gh-102627: Replace address pointing toward malicious web page by Blind4Basics · Pull Request #102630 · python/cpython


Blind4Basics

@Blind4Basics

FIX python#102627

partial fix only: would require to go through the entire documentation

@ghost

All commit authors signed the Contributor License Agreement.

CAM-Gerlach

Thanks for your help, @Blind4Basics! I do have a requested change below.

Pro tip: To apply my suggestion directly, click Apply under the suggestion, then Commit with an appropriate message.

@CAM-Gerlach

Do we want to consider backports to the 3.7-3.9 docs, since this fix apparently has security implications (as Python interpreters executing the script will apparently load a malicious page)?

@CAM-Gerlach

Following discussion and general consensus, I've marked this for backport to the security branches, since it is a docs-only change and has security implications.

@Blind4Basics

how to proceed to apply the fix in 3.7-3.9?

@Blind4Basics @CAM-Gerlach

Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM

hugovk

@hugovk

> how to proceed to apply the fix in 3.7-3.9?

We have a bot called Miss Islington that will do all that for us by looking for "needs backport to 3.x" labels when merged :)

@CAM-Gerlach @hugovk

Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

hugovk

Thank you!

olijeffers0n

gpshead

@miss-islington

Thanks @Blind4Basics for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request

Mar 13, 2023

…ythonGH-102630)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

miss-islington added a commit that referenced this pull request

Mar 13, 2023

)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

ned-deily pushed a commit that referenced this pull request

Mar 13, 2023

…H-102630) (GH-102668)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

ned-deily pushed a commit that referenced this pull request

Mar 13, 2023

…H-102630) (GH-102666)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

ned-deily pushed a commit that referenced this pull request

Mar 13, 2023

…H-102630) (GH-102667)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

carljm added a commit to carljm/cpython that referenced this pull request

Mar 14, 2023

@carljm

Fidget-Spinner pushed a commit to Fidget-Spinner/cpython that referenced this pull request

Mar 27, 2023

…ython#102630)

Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

warsaw pushed a commit to warsaw/cpython that referenced this pull request

Apr 11, 2023

…ython#102630)

Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

carlosroman added a commit to DataDog/cpython that referenced this pull request

Jun 22, 2023

Co-authored-by: Benjamin Peterson benjamin@python.org

Co-authored-by: Ned Deily nad@python.org

(cherry picked from commit 30a6cc4)

Co-authored-by: Ned Deily nad@python.org Co-authored-by: HARSHA VARDHAN 75431678+Thunder-007@users.noreply.github.com

(cherry picked from commit 1cf3d78) (cherry picked from commit 88fe8d7)

Co-authored-by: Jeremy Paige ucodery@gmail.com Co-authored-by: Gregory P. Smith greg@krypto.org

(cherry picked from commit c22a55c)

Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

(cherry picked from commit ea23271)

Co-authored-by: Owain Davies 116417456+OTheDev@users.noreply.github.com

(cherry picked from commit 4652182)

Co-authored-by: Oleg Iarygin oleg@arhadthedev.net Co-authored-by: Steve Dower steve.dower@microsoft.com

[3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (pythongh-102079)

[3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.

Fixes CVE-2023-0286 (High) and a couple of Medium security issues. https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith greg@krypto.org Co-authored-by: Ned Deily nad@python.org

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com

(cherry picked from commit 89d9ff0)

Backport of c8c3956

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll 70000253+samcarroll42@users.noreply.github.com

Do not expose the local server's on-disk location from SimpleHTTPRequestHandler when generating a directory index. (unnecessary information disclosure)

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman ethan@stoneleaf.us Co-authored-by: Gregory P. Smith greg@krypto.org Co-authored-by: Jelle Zijlstra jelle.zijlstra@gmail.com

Co-authored-by: Tian Gao gaogaotiantian@hotmail.com

(cherry picked from commit ee26ca1)

Co-authored-by: Irit Katriel 1055913+iritkatriel@users.noreply.github.com

urllib.parse.urlsplit has already been respecting the WHATWG spec a bit pythonGH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" rule in response to CVE-2023-24329.

I simplified the docs by eliding the state of the world explanatory paragraph in this security release only backport. (people will see that in the mainline /3/ docs)

(cherry picked from commit d7f8a5f) (cherry picked from commit 2f630e1) (cherry picked from commit 610cc0a) (cherry picked from commit f48a96a)

Co-authored-by: Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com Co-authored-by: Illia Volochii illia.volochii@gmail.com Co-authored-by: Gregory P. Smith [Google] greg@krypto.org

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any existing definitions in case those exist in some people's builds and were important (avoiding regressions during backporting).

(cherry picked from commit ede89af) (cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith greg@krypto.org Co-authored-by: Ned Deily nad@python.org


Co-authored-by: Łukasz Langa lukasz@langa.pl Co-authored-by: Benjamin Peterson benjamin@python.org Co-authored-by: Ned Deily nad@python.org Co-authored-by: Miss Islington (bot) 31488909+miss-islington@users.noreply.github.com Co-authored-by: HARSHA VARDHAN 75431678+Thunder-007@users.noreply.github.com Co-authored-by: Gregory P. Smith greg@krypto.org Co-authored-by: Jeremy Paige ucodery@gmail.com Co-authored-by: Hugo van Kemenade hugovk@users.noreply.github.com Co-authored-by: Steve Dower steve.dower@python.org Co-authored-by: Owain Davies 116417456+OTheDev@users.noreply.github.com Co-authored-by: Éric earaujo@caravan.coop Co-authored-by: Oleg Iarygin oleg@arhadthedev.net Co-authored-by: Steve Dower steve.dower@microsoft.com Co-authored-by: Dong-hee Na donghee.na@python.org Co-authored-by: Blind4Basics 32236948+Blind4Basics@users.noreply.github.com Co-authored-by: C.A.M. Gerlach CAM.Gerlach@Gerlach.CAM Co-authored-by: Pradyun Gedam pradyunsg@gmail.com Co-authored-by: Petr Viktorin encukou@gmail.com Co-authored-by: Sam Carroll 70000253+samcarroll42@users.noreply.github.com Co-authored-by: Ethan Furman ethan@stoneleaf.us Co-authored-by: Jelle Zijlstra jelle.zijlstra@gmail.com Co-authored-by: Tian Gao gaogaotiantian@hotmail.com Co-authored-by: Irit Katriel 1055913+iritkatriel@users.noreply.github.com Co-authored-by: stratakis cstratak@redhat.com Co-authored-by: Illia Volochii illia.volochii@gmail.com