* [3.14] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
(cherry picked from commit f04bea44c3)
(cherry picked from commit 68a1778b77)
* the "plaintext" element
* the RAWTEXT elements "xmp", "iframe", "noembed" and "noframes"
* optionally RAWTEXT (if scripting=True) element "noscript"
(cherry picked from commit a17c57eee5)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-138774: use `value` to `ast.unparse` code when `str` is `None` in `ast.Interpolation` (GH-139415)
(cherry picked from commit 4d0849426f)
Co-authored-by: George Ogden <38294960+George-Ogden@users.noreply.github.com>
* Link to compression setting constants from compression functions
* De-duplicate descriptions of the constants
(cherry picked from commit 091e8513bb)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
gh-138764: annotationlib: Make `call_annotate_function` fallback to using `VALUE` annotations if both the requested format and `VALUE_WITH_FAKE_GLOBALS` are not implemented (GH-138803)
(cherry picked from commit 95c257e2e6)
Co-authored-by: David Ellis <ducksual@gmail.com>
[Docs] Add missing note about Required/NotRequired/ReadOnly in get_type_hints() (GH-139565)
(cherry picked from commit a752f58d6b)
Co-authored-by: Sam Bull <git@sambull.org>
Use multiple signatures for clarity.
Explain different forms of bgcolor() in details.
Fix outdated docstrings.
(cherry picked from commit 525dcfe523)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gh-101100: Document `zlib` public constants to fix reference warnings (GH-139835)
(cherry picked from commit c7f1da97eb)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
The csv.register_dialect() docstring no longer imply that it returns a dialect.
All functions have now signatures.
(cherry picked from commit aa1dbd4dde)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: maurycy <5383+maurycy@users.noreply.github.com>
Passing a negative or zero size to `cursor.fetchmany()` made it fetch all rows
instead of none.
While this could be considered a security vulnerability, it was decided to treat
this issue as a regular bug as passing a non-sanitized *size* value in the first
place is not recommended.
(cherry picked from commit bc172ee830)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
gh-136520: Clarify docs for _pack_ & _align_ (GH-137036)
Move docs to the reference section & reduce the “tutorial” part to a quick intro & link.
Clarify what values are accepted.
Add macro/attribute equivalents.
Discourage _align_ values that aren't powers of two.
(cherry picked from commit 8943bb722f)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Unify documentation for all backends, enumerate all not implemented mapping
methods, document particularities of implemented mapping methods.
(cherry picked from commit 8700404f86)
gh-131885: Use positional-only markers for ``max()`` and ``min()`` (GH-131868)
(cherry picked from commit dd079db4b9)
Co-authored-by: Evan Kohilas <ekohilas@users.noreply.github.com>
gh-136516: Mention installation artifacts as de-facto resources (GH-136419)
Files like NUL on windows are, from `importlib.resources` point of
view, an artifact caused by installing to a filesystem directory.
Mention these.
(cherry picked from commit fac4964fdb)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
