)
Co-authored-by: David Ellis <ducksual@gmail.com>
[Docs] Add missing note about Required/NotRequired/ReadOnly in get_type_hints() (GH-139565)
(cherry picked from commit a752f58d6b)
Co-authored-by: Sam Bull <git@sambull.org>
Use multiple signatures for clarity.
Explain different forms of bgcolor() in detail.
Fix outdated docstrings.
(cherry picked from commit 525dcfe523)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-101100: Document `zlib` public constants to fix reference warnings (GH-139835)
(cherry picked from commit c7f1da97eb)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
The csv.register_dialect() docstring no longer implies that it returns a dialect.
All functions now have signatures.
(cherry picked from commit aa1dbd4dde)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: maurycy <5383+maurycy@users.noreply.github.com>
Passing a negative or zero size to `cursor.fetchmany()` made it fetch all rows
instead of none.
While this could be considered a security vulnerability, it was decided to treat
this issue as a regular bug as passing a non-sanitized *size* value in the first
place is not recommended.
(cherry picked from commit bc172ee830)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
gh-136520: Clarify docs for _pack_ & _align_ (GH-137036)
Move docs to the reference section & reduce the “tutorial” part to a quick intro & link.
Clarify what values are accepted.
Add macro/attribute equivalents.
Discourage _align_ values that aren't powers of two.
(cherry picked from commit 8943bb722f)
Co-authored-by: Petr Viktorin <encukou@gmail.com>