gh-145633: Fix struct.pack('f') on s390x (GH-146422)
Use PyFloat_Pack4() to raise OverflowError.
Add more tests on packing/unpacking floats.
(cherry picked from commit 8de70b31c5)
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
gh-138573: Filter out failing math tests on Solaris (GH-146402)
(cherry picked from commit 8e1469c952)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
gh-146358: Fix warnings.catch_warnings on Free Threading (GH-146374)
catch_warnings now also overrides warnings.showwarning() on Free
Threading to support custom warnings.showwarning().
(cherry picked from commit 0055140b2c)
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-146202: Create tmp_dir in regrtest worker (GH-146347)
Create tmp_dir in libregrtest.worker since the directory can be
different than the --tempdir directory.
(cherry picked from commit bcff99cb3f)
Co-authored-by: Victor Stinner <vstinner@python.org>
Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc)
no longer ignores excess data after the first padded quad in non-strict
(default) mode. Instead, in conformance with RFC 4648, it ignores the
pad character, "=", if it is present before the end of the encoded data.
(cherry picked from commit 4561f6418a)
Add tests for corner cases: NULL pointers and out of range values.
(cherry picked from commit ab47892c32)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-145754: Update signature retrieval in unittest.mock to use forwardref annotation format (GH-145756)
(cherry picked from commit d357a7dbf3)
Co-authored-by: Matthias Schoettle <git@mattsch.com>
* Add the c_init_default attribute which is used to initialize the C variable
if the default is not explicitly provided.
* Add the c_default_init() method which is used to derive c_default from
default if c_default is not explicitly provided.
* Explicit c_default and py_default are now almost always have precedence
over the generated value.
* Add support for bytes literals as default values.
* Improve support for str literals as default values (support non-ASCII
and non-printable characters and special characters like backslash or quotes).
* Fix support for str and bytes literals containing trigraphs, "/*" and "*/".
* Improve support for default values in converters "char" and "int(accept={str})".
* Converter "int(accept={str})" now requires 1-character string instead of
integer as default value.
* Add support for non-None default values in converter "Py_buffer": NULL,
str and bytes literals.
* Improve error handling for invalid default values.
* Rename Null to NullType for consistency.
(cherry picked from commit 99e2c5eccd)
The test doesn't actually test any pyrepl code (it runs Python with -S)
and has a race condition that causes intermittent timeouts on CI.
(cherry picked from commit e18abc6a1f)
Co-authored-by: Sam Gross <colesbury@gmail.com>
gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600)
Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.
(cherry picked from commit 57e88c1cf9)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
gh-140814: Fix freeze_support() setting start method as side effect (GH-144608)
freeze_support() called get_start_method() without allow_none=True,
which locked in the default start method context. This caused a
subsequent set_start_method() call to raise "context has already been
set". Use allow_none=True and accept None as a matching value, since
spawn.freeze_support() independently detects spawned child processes.
Test that freeze_support() does not lock in the default start method,
which would prevent a subsequent set_start_method() call.
(cherry picked from commit ee5318025b)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)
Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.
---------
(cherry picked from commit eb0e8be3a7)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
gh-140594: Fix an out of bounds read when feeding NUL byte to PyOS_StdioReadline() (GH-140910)
(cherry picked from commit 86a0756234)
Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 2d35f9bc1c)
Includes test fix-up from GH-145788
(cherry picked from commit aa4240ebea)
Co-authored-by: Thomas Kowalski <thom.kowa@gmail.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
gh-145607: Ensure BIG_DATA has two compressed blocks in test_bz2 (GH-145730)
(cherry picked from commit 19676e5fc2)
Co-authored-by: Emma Smith <emma@emmatyping.dev>
gh-144173: fix flaky test_complex.test_truediv() (GH-144355)
Previously, component-wise relative error bound was tested. However,
such bound can't exist already for complex multiplication as one can be
used to perform subtraction of floating-point numbers, e.g. x and y for
z0=1+1j and z1=x+yj.
```pycon
>>> x, y = 1e-9+1j, 1+1j
>>> a = x*y*y.conjugate()/2;a
(1.0000000272292198e-09+1j)
>>> b = x*(y*y.conjugate()/2);b
(1e-09+1j)
>>> b == x
True
>>> (a.real-b.real)/math.ulp(b.real)
131672427.0
```
(cherry picked from commit c4333a1270)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Only set the format attribute after successful (re-)initialization.
(cherry picked from commit 3f33bf83e8)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 63eaaf9599)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
* Add `:oss-fuzz:` supports
Backports part of 255e79fa95.
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
gh-145548: Use VMADDR_CID_LOCAL in VSOCK socket tests (GH-145589)
Prefer VMADDR_CID_LOCAL instead of VMADDR_CID_ANY for bind() in the
server. Skip the test if bind() fails with EADDRNOTAVAIL.
Log vsock CID in test.pythoninfo.
(cherry picked from commit 6c8c72f7fe)
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (GH-144371)
Disallow usage of control characters in status in wsgiref.handlers
to prevent HTTP header injections.
(cherry picked from commit d931725bc8)
Co-authored-by: Benedikt Johannes <benedikt.johannes.hofer@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Adds _PYLAUNCHER_INIDIR as a private variable since the launcher is deprecated and not getting new features.
(cherry picked from commit 6cdbd7bc5d)
Co-authored-by: Itamar Oren <itamarost@gmail.com>
gh-145557: Check ctypes is available in test_external_inspection (GH-145558)
Currently TestGetStackTrace.test_self_trace_after_ctypes_import() will fail if
the _ctypes extension is not built. Make it match test_ctypes by skipping
the test in that case.
(cherry picked from commit 7232883adf)
Co-authored-by: Alex Malyshev <lex.malyshev@gmail.com>
