#12244 closed enhancement (fixed)
python3-3.7.4
Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | high | Milestone: | 9.0 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (4)
comment:1 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 5 years ago
comment:4 by , 5 years ago
Priority: | normal → high |
---|
bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of :mod:`urllib.request`.
Retroactively promote to High
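A post-upgrade check for the bpo-30458 behaviour quoted in comment 4, added here as an example (it is not part of the ticket, the BLFS book or CPython). It asks the installed http.client to build a request line for a few constructed paths and reports whether InvalidURL is raised; the host name and probe strings are placeholders, and no socket is opened.

```python
import http.client
import sys

# Constructed probe paths covering the characters the changelog entry names:
# embedded whitespace and control characters in the URL path.
PROBES = {
    "space": "/a b",
    "crlf_header": "/a HTTP/1.1\r\nX-Probe: 1",
    "tab": "/a\tb",
    "nul": "/a\x00b",
}
# A well-formed path that a fixed interpreter must still accept.
BENIGN = "/index.html?q=1"


def path_rejected(path):
    """Return True if http.client refuses to build a request line for path."""
    # The constructor does not connect; "host.invalid" is a reserved placeholder.
    conn = http.client.HTTPConnection("host.invalid")
    try:
        # putrequest() only buffers the request line; nothing is sent.
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    return False


def audit():
    """Map each probe name to True when the interpreter behaves as fixed."""
    results = {name: path_rejected(path) for name, path in PROBES.items()}
    results["benign_accepted"] = not path_rejected(BENIGN)
    return results


if __name__ == "__main__":
    outcome = audit()
    for name, ok in sorted(outcome.items()):
        print("%-16s %s" % (name, "ok" if ok else "NOT REJECTED / BROKEN"))
    # Non-zero exit lets a build or packaging script fail on an unfixed Python.
    sys.exit(0 if all(outcome.values()) else 1)
```
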
What's New in Python 3.7.4 final?
*Release date: 2019-07-08*
Core and Builtins
1875 in 3.7.4rc1 to check for syntax errors in dead conditional code blocks.
Documentation
What's New in Python 3.7.4 release candidate 2?
Security
Core and Builtins
Library
_uuid headers conflicting included.
Windows
sys.executable when running from the Microsoft Store.
macOS
What's New in Python 3.7.4 release candidate 1?
Security
local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of :mod:`urllib.request`.
shutil.which now uses os.confstr("CS_PATH") if available and if the :envvar:`PATH` environment variable is not set. Remove also the current directory from :data:`posixpath.defpath`. On Unix, :func:`shutil.which` and the :mod:`subprocess` module no longer search the executable in the current directory if the :envvar:`PATH` environment variable is not set.
Core and Builtins
wrap_lenfunc() when sizeof(long) < sizeof(Py_ssize_t) (e.g., 64-bit Windows).
sys.stderr while using it. Document that an exception must be set when calling :c:func:`PyErr_WriteUnraisable`.
f(kwargs)) and changing the dict kwargs while that function is running.
PyGC_Head structure is aligned to long double. This is needed to ensure GC-ed objects are aligned properly. Patch by Inada Naoki.
SyntaxError is now raised if a code blocks that will be optimized away (e.g. if conditions that are always false) contains syntax errors. Patch by Pablo Galindo. (Reverted in 3.7.4 final by :issue:`37500`.)
PyCArrayType_new().
PyMem_FREE() due to tokenizer.c's tok_nextc().
itertools.count.
ParserError messages, instead of numeric IDs. Patch by A. Skrobov.
PyCArrayType_new().
sys.path if it has been removed.
_Py_dg_strtod() used by float(str), complex(str), :func:`pickle.load`, :func:`marshal.load`, etc.
pickle module. Patch by Zackery Spytz.
PyInterpreterState_New().
More. See Misc/NEWS in tarball.