Fix a flaky test introduced in 13dc2fde8c.
After a single HTTP/0.9 request, both client and server are expected to
close the connection on their side. In particular, if a client sends two
requests with the same connection, only the first one should be handled.
In the tests, it might happen that checking for the second request to be
ignored did not take into account that the server may have already closed
the connection. This flaky behavior was first observed on macOS CI workers
but could not be reproduced locally on a Linux machine.
* Modules/pyexpat.c: Disallow collection of in-use parent parsers.
Within libexpat, a parser created via `XML_ExternalEntityParserCreate`
is relying on its parent parser throughout its entire lifetime.
Prior to this fix, it was possible for the parent parser to be
garbage-collected too early.
Currently, Fedora 42 uses a custom Linux Kernel 6.16.9 that backported an upstream change
from 6.17-rc7 [1,3] but not its subsequent fix [2]. Until the issue is resolved upstream,
we skip the failing test `test_socket.test_aead_aes_gcm` for kernel versions between 6.16
and 6.17.x.
[1] 1b34cbbf4f
[2] d0ca0df179.
[3] 45bcf60fe4
* Fix potential infinite recursion.
* Fix a bug when reference can cross boundaries of substitutions, e.g.
a=$(
b=$(a)a)
* Fix potential quadratic complexity.
* Fix KeyError for undefined CFLAGS, LDFLAGS, or CPPFLAGS.
* Fix infinite recursion when keep_unresolved=False.
* Unify behavior with keep_unresolved=False for bogus $ occurred before
and after variable references.
Replace hardcoded 5 seconds with support.SHORT_TIMEOUT.
Fix the following error on slow CI such as GitHub Action UBSan:
test test_pyrepl failed -- Traceback (most recent call last):
File "Lib/test/test_pyrepl/test_unix_console.py", line 362, in test_repl_eio
_, err = proc.communicate(timeout=5) # sleep for pty to settle
~~~~~~~~~~~~~~~~^^^^^^^^^^^
File "Lib/subprocess.py", line 1219, in communicate
stdout, stderr = self._communicate(input, endtime, timeout)
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "Lib/subprocess.py", line 2126, in _communicate
self._check_timeout(endtime, orig_timeout, stdout, stderr)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "Lib/subprocess.py", line 1266, in _check_timeout
raise TimeoutExpired(
...<2 lines>...
stderr=b''.join(stderr_seq) if stderr_seq else None)
subprocess.TimeoutExpired: Command '[...]' timed out after 5 seconds
The last remaining set of tests to split out that are focused on one
specific implementation portion (`bufferedio.c`).
test_io.test_general is now largely tests around `io.open` and module
properties (ex. pickling, class hierarchy, module members, etc).
This closes #138013.
gh-138013: Split TextIO tests from test_general
These tests take 1.3 seconds on my dev machine, match fairly closely
with testing `textio.c` implementation only.
Passing a negative or zero size to `cursor.fetchmany()` made it fetch all rows
instead of none.
While this could be considered a security vulnerability, it was decided to treat
this issue as a regular bug as passing a non-sanitized *size* value in the first
place is not recommended.
Expose the XML Expat 2.7.2 APIs to tune protections against
"billion laughs" [1] attacks.
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetBillionLaughsAttackProtectionActivationThreshold(threshold)`, and
- `parser.SetBillionLaughsAttackProtectionMaximumAmplification(max_factor)`.
This completes the work in f04bea44c3,
and improves the existing related documentation.
[1]: https://en.wikipedia.org/wiki/Billion_laughs_attack
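
The two setters named above, exercised against a constructed document, as an added example that is not part of the commit or of CPython's own code. The helper names `harden` and `parse`, the `getattr` guard for interpreters that do not expose the setters, and the limits 1024 bytes and 2.0 are assumptions chosen for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: three levels of ten-fold entity nesting (1000 x "lol").
NESTED = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE r [\n'
    ' <!ENTITY a "lol">\n'
    ' <!ENTITY b "' + "&a;" * 10 + '">\n'
    ' <!ENTITY c "' + "&b;" * 10 + '">\n'
    ' <!ENTITY d "' + "&c;" * 10 + '">\n'
    ']>\n'
    '<r>&d;</r>'
)
# Constructed sample: the same 3000 characters written out with no entities.
BENIGN = "<r>" + "lol" * 1000 + "</r>"


def harden(parser, threshold=1024, max_factor=2.0):
    """Apply both limits if this build exposes the setters; return True if applied."""
    set_threshold = getattr(
        parser, "SetBillionLaughsAttackProtectionActivationThreshold", None)
    set_factor = getattr(
        parser, "SetBillionLaughsAttackProtectionMaximumAmplification", None)
    if set_threshold is None or set_factor is None:
        return False  # assumption: older build, Expat's built-in defaults stay in force
    set_threshold(threshold)   # bytes of output before the factor is checked
    set_factor(max_factor)     # tolerated ratio of total output to direct input
    return True


def parse(document, tune=True):
    """Return (tuned, status, detail) for one document on a fresh parser."""
    parser = expat.ParserCreate()
    tuned = harden(parser) if tune else False
    chunks = []
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        return tuned, "rejected", expat.ErrorString(exc.code)
    return tuned, "ok", sum(len(c) for c in chunks)


if __name__ == "__main__":
    for name, doc in (("nested", NESTED), ("benign", BENIGN)):
        print(name, parse(doc))
```

The benign document is larger than the threshold but has an amplification of 1.0, so it parses under the tightened limits; only the entity-nested document is affected.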
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.