gh-142006: Fix HeaderWriteError in email.policy.default caused by extra newline (GH-142008)
RDM: This fixes a subtle folding error that showed up when a token exactly filled a line and was followed by whitespace and a token with no folding whitespace that was longer than a line. In this particular circumstance the whitespace after the first token got pushed on to the next line, and then stolen to go in front of the next unfoldable token...leaving a completely empty line in the line buffer. That line got turned in to a newline, which is RFC illegal, and the newish security check caught it. The fix is to just delete that empty line from the buffer.
(cherry picked from commit 07eff899d8)
Co-authored-by: Paresh Joshi <rahulj9223@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
The previous test_spawn_doesnt_hang test had a few problems:
* It would cause ENV CHANGED failures if other tests were running
concurrently due to stty changes
* Typing while the test was running could cause it to fail
(cherry picked from commit c0c65141b3)
Co-authored-by: Sam Gross <colesbury@gmail.com>
[3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216)
The CGI server on Windows could consume the amount of memory specified
in the Content-Length header of the request even if the client does not
send such much data. Now it reads the POST request body by chunks,
therefore the memory consumption is proportional to the amount of sent
data.
(cherry picked from commit 0e4f4f1a46)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
gh-142145: Remove quadratic behavior in node ID cache clearing (GH-142146)
* Remove quadratic behavior in node ID cache clearing
* Add news fragment
---------
(cherry picked from commit 08d8e18ad8)
Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Jacob Walls <38668450+jacobtylerwalls@users.noreply.github.com>
gh-119451: Fix a potential denial of service in http.client (GH-119454)
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
(cherry picked from commit 5a4c4a033a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
[3.14] gh-142206: multiprocessing.resource_tracker: Decode messages using older protocol (GH-142215) (GH-142285)
(cherry picked from commit 4172644d78)
Difference from the original commit: the default in 3.14 is to use
the simpler original protocol (except for filenames with newlines).
(cherry picked from commit f130b06da3)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
gh-129483: Make `TestLocalTimeDisambiguation`'s time format locale independent (GH-142193)
* Change to update %c to the exact time format.
---------
(cherry picked from commit 8392095bf9)
Co-authored-by: Kir Chou <148194051+gkirchou@users.noreply.github.com>
Co-authored-by: Kir Chou <note351@hotmail.com>
This fixes a regression introduced in gh-140558. The interpreter would
crash if we inserted a non `str` key into a split table that matches an
existing key.
(cherry picked from commit 547d8daf78)
Revert "[3.13] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) (GH-142130)"
This reverts commit 6c922bbe28.
* [3.13] gh-59000: Fix pdb breakpoint resolution for class methods when module not imported (GH-141949)
(cherry picked from commit 5e58548ebe)
Co-authored-by: LloydZ <35182391+cocolato@users.noreply.github.com>
Reading a specially prepared small Plist file could cause OOM because file's
read(n) preallocates a bytes object for reading the specified amount of
data. Now plistlib reads large data by chunks, therefore the upper limit of
consumed memory is proportional to the size of the input file.
(cherry picked from commit 694922cf40)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
The CGI server on Windows could consume the amount of memory specified
in the Content-Length header of the request even if the client does not
send such much data. Now it reads the POST request body by chunks,
so that the memory consumption is proportional to the amount of sent
data.
(cherry picked from commit 29c657a1f2)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-74389: gh-70560: subprocess.Popen.communicate() now ignores stdin.flush error when closed (GH-142061)
gh-70560: gh-74389: subprocess.Popen.communicate() now ignores stdin.flush error when closed
with a unittest and news entry.
(cherry picked from commit 923056b2d4)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
gh-87512: Fix `subprocess` using `timeout=` on Windows blocking with a large `input=` (GH-142058)
On Windows, Popen._communicate() previously wrote to stdin synchronously, which could block indefinitely if the subprocess didn't consume input= quickly and the pipe buffer filled up. The timeout= parameter was only checked when joining the reader threads, not during the stdin write.
This change moves the Windows stdin writing to a background thread (similar to how stdout/stderr are read in threads), allowing the timeout to be properly enforced. If timeout expires, TimeoutExpired is raised promptly and the writer thread continues in the background. Subsequent calls to communicate() will join the existing writer thread.
Adds test_communicate_timeout_large_input to verify that TimeoutExpired is raised promptly when communicate() is called with large input and a timeout, even when the subprocess doesn't consume stdin quickly.
This test already passed on POSIX (where select() is used) but failed on Windows where the stdin write blocks without checking the timeout.
(cherry picked from commit 5b1862bdd8)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* gh-141473: Fix subprocess.Popen.communicate to send input to stdin upon a subsequent post-timeout call (GH-141477)
* gh-141473: Fix subprocess.Popen.communicate to send input to stdin
* Docs: Clarify that `input` is one time only on `communicate()`
* NEWS entry
* Add a regression test.
