Change History (5)
comment:1 by , 19 months ago
comment:2 by , 19 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed at commit 2ebf4143a8e1dfac1f4855ae116aeabb3f50418a
comment:3 by , 18 months ago
Priority: | normal → high |
---|
Note:
See TracTickets
for help on using tickets.
What's New in Python 3.11.4 final - 2023-06-06
Security
uu.decode
that could allow for directory traversal based on the input if noout_file
was specified.
http.client.SimpleHTTPRequestHandler
.urllib.parse.urlsplit
now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.Core and Builtins
match
block.a, a = x, y
.
sys.setprofile
and
sys.settrace
trampoline functions. This ensures that frames are not duplicated if an exception is raised in the callback function, and ensures that frames are not omitted if a C callback is used and that does not add the frame.
bytecode
instructions could ignore :pep:523
when "inlining" calls.case
blocks.
try-except*
construct in an :exc:
ExceptionGroup
.except* <except_star>
.~ssl.SSLContext.set_ecdh_curve
method not to use deprecated OpenSSL APIs.name
in
repr
of :class:
weakref.ref
.SyntaxError
when parsing source code containing null bytes. Backported fromaab01e3
. Patch by Pablo Galindo
!pause_reading
to work when called from :func:!connection_made
in :mod:asyncio
.Library
inspect.signature
name
and
supertype
attributes of :class:
typing.NewType
.asyncio
pipe protocol loses its connection due to an error, and the caller doesn't await
wait_closed()
on the corresponding
StreamWriter
, don't log a warning about an exception that was never retrieved. After all, according to the
StreamWriter.close()
docs, the
wait_closed()
call is optional ("not mandatory").
_posixsubprocess
internals to avoid Python C API usage between fork and exec when marking
pass_fds=
file descriptors inheritable.
inspect.getattr_static
.multiprocessing.process
cleanup logic that could manifest as an unintendedAttributeError
when calling
process.close()
.
_tkinter
module for building with Tcl 9.0 and future libtommath by replacing usage of deprecated functions :c:func:`mp_to_unsigned_bin_n
and :c:func:
mp_unsigned_bin_size` when necessary.socket.getnameinfo
now releases the GIL while contacting the DNS serverpathlib.Path.glob
raised :exc:OSError
when it encountered a symlink to an overly long path.!_csv.Reader
and :class:!_csv.Writer
types. The regression was introduced in 3.10.0a4 with PR 23224 (:issue:14935
).getstate
and
setstate
methods for slotted frozen dataclasses.
mmap
, fix several bugs that could lead to access to memory-mapped files after they have been invalidated.io.open_code
for files to be executed instead of raw :func:open
OverflowError
in :meth:sqlite3.Connection.blobopen
for 32-bit builds.[
bracketed
]
hosts found by :func:
urllib.parse.urlsplit
are of IPv6 or IPvFuture format.zipfile.Zipfile
creating invalid zip files when
force_zip64
was used to add files to them. Patch by Carey Metcalfe.
tkinter.Menu.index
for Tk 8.7 so that it does not raiseTclError: expected integer but got ""
when it should return
None
.
urllib.request.CacheFTPHandler
no longer raises :class:URLError
if a cached FTP instance is reused. ftplib's endtransfer method calls voidresp to drain the connection to handle FTP instance reuse properly.pdb
crashes when reading source file with different encoding by replacing :func:io.open
with :func:io.open_code
. The new method would also call into the hook set by :func:PyFile_SetOpenCodeHook
.inspect.Signature
objects with positional-only parameter with a default followed by a positional-or-keyword parameter without one is impossible.STRICT
and fix bitwise operations.
ResourceWarning
in :class:http.client.HTTPConnection
by closing the proxy / tunnel's CONNECT response explicitly.dataclasses.dataclass
.hmac
to raise an exception when the requested hash algorithm was not available in OpenSSL despite being available separately as part ofhashlib
itself. It now falls back properly to the built-in. This could happen when, for example, your OpenSSL does not include SHA3 support and you want to compute
hmac.digest(b'K', b'M', 'sha3_256')
.
pdb
when displaying line numbers of module-level source code.memmber.member
access.
unittest.mock.patch
not enforcing function signatures for methods decorated with@classmethod
or
@staticmethod
when patch is called with
autospec=True
.
http.server
accepting HTTP requests with HTTP version numbers preceded by '+', or '-', or with digit-separating '_' characters. The length of the version numbers is also constrained.tarfile
, and :func:shutil.unpack_archive
, have a new a *filter* argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See :ref:tarfile-extraction-filter
for details.argparse.ArgumentParser
now catches errors when writing messages, such as when :data:sys.stderr
isNone
.
subprocess.Popen
.Documentation
max_group_depth
and
max_group_width
parameters and the
exceptions
attribute of the :class:
traceback.TracebackException
class.end_lineno
and
end_offset
attributes of the :class:
traceback.TracebackException
class.typing.NamedTuple
.atexit
cleanup function from within a registered cleanup function is undefined.Tests
test_pack_configure_in
and
test_place_configure_in
for changes to error message formatting in Tk 8.7.
DISPLAY
environment variable and
-screen
option for toplevels are not useful on Tk for Win32 or Aqua.
unittest.mock.PropertyMock
were added.
os.spawn* <os.spawnl>
tests failing on Windows when the working directory or interpreter path contains spaces.Build
configure
where we could end up unintentionally linking withlibbsd
.
static_assert
when missing from the libc headers to all clang and gcc builds. In particular, this fixes building on macOS <= 10.10.
IDLE