We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
2 parents 64d1a92 + 1ce801b commit 773e47eCopy full SHA for 773e47e
.github/workflows/build.yml
@@ -125,10 +125,31 @@ jobs:
125
runs-on: macos-latest
126
needs: check_source
127
if: needs.check_source.outputs.run_tests == 'true'
128
+ env:
129
+ HOMEBREW_NO_ANALYTICS: 1
130
+ HOMEBREW_NO_AUTO_UPDATE: 1
131
+ HOMEBREW_NO_INSTALL_CLEANUP: 1
132
steps:
133
- uses: actions/checkout@v2
134
- name: Configure CPython
- run: SDKROOT=/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk ./configure --with-pydebug --with-openssl=/usr/local/opt/openssl --prefix=/opt/python-dev
135
+ run: |
136
+ brew install pkg-config openssl@1.1 xz gdbm tcl-tk
137
+ brew install zlib bzip2 ncurses readline sqlite
138
+ SDKROOT=/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk \
139
+ CC=clang \
140
+ CPPFLAGS="-I$(brew --prefix gdbm)/include -I$(brew --prefix xz)/include \
141
+ -I$(brew --prefix zlib)/include -I$(brew --prefix bzip2)/include \
142
+ -I$(brew --prefix ncurses)/include -I$(brew --prefix readline)/include \
143
+ -I$(brew --prefix sqlite)/include" \
144
+ LDFLAGS="-L$(brew --prefix gdbm)/lib -L$(brew --prefix xz)/lib \
145
+ -L$(brew --prefix zlib)/lib -L$(brew --prefix bzip2)/lib \
146
+ -L$(brew --prefix ncurses)/lib -L$(brew --prefix readline)/lib \
147
+ -L$(brew --prefix sqlite)/lib" \
148
+ ./configure --prefix=/opt/python-dev \
149
+ --with-pydebug \
150
+ --with-openssl="$(brew --prefix openssl@1.1)" \
151
+ --with-tcltk-libs="$(pkg-config --libs tk)" \
152
+ --with-tcltk-includes="$(pkg-config --cflags tk)"
153
- name: Build CPython
154
run: make -j4
155
- name: Display build info
Lib/ensurepip/__init__.py
@@ -9,7 +9,7 @@
9
__all__ = ["version", "bootstrap"]
10
_PACKAGE_NAMES = ('setuptools', 'pip')
11
_SETUPTOOLS_VERSION = "47.1.0"
12
-_PIP_VERSION = "22.0.4"
+_PIP_VERSION = "23.0.1"
13
_PROJECTS = [
14
("setuptools", _SETUPTOOLS_VERSION, "py3"),
15
("pip", _PIP_VERSION, "py3"),
Lib/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl
-2.03 MB
Lib/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl
1.96 MB
Lib/http/server.py
@@ -777,7 +777,7 @@ def list_directory(self, path):
777
displaypath = urllib.parse.unquote(self.path,
778
errors='surrogatepass')
779
except UnicodeDecodeError:
780
- displaypath = urllib.parse.unquote(path)
+ displaypath = urllib.parse.unquote(self.path)
781
displaypath = html.escape(displaypath, quote=False)
782
enc = sys.getfilesystemencoding()
783
title = 'Directory listing for %s' % displaypath
Lib/test/test_httpservers.py
@@ -413,6 +413,14 @@ def test_undecodable_filename(self):
413
self.check_status_and_reason(response, HTTPStatus.OK,
414
data=support.TESTFN_UNDECODABLE)
415
416
+ def test_undecodable_parameter(self):
417
+ # sanity check using a valid parameter
418
+ response = self.request(self.base_url + '/?x=123').read()
419
+ self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
420
+ # now the bogus encoding
421
+ response = self.request(self.base_url + '/?x=%bb').read()
422
+ self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
423
+
424
def test_get_dir_redirect_location_domain_injection_bug(self):
425
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
426
Lib/test/test_uu.py
@@ -145,6 +145,34 @@ def test_newlines_escaped(self):
uu.encode(inp, out, filename)
self.assertIn(safefilename, out.getvalue())
+ def test_no_directory_traversal(self):
+ relative_bad = b"""\
+begin 644 ../../../../../../../../tmp/test1
+$86)C"@``
+`
+end
+"""
+ with self.assertRaisesRegex(uu.Error, 'directory'):
156
+ uu.decode(io.BytesIO(relative_bad))
157
+ if os.altsep:
158
+ relative_bad_bs = relative_bad.replace(b'/', b'\\')
159
160
+ uu.decode(io.BytesIO(relative_bad_bs))
161
162
+ absolute_bad = b"""\
163
+begin 644 /tmp/test2
164
165
166
167
168
169
+ uu.decode(io.BytesIO(absolute_bad))
170
171
+ absolute_bad_bs = absolute_bad.replace(b'/', b'\\')
172
173
+ uu.decode(io.BytesIO(absolute_bad_bs))
174
175
176
class UUStdIOTest(unittest.TestCase):
177
178
def setUp(self):
Lib/uu.py
100755
100644
@@ -130,7 +130,14 @@ def decode(in_file, out_file=None, mode=None, quiet=False):
# If the filename isn't ASCII, what's up with that?!?
out_file = hdrfields[2].rstrip(b' \t\r\n\f').decode("ascii")
if os.path.exists(out_file):
- raise Error('Cannot overwrite existing file: %s' % out_file)
+ raise Error(f'Cannot overwrite existing file: {out_file}')
+ if (out_file.startswith(os.sep) or
+ f'..{os.sep}' in out_file or (
+ os.altsep and
+ (out_file.startswith(os.altsep) or
+ f'..{os.altsep}' in out_file))
+ ):
+ raise Error(f'Refusing to write to {out_file} due to directory traversal')
if mode is None:
mode = int(hdrfields[1], 8)
#
Misc/NEWS.d/next/Library/2023-02-17-18-44-27.gh-issue-101997.A6_blD.rst
@@ -0,0 +1 @@
1
+Upgrade pip wheel bundled with ensurepip (pip 23.0.1)
Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@@ -0,0 +1,2 @@
+Do not expose the local on-disk location in directory indexes
2
+produced by :class:`http.client.SimpleHTTPRequestHandler`.
Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
+Fixed a security in flaw in :func:`uu.decode` that could allow for
+directory traversal based on the input if no ``out_file`` was specified.