---------
(cherry picked from commit 526d7a8bb4)
Co-authored-by: Artur Jamro <artur.jamro@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
* no assertStartsWith
---------
Co-authored-by: Artur Jamro <artur.jamro@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
GH-134453: Fix subprocess memoryview input handling on POSIX (GH-134949)
Fix inconsistent subprocess.Popen.communicate() behavior between Windows
and POSIX when using memoryview objects with non-byte elements as input.
On POSIX systems, the code was incorrectly comparing bytes written against
element count instead of byte count, causing data truncation for large
inputs with non-byte element types.
Changes:
- Cast memoryview inputs to byte view when input is already a memoryview
- Fix progress tracking to use len(input_view) instead of len(self._input)
- Add comprehensive test coverage for memoryview inputs
🤖 Generated with [Claude Code](https://claude.ai/code)
* old-man-yells-at-ReST
* Update 2025-05-30-18-37-44.gh-issue-134453.kxkA-o.rst
* assertIsNone review feedback
* fix memoryview_nonbytes test to fail without our fix on main, and have a nicer error.
Thanks to Peter Bierma @ZeroIntensity for the code review.
(cherry picked from commit cc6bc4c97f)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
gh-141907: Better handle support for SHA3 for test_hashlib (GH-141908)
* test_hashlib: better handle support for SHA3
It's possible that the SSL library supports only SHA3 algo and doesn't
have SHAKE one.
The current test wrongly detect this and set both HASH and HASHXOF to
None expecting to have the extra SHA3 attributes present but this should
only be true for SHAKE algo.
To better handle this, move the HASH condition to a dedicated try-expect
condition and check if HASHXOF is None in the relevant code effectively
checking if SHA3 is supported by the SSL library but SHAKE algo needs to
use the sha3module one.
---------
(cherry picked from commit fee7782650)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Co-authored-by: Christian Marangi <ansuelsmth@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Most of the `self.assertTrue(self.called)` checks are flaky because
the worker threads may sometimes finish before the main thread calls
`self.during_threads()`.
(cherry picked from commit 71126ab19c)
Co-authored-by: Sam Gross <colesbury@gmail.com>
gh-135335: Simplify preload regression test using __main__ (GH-138686)
Simplify preload regression test using `__main__`
With the fix for gh-126631 `__main__` modules can be preloaded and the regression
test for gh-135335 can be simplified to just use a self-contained script rather
than requiring a module.
Note this assumes and implicitly tests that `__main__` is preloaded by default.
(cherry picked from commit 425f24e4fa)
Co-authored-by: Duane Griffin <duaneg@dghda.com>
If we overflowed the global version counter (i.e., after 2*24 calls to
`_PyMonitoring_SetEvents`), we bailed out after setting global monitoring
events but before instrumenting code objects, which led to assertion errors
later on.
Also add a `time.sleep()` to `test_free_threading.test_monitoring` to avoid
overflowing the global version counter.
(cherry picked from commit e457d60daa)
gh-98552: Revert (unneeded, already done elsewhere) "flush std streams in the multiprocessing forkserver before fork (GH-141849)" (GH-141871)
Revert (unneeded, already done elsewhere) "gh-98552: flush std streams in the multiprocessing forkserver before fork (GH-141849)"
This reverts commit 58badb1711.
(cherry picked from commit 614a28b3da)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
gh-98552: flush std streams in the multiprocessing forkserver before fork (GH-141849)
* flush std streams in the multiprocessing forkserver before fork
* NEWS
(cherry picked from commit 58badb1711)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
The 5th element of the __reduce__ tuple should be an iterator.
(cherry picked from commit 41b9ad5b38)
Co-authored-by: Arseny Boykov <36469655+Bobronium@users.noreply.github.com>
gh-141570: can_colorize: Expect fileno() to raise OSError, as documented (#141716)
In Fedora, we've been given a slightly incomplete reproducer for a problematic
Python 3.14 color-related change in argparse that leads to an exception when
Python is used from mod_wsgi: https://bugzilla.redhat.com/2414940
mod_wsgi replaces sys.stdout with a custom object that raises OSError on .fileno():
8460dbfcd5/src/server/wsgi_logger.c (L434-L440)
This should be supported, as the documentation of fileno explicitly says:
> An OSError is raised if the IO object does not use a file descriptor.
https://docs.python.org/3.14/library/io.html#io.IOBase.fileno
The previously expected exception inherits from OSError,
so it is still expected.
Fixes https://github.com/python/cpython/issues/141570
(cherry picked from commit 96f496a949)
Co-authored-by: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: Cody Maloney <cmaloney@users.noreply.github.com>
gh-140938: Raise ValueError for infinite inputs to stdev/pstdev (GH-141531)
Raise ValueError for infinite inputs to stdev/pstdev
---
(cherry picked from commit f0a8bc737a)
Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
