gh-146333: Fix quadratic regex backtracking in configparser option parsing (GH-146399)
Use negative lookahead in option regex to prevent backtracking, and to avoid changing logic outside the regexes (since people could use the regex directly).
(cherry picked from commit 7e0a0be409)
Co-authored-by: Joshua Swanson <22283299+joshuaswanson@users.noreply.github.com>
gh-145105: Fix crash in csv.reader with re-entrant iterator (GH-145106)
When a custom iterator calls next() on the same csv.reader from
within __next__, the inner iteration sets self->fields to NULL.
The outer iteration then crashes in parse_save_field() by passing
NULL to PyList_Append.
Add a guard after PyIter_Next() to detect that fields was set to
NULL by a re-entrant call, and raise csv.Error instead of crashing.
(cherry picked from commit 20994b1809)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
gh-148284: Block inlining of gigantic functions in ceval.c for clang 22 (GH-148334)
(cherry picked from commit e007631e99)
Co-authored-by: Ken Jin <kenjin@python.org>
Co-authored-by: Victor Stinner <vstinner@python.org>
decoded[:-1] only strips one character, leaving a stray \r when eol
is two characters. Fix: decoded[:-len(eol)].
(cherry picked from commit 1a0edb1fa8)
Co-authored-by: Stefan Zetzsche <120379523+stefanzetzsche@users.noreply.github.com>
gh-148091: clarify asyncio.Future.cancel(msg) behaviour (GH-148248)
(cherry picked from commit 2acb8d9257)
Co-authored-by: Manoj K M <136242596+manoj-k-m@users.noreply.github.com>
gh-148274: properly handle result from `PyObject_VisitManagedDict` (GH-148275)
(cherry picked from commit ee2775cfae)
Co-authored-by: Max Bachmann <kontakt@maxbachmann.de>
Original patch by gigaplastik, extended with a few more tests.
Addresses gh-70039 and bpo-25852: failure of starttls if connect is called explicitly.
(cherry picked from commit 442f83a5ea)
Co-authored-by: nmartensen <nis.martensen@web.de>
Avoid embedding the parent's sys.argv into the forkserver -c command
string via repr(). When sys.argv is large (e.g. thousands of file
paths from a pre-commit hook), the resulting single argument could
exceed the OS per-argument length limit (MAX_ARG_STRLEN on Linux,
typically 128 KiB), causing posix_spawn to fail and the parent to
observe a BrokenPipeError.
Instead, append the argv entries as separate command-line arguments
after -c; the forkserver child reads them back as sys.argv[1:]. This
cannot exceed any limit the parent itself did not already satisfy.
Regression introduced by gh-143706 / 298d5440eb.
(cherry picked from commit 5e9d90b615)
Pre-create the Android emulator image so that the configuration can be
modified to use 4GB of RAM.
(cherry picked from commit a95ee3a21d)
Co-authored-by: Malcolm Smith <smith@chaquo.com>
gh-148144: Initialize visited on copied interpreter frames (GH-148143)
_PyFrame_Copy() copied interpreter frames into generator and
frame-object storage without initializing the visited byte. Incremental
GC later reads frame->visited in mark_stacks() on non-start passes, so
copied frames could expose an uninitialized value once they became live
on a thread stack again.
Reset visited when copying a frame so copied frames start with defined
GC bookkeeping state. Preserve lltrace in Py_DEBUG builds.
(cherry picked from commit fbfc6ccb0a)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)
(cherry picked from commit a1cf4430ed)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
gh-143394: Skip pyrepl test_no_newline() basic REPL if readline is missing (GH-147973)
(cherry picked from commit 97babb8ef7)
Co-authored-by: Victor Stinner <vstinner@python.org>
Allows for cleaning a subset of targets, customization of the download cache and
cross-build directories, and modifies the build command to allow 'all', 'build'
and 'hosts' targets.
(cherry picked from commit b8470deb5d)
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
Allows building the Android testbed for 32-bit targets, adding the target triplets
`arm-linux-androideabi` and `i686-linux-android`.
(cherry picked from commit 848bbe9ff2)
Co-authored-by: Robert Kirkman <31490854+robertkirkman@users.noreply.github.com>
Co-authored-by: Malcolm Smith <smith@chaquo.com>
gh-148022: Add threat model to remote debugging docs (GH-148024)
The remote debugging protocol has been generating spurious
vulnerability reports from automated scanners that pattern-match
on "remote access" and "memory operations" without understanding
the privilege model. This section documents the security boundaries
so reporters can self-triage before submitting.
The threat model clarifies three points: attaching requires the
same OS-level privileges as GDB (ptrace, task_for_pid, or
SeDebugPrivilege), crashes caused by reading corrupted target
process memory are not security issues, and a compromised target
process is out of scope. A subsection explains when operators
should use PYTHON_DISABLE_REMOTE_DEBUG for defence-in-depth.
(cherry picked from commit edab6860a7)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>