* Fix `hashlib.file_digest()` versionchanged description of `BlockingIOError`
The sentence was missing a negation and contradicted the other two
descriptions in the same commit. I believe code behaviour is correct.
* fixup! Fix `hashlib.file_digest()` versionchanged description of `BlockingIOError`
* Remove unncessary NEWS.d entry
Passing a negative or zero size to `cursor.fetchmany()` made it fetch all rows
instead of none.
While this could be considered a security vulnerability, it was decided to treat
this issue as a regular bug as passing a non-sanitized *size* value in the first
place is not recommended.
Expose the XML Expat 2.7.2 APIs to tune protections against
"billion laughs" [1] attacks.
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetBillionLaughsAttackProtectionActivationThreshold(threshold)`, and
- `parser.SetBillionLaughsAttackProtectionMaximumAmplification(max_factor)`.
This completes the work in f04bea44c3,
and improves the existing related documentation.
[1]: https://en.wikipedia.org/wiki/Billion_laughs_attack
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
Functions that take timestamp or timeout arguments now accept any
real numbers (such as Decimal and Fraction), not only integers or floats,
although this does not improve precision.
* fix: available_timezones is reporting an invalid IANA zone name
* 📜🤖 Added by blurb_it.
* correct rst format for backticks
---------
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com>
This amends commit bf8bbe9a81 by
restricting `echo_char` in `getpass.getpass` to single printable
ASCII characters as it would be uncommon to use long strings or
multi-byte characters for keyboard feedback.
---------
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Brian Schubert <brianm.schubert@gmail.com>
The codecs lookup function now performs only minimal normalization of
the encoding name before passing it to the search functions:
all ASCII letters are converted to lower case, spaces are replaced
with hyphens.
Excessive normalization broke third-party codecs providers, like
python-iconv.
Revert "bpo-37751: Fix codecs.lookup() normalization (GH-15092)"
This reverts commit 20f59fe1f7.
In bf8bbe9a81, `getpass.getpass` gained
the ability to provide keyboard feedback through `echo_char`.
On Unix, line editing shortcuts such as Ctrl+U were previously handled
as the terminal operates in canonical mode (see termios(3)). However,
since keyboard feedback requires to switch to noncanonical mode, this
now results in an inconsistency when `getpass.getpass` uses `echo_char`
as those shortcuts are no more supported. This limitation is specific
to Unix and does not affect Windows users where line editing shortcuts
were never supported.
