Fix a compiler warning in _randommodule.c (GH-141058)
The test just before the cast ensures that the cast cannot overflow.
Fix the warning on 32-bit Windows:
Modules\_randommodule.c(525,28): warning C4244: '=': conversion
from 'uint64_t' to 'Py_ssize_t', possible loss of data
(cherry picked from commit 4ac16dd109)
Co-authored-by: Victor Stinner <vstinner@python.org>
Clarify that:
- it takes parsing for an attack
- that some doors are closed by default
- only Expat version 2.7.2 has all the fixes
- use of the bundle depends on configuration
(cherry picked from commit baa9f33897)
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
gh-140815: Fix faulthandler for invalid/freed frame (#140921)
faulthandler now detects if a frame or a code object is invalid or
freed.
Add helper functions:
* _PyCode_SafeAddr2Line()
* _PyFrame_SafeGetCode()
* _PyFrame_SafeGetLasti()
_PyMem_IsPtrFreed() now detects pointers in [-0xff, 0xff] range
as freed.
(cherry picked from commit a84181c31b)
Co-authored-by: Jan-Eric Nitschke <47750513+JanEricNitschke@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Update selected RFC 2822 references to RFC 5322
RFC 2822 was obsoleted by RFC 5322 in 2008. This updates references
to use the current standard in documentation, docstrings, and comments.
It preserves RFC 2822 references in legacy API components to maintain their
historical context.
RFC 822 → RFC 2822 → RFC 5322 progression is explained where relevant.
In some places specific sections of the RFC are referenced where it seems helpful.
Scout rule was applied in some places and RFC mentions format was
normalized in doc strings and comments.
(cherry picked from commit ce1bb85d28)
Docs: Fix typo in `email.headerregistry.rst` (GH-140965)
Fix missing 'Header' suffix on header class name in `email.headerregistry.rst`
(cherry picked from commit 97d8dda980)
Co-authored-by: Guo Ci <zguoci@gmail.com>
Document that returning `sys.monitoring.DISABLE` in response to a global event raises `ValueError` (GH-140726)
(cherry picked from commit 8a7dbb7a68)
Co-authored-by: Brett Cannon <brett@python.org>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
It was too lenient and allowed MARK opcodes with too large a value.
(cherry picked from commit 1326d2a808)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
[3.13] gh-135307: Fix email error when policy max_line_length is set to 0 or None (GH-135367)
(cherry picked from commit 6d45cd8dbb)
Co-authored-by: Jiucheng(Oliver) <git.jiucheng@gmail.com>
RDM: Like the change made in an earlier PR to the folder, we can/must use 'maxlen' as a stand-in for 'unlimited' when computing line lengths when max_line_length is 0 or None; otherwise the computation results in a traceback.
* gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (#139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea44c3)
(cherry picked from commit 68a1778b77)
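One way to apply the two setters named above when parsing untrusted XML, as an added example that is not part of the commit or of CPython's own code. The limit values, the helper names `harden_parser` and `parse_untrusted`, and the sample document are assumptions made for illustration; the `getattr` guard covers interpreters that do not expose the methods.

```python
import xml.parsers.expat as expat

# Illustrative limits chosen for this example; they are not values from the commit.
ACTIVATION_THRESHOLD = 1024 * 1024  # allocated bytes needed before the protection activates
MAX_AMPLIFICATION = 100.0           # maximum allocation amplification factor

# Constructed sample input.
SAMPLE_XML = b"<inventory><item id='1'>disk</item><item id='2'>nic</item></inventory>"


def harden_parser(parser, threshold=ACTIVATION_THRESHOLD, max_factor=MAX_AMPLIFICATION):
    """Apply the allocation-tracker limits; return True if this build exposes them."""
    set_threshold = getattr(parser, "SetAllocTrackerActivationThreshold", None)
    set_factor = getattr(parser, "SetAllocTrackerMaximumAmplification", None)
    if set_threshold is None or set_factor is None:
        return False  # caller should log this: the parser runs with library defaults
    set_threshold(threshold)
    set_factor(max_factor)
    return True


def parse_untrusted(data):
    """Parse data with a hardened parser. Returns (hardened, start_tags, error)."""
    parser = expat.ParserCreate()
    hardened = harden_parser(parser)
    tags = []
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Report the failure as data so one bad document does not stop a batch.
        return hardened, tags, expat.ErrorString(exc.code)
    return hardened, tags, None


if __name__ == "__main__":
    hardened, tags, error = parse_untrusted(SAMPLE_XML)
    print("limits applied:", hardened, "tags:", tags, "error:", error)
```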
* the "plaintext" element
* the RAWTEXT elements "xmp", "iframe", "noembed" and "noframes"
* optionally RAWTEXT (if scripting=True) element "noscript"
(cherry picked from commit a17c57eee5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-140082: Forward colorizing from libregrtest to unittest (GH-140083)
libregrtest redirects test output to a file as part of its operation.
When `unittest` checks to see if it should colorize with
`isatty(sys.stdout)`, that fails, resulting in no colorizing of the
unittest output.
Update `libregrtest` to set `FORCE_COLOR=1` when redirecting test output
so that unittest will do color printing.
(cherry picked from commit 6ff62ac4fb)
Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-140702: Log color and GHA env vars in test.pythoninfo (GH-140747)
(cherry picked from commit 376559bf54)
Co-authored-by: Victor Stinner <vstinner@python.org>
* [3.13] gh-140607: Validate returned byte count in RawIOBase.read (GH-140611)
While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362768)
Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Victor Stinner <vstinner@python.org>
* fixup: Use older attribute name
---------
Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-140657: Don't rerun test_import single phase init test (GH-140712)
test_basic_multiple_interpreters_main_no_reset() leaks memory:
import_in_subinterp() is called with postcleanup=False.
(cherry picked from commit c6d4c79c9a)
Co-authored-by: Victor Stinner <vstinner@python.org>
Py_RETURN_NONE, Py_RETURN_TRUE and Py_RETURN_FALSE have already been
fixed by commit 9258f3da91 (issue gh-134989).
(cherry picked from commit c636477523)
[3.13] gh-140593: Fix a memory leak in function `my_ElementDeclHandler` of `pyexpat` (GH-140602)
Ensure that the memory allocated for the content model
passed to `my_ElementDeclHandler` is freed in all error
paths.
(cherry picked from commit e34a5e3304)
Standardize translation of `Doc/bugs.rst` (GH-137449)
(cherry picked from commit 869bb6948e)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